Public Replay: THA Deep Dive – Analyzing Malware in Memory
On Monday December 18, 2012 we had our first THA Deep Dive Webinar. Andrew Case, THA instructor and Volatility core developer, discussed Analyzing Malware in Memory.
Andrew went over many topics, starting with what memory forensics actually is, and the differences between memory and live forensics. He then went on to discuss Volatility, a framework for the extraction of digital artifacts from volatile memory (RAM) samples.
The Volatility portion of the talk covered the following areas in detail:
- Per-Process Analysis
- API hooking
- Misc. Process Data
- GUI Subsystem
- Registry in Memory
- IRP Hooking
- MBR & MFT
The session wrapped up with suggested resources for further reading, as well as reference links in the slides.
There were some audio issues during the presentation, so as you watch the video, know that it isn’t your computer! The slides are available for download here.
Please feel free to contact us if you have any questions!