Public Replay: THA Deep Dive – Analyzing Malware in Memory

On Monday, December 18, 2012 we held our first THA Deep Dive Webinar. Andrew Case, THA instructor and Volatility core developer, presented Analyzing Malware in Memory.

Andrew went over many topics, starting with what memory forensics actually is, and the differences between memory and live forensics. He then went on to discuss Volatility, a framework for the extraction of digital artifacts from volatile memory (RAM) samples.

The Volatility portion of the session covered the following areas in detail:

  • Per-Process Analysis
  • API hooking
  • Misc. Process Data
  • GUI Subsystem
  • Registry in Memory
  • Callbacks
  • IRP Hooking
  • Devices
  • MBR & MFT

The session wrapped up with suggested resources for further reading, as well as reference links in the slides.

There were some audio issues during the presentation, so as you watch the video, know that it isn’t your computer! The slides are available for download here.

Please feel free to contact us if you have any questions!


2 Comments
Ran2

January 1, 2013 at 9:12 pm

Excellent presentation and it is insightful. It is best to have a plug-in that can compare different snapshots of the same machine before and after the malware infection.

ViRii

January 17, 2013 at 10:33 am

Good presentation, very educative.
@Ran2, Regshot does what you want.
