Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
24 lines (12 sloc) 1.07 KB

#RAM Dumping

Purpose: Examine memory dumps of an individual system, looking for signs of malware or other malicious activities

Data Required: RAM dumps (typically HUGE)

Collection Considerations: Require a specialized tool (e.g., Volatility)

Description

RAM dumps of running systems can often contain lots of interesting information, such as lists of running processes, open ports, executable images and logged on users. Using various tools, you can extract these types of information and potentially look for signs of malicious activities.

Checking for "known-bad" is one obvious application. D. Sharpe suggests also looking for signs of BIOS or firmware implants (detecting tampering with the interrupt table and checking uppermost addresses of real-mode memory).

Other Notes

Better description needed here.

More Info

  • Intrusion Hunting for the Masses, David Sharpe (HackMiami 2016)
  • "Art of Memory Forensics", Ligh, Case, Levy, Walters, Wiley Publishing, 2014 (page 75 addresses BIOS/firmware attacks)
You can’t perform that action at this time.