# Comparing Host Images/Memory Dumps to Known-Good Baselines

Purpose: Identify deviations from a "known-good" state that may indicate the presence of malware on a system

Data Required: Memory dumps, Registry dumps, "known good" data

Collection Considerations: This works best when the comparison is tracked over time (a series of snapshots) rather than performed as a single one-off comparison. Volatility plugins such as "stalker", "profiler", "regcomp" and "hunter" are useful.
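As an added illustration of the over-time comparison described above (example code written for this page, not part of the original entry or of Volatility), the script below merges several known-good process listings into a baseline and flags what a later dump adds or changes. The `name|image path` listing format, the function names and the sample listings are all constructed for the example.

```python
# Constructed example, not a Volatility plugin: each listing holds one process
# per line as "name|image path", the fields a pslist-style plugin reports.
from collections import Counter

def parse_listing(text):
    """Parse the constructed listing format into (name, path) pairs."""
    return [tuple(f.strip().lower() for f in line.split("|", 1))
            for line in text.strip().splitlines()]

def build_baseline(listings):
    """Merge known-good snapshots taken over time: paths maps each name to every
    image path seen for it; seen counts how many snapshots the name appeared in."""
    paths, seen = {}, Counter()
    for text in listings:
        pairs = parse_listing(text)
        for name, path in pairs:
            paths.setdefault(name, set()).add(path)
        seen.update({name for name, _ in pairs})
    return {"paths": paths, "seen": seen, "snapshots": len(listings)}

def compare(baseline, current_text):
    """Flag names absent from every baseline, and known names on an unrecorded path."""
    findings = []
    for name, path in parse_listing(current_text):
        known = baseline["paths"].get(name)
        if known is None:
            findings.append(("new_process", name, path))
        elif path not in known:
            findings.append(("path_mismatch", name, path))
    return findings

# Constructed sample data: two clean snapshots, then a suspect dump.
BASELINE_SNAPSHOTS = [
    "System|\nsmss.exe|\\SystemRoot\\System32\\smss.exe\n"
    "svchost.exe|C:\\Windows\\System32\\svchost.exe\n"
    "explorer.exe|C:\\Windows\\explorer.exe",
    "System|\nsmss.exe|\\SystemRoot\\System32\\smss.exe\n"
    "svchost.exe|C:\\Windows\\System32\\svchost.exe\n"
    "explorer.exe|C:\\Windows\\explorer.exe\nnotepad.exe|C:\\Windows\\notepad.exe",
]
CURRENT_DUMP = (
    "System|\nsmss.exe|\\SystemRoot\\System32\\smss.exe\n"
    "svchost.exe|C:\\Windows\\System32\\svchost.exe\n"
    "svchost.exe|C:\\Users\\Public\\svchost.exe\n"
    "explorer.exe|C:\\Windows\\explorer.exe\n"
    "updater.exe|C:\\Users\\Public\\updater.exe"
)

if __name__ == "__main__":
    for finding in compare(build_baseline(BASELINE_SNAPSHOTS), CURRENT_DUMP):
        print(*finding)
```

The `seen` counter is what makes the time dimension useful: a name that appeared in one of ten baselines is weaker evidence of "known good" than one present in all ten, so an analyst can weight findings against it rather than treating every baseline entry as equally trusted.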

Analysis Techniques:
Other Notes

More Info

  • "Every Step You Take" (video needed, if available)
  • "Several Ways to Skin a Rat", Jamie "Gleeda" Levy (Link needed)