SlideShare uma empresa Scribd logo

n|u Dharamsala Humla : Memory Forensic by Tenzin Chokden

Transferir como PPTX, PDF
Sunil Kumar
Sunil Kumar

This document provides an overview of analyzing memory forensics using Volatility 2.4. It demonstrates running various Volatility plugins like pstree to print processes, connscan to scan for TCP connections, printkey to print registry keys and values, and malfind to find hidden code injections. The document analyzes a Zeus memory sample, identifying processes, connections, registry keys used by the malware, and injected code, showing how Volatility can be used to analyze malware behavior and artifacts in memory forensics.

Software
1 de 10
{ Null Humla Session 0.1 Memory forensics with Volatility2.4
 Usage  Vol.py –f image --profile=(imageinfo) –plugins  -f parameter  It is used to locate the source memory image  Vol.py –f sality.vmem  imageinfo  To identify the memory image  Vol.py –f sality.vmem imageinfo  Vol.py –f sality.vmem –proflie=WinXPSP2x86 connscan Steps in Analysing
pstree  Prints the process list in tree structure. Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 pstree
Connscan  Scans for tcp connections Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 connscan
 Lets run the pstree command again….. Interesting connections ??
Printkey  Print a registry key and its subkey and values Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 printkey –K “MicrosoftWindowsCurrentVersionRun” Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 printkey –K “MicrosoftWindowsNTCurrentVersion Winlogon”
Malfind  Find hidden or injected code/Dll Vol.py –f zeus.vmem –profile =WinXPSP2x86 malfind –dump-dir ~/code-injections
Vol.py –f zeus.vmem –profile =WinXPSP2x86 malfind -p 856 –dump-dir ~/code-injections Too much data ?? Let’s narrow it down !!!
Vol.py –f zeus.vmem printkey –K “ControlSet001ServicesSharedAccess ParametersFirewallPolicyStandard Profile” This malware shutdowns firewall also …..
EOF…. QUESTIONS …..

Recomendados

Glusterfs session #18 intro to fuse and its trade offs
Glusterfs session #18 intro to fuse and its trade offsGlusterfs session #18 intro to fuse and its trade offs
Glusterfs session #18 intro to fuse and its trade offsPranith Karampuri
 
Glusterfs session #8 memory tracking infra, io-threads
Glusterfs session #8 memory tracking infra, io-threadsGlusterfs session #8 memory tracking infra, io-threads
Glusterfs session #8 memory tracking infra, io-threadsPranith Karampuri
 
Tmux Development Workflow
Tmux Development WorkflowTmux Development Workflow
Tmux Development Workflowjschembri
 
Sistemas operacionais 13
Sistemas operacionais 13Sistemas operacionais 13
Sistemas operacionais 13Nauber Gois
 
50 Perintah Dasar pada linux
50 Perintah Dasar pada linux50 Perintah Dasar pada linux
50 Perintah Dasar pada linuxReskyRian
 
Creating a Name seperator Custom Control using C#
Creating a Name seperator Custom Control using C#Creating a Name seperator Custom Control using C#
Creating a Name seperator Custom Control using C#priya Nithya
 
Perintah perintah dasar linux Operating Sistem
Perintah perintah dasar linux Operating SistemPerintah perintah dasar linux Operating Sistem
Perintah perintah dasar linux Operating SistemRoziq Bahtiar
 
PenTest using Python By Purna Chander
PenTest using Python By Purna ChanderPenTest using Python By Purna Chander
PenTest using Python By Purna Chandernforceit
 

Recomendados

Glusterfs session #18 intro to fuse and its trade offs
Glusterfs session #18 intro to fuse and its trade offsGlusterfs session #18 intro to fuse and its trade offs
Glusterfs session #18 intro to fuse and its trade offsPranith Karampuri
 
Glusterfs session #8 memory tracking infra, io-threads
Glusterfs session #8 memory tracking infra, io-threadsGlusterfs session #8 memory tracking infra, io-threads
Glusterfs session #8 memory tracking infra, io-threadsPranith Karampuri
 
Tmux Development Workflow
Tmux Development WorkflowTmux Development Workflow
Tmux Development Workflowjschembri
 
Sistemas operacionais 13
Sistemas operacionais 13Sistemas operacionais 13
Sistemas operacionais 13Nauber Gois
 
50 Perintah Dasar pada linux
50 Perintah Dasar pada linux50 Perintah Dasar pada linux
50 Perintah Dasar pada linuxReskyRian
 
Creating a Name seperator Custom Control using C#
Creating a Name seperator Custom Control using C#Creating a Name seperator Custom Control using C#
Creating a Name seperator Custom Control using C#priya Nithya
 
Perintah perintah dasar linux Operating Sistem
Perintah perintah dasar linux Operating SistemPerintah perintah dasar linux Operating Sistem
Perintah perintah dasar linux Operating SistemRoziq Bahtiar
 
PenTest using Python By Purna Chander
PenTest using Python By Purna ChanderPenTest using Python By Purna Chander
PenTest using Python By Purna Chandernforceit
 
Tmux tips and_tricks
Tmux tips and_tricksTmux tips and_tricks
Tmux tips and_tricksArc & Codementor
 
Processes And Job Control
Processes And Job ControlProcesses And Job Control
Processes And Job Controlahmad bassiouny
 
Glusterfs session #5 inode t, fd-t lifecycles
Glusterfs session #5 inode t, fd-t lifecyclesGlusterfs session #5 inode t, fd-t lifecycles
Glusterfs session #5 inode t, fd-t lifecyclesPranith Karampuri
 
RedHat/CentOs Commands for administrative works
RedHat/CentOs Commands for administrative worksRedHat/CentOs Commands for administrative works
RedHat/CentOs Commands for administrative worksMd Shihab
 
Combine vs RxSwift
Combine vs RxSwiftCombine vs RxSwift
Combine vs RxSwiftshark-sea
 
Using strace
Using straceUsing strace
Using straceRyan Robson
 
report about hack رابؤرتيكدةربارةي (لةسةر) هاك
report about hack رابؤرتيكدةربارةي (لةسةر) هاكreport about hack رابؤرتيكدةربارةي (لةسةر) هاك
report about hack رابؤرتيكدةربارةي (لةسةر) هاكShwana M
 
Debian
DebianDebian
DebianYUDDYAL HAMDANIL
 
Mongo db tailable cursors
Mongo db tailable cursorsMongo db tailable cursors
Mongo db tailable cursorsBill Kunneke
 
Zfs replication overview
Zfs replication overviewZfs replication overview
Zfs replication overview鵬 大
 
Glusterfs session #13 replication introduction
Glusterfs session #13 replication introductionGlusterfs session #13 replication introduction
Glusterfs session #13 replication introductionPranith Karampuri
 
Partyhack 3.0 - Telegram bugbounty writeup
Partyhack 3.0 - Telegram bugbounty writeupPartyhack 3.0 - Telegram bugbounty writeup
Partyhack 3.0 - Telegram bugbounty writeupДмитрий Бумов
 
Rhel 7 root password reset
Rhel 7 root password resetRhel 7 root password reset
Rhel 7 root password resetMd Shihab
 
Unix environment
Unix environmentUnix environment
Unix environmentEr Mittinpreet Singh
 
Emuladores
EmuladoresEmuladores
EmuladoresBayoch
 
Installation of ubuntu, ns3 and compiling first
Installation of ubuntu, ns3 and compiling firstInstallation of ubuntu, ns3 and compiling first
Installation of ubuntu, ns3 and compiling firstJawad Khan
 
Unix environment [autosaved]
Unix environment [autosaved]Unix environment [autosaved]
Unix environment [autosaved]Er Mittinpreet Singh
 
Unix
UnixUnix
UnixHari Krishna
 
Ultimate Unix Meetup Presentation
Ultimate Unix Meetup PresentationUltimate Unix Meetup Presentation
Ultimate Unix Meetup PresentationJacobMenke1
 
QEMU Sandboxing for dummies
QEMU Sandboxing for dummiesQEMU Sandboxing for dummies
QEMU Sandboxing for dummiesEduardo Otubo
 
Basic command for linux
Basic command for linuxBasic command for linux
Basic command for linuxgt0ne
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 

Mais conteúdo relacionado

Mais procurados

Processes And Job Control
Processes And Job ControlProcesses And Job Control
Processes And Job Controlahmad bassiouny
 
Glusterfs session #5 inode t, fd-t lifecycles
Glusterfs session #5 inode t, fd-t lifecyclesGlusterfs session #5 inode t, fd-t lifecycles
Glusterfs session #5 inode t, fd-t lifecyclesPranith Karampuri
 
RedHat/CentOs Commands for administrative works
RedHat/CentOs Commands for administrative worksRedHat/CentOs Commands for administrative works
RedHat/CentOs Commands for administrative worksMd Shihab
 
Combine vs RxSwift
Combine vs RxSwiftCombine vs RxSwift
Combine vs RxSwiftshark-sea
 
report about hack رابؤرتيكدةربارةي (لةسةر) هاك
report about hack رابؤرتيكدةربارةي (لةسةر) هاكreport about hack رابؤرتيكدةربارةي (لةسةر) هاك
report about hack رابؤرتيكدةربارةي (لةسةر) هاكShwana M
 
Mongo db tailable cursors
Mongo db tailable cursorsMongo db tailable cursors
Mongo db tailable cursorsBill Kunneke
 
Zfs replication overview
Zfs replication overviewZfs replication overview
Zfs replication overview鵬 大
 
Glusterfs session #13 replication introduction
Glusterfs session #13 replication introductionGlusterfs session #13 replication introduction
Glusterfs session #13 replication introductionPranith Karampuri
 
Rhel 7 root password reset
Rhel 7 root password resetRhel 7 root password reset
Rhel 7 root password resetMd Shihab
 
Emuladores
EmuladoresEmuladores
EmuladoresBayoch
 
Installation of ubuntu, ns3 and compiling first
Installation of ubuntu, ns3 and compiling firstInstallation of ubuntu, ns3 and compiling first
Installation of ubuntu, ns3 and compiling firstJawad Khan
 
Ultimate Unix Meetup Presentation
Ultimate Unix Meetup PresentationUltimate Unix Meetup Presentation
Ultimate Unix Meetup PresentationJacobMenke1
 
QEMU Sandboxing for dummies
QEMU Sandboxing for dummiesQEMU Sandboxing for dummies
QEMU Sandboxing for dummiesEduardo Otubo
 

Mais procurados (20)

Tmux tips and_tricks
Tmux tips and_tricksTmux tips and_tricks
Tmux tips and_tricks
 
Processes And Job Control
Processes And Job ControlProcesses And Job Control
Processes And Job Control
 
Glusterfs session #5 inode t, fd-t lifecycles
Glusterfs session #5 inode t, fd-t lifecyclesGlusterfs session #5 inode t, fd-t lifecycles
Glusterfs session #5 inode t, fd-t lifecycles
 
RedHat/CentOs Commands for administrative works
RedHat/CentOs Commands for administrative worksRedHat/CentOs Commands for administrative works
RedHat/CentOs Commands for administrative works
 
Combine vs RxSwift
Combine vs RxSwiftCombine vs RxSwift
Combine vs RxSwift
 
Using strace
Using straceUsing strace
Using strace
 
report about hack رابؤرتيكدةربارةي (لةسةر) هاك
report about hack رابؤرتيكدةربارةي (لةسةر) هاكreport about hack رابؤرتيكدةربارةي (لةسةر) هاك
report about hack رابؤرتيكدةربارةي (لةسةر) هاك
 
Debian
DebianDebian
Debian
 
Mongo db tailable cursors
Mongo db tailable cursorsMongo db tailable cursors
Mongo db tailable cursors
 
Zfs replication overview
Zfs replication overviewZfs replication overview
Zfs replication overview
 
Glusterfs session #13 replication introduction
Glusterfs session #13 replication introductionGlusterfs session #13 replication introduction
Glusterfs session #13 replication introduction
 
Partyhack 3.0 - Telegram bugbounty writeup
Partyhack 3.0 - Telegram bugbounty writeupPartyhack 3.0 - Telegram bugbounty writeup
Partyhack 3.0 - Telegram bugbounty writeup
 
Rhel 7 root password reset
Rhel 7 root password resetRhel 7 root password reset
Rhel 7 root password reset
 
Unix environment
Unix environmentUnix environment
Unix environment
 
Emuladores
EmuladoresEmuladores
Emuladores
 
Installation of ubuntu, ns3 and compiling first
Installation of ubuntu, ns3 and compiling firstInstallation of ubuntu, ns3 and compiling first
Installation of ubuntu, ns3 and compiling first
 
Unix environment [autosaved]
Unix environment [autosaved]Unix environment [autosaved]
Unix environment [autosaved]
 
Unix
UnixUnix
Unix
 
Ultimate Unix Meetup Presentation
Ultimate Unix Meetup PresentationUltimate Unix Meetup Presentation
Ultimate Unix Meetup Presentation
 
QEMU Sandboxing for dummies
QEMU Sandboxing for dummiesQEMU Sandboxing for dummies
QEMU Sandboxing for dummies
 

Semelhante a n|u Dharamsala Humla : Memory Forensic by Tenzin Chokden

Basic command for linux
Basic command for linuxBasic command for linux
Basic command for linuxgt0ne
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
List command linux fidora
List command linux fidoraList command linux fidora
List command linux fidoraJinyuan Loh
 
Terminal linux commands_ Fedora based
Terminal linux commands_ Fedora basedTerminal linux commands_ Fedora based
Terminal linux commands_ Fedora basedNavin Thapa
 
Basic linux commands
Basic linux commandsBasic linux commands
Basic linux commandsNguyen Vinh
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheetMartin Cabrera
 
Perf stat windows
Perf stat windowsPerf stat windows
Perf stat windowsAccenture
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Andrew Case
 
ch8-pv1-the-virtual-filesystem
ch8-pv1-the-virtual-filesystemch8-pv1-the-virtual-filesystem
ch8-pv1-the-virtual-filesystemyushiang fu
 
File encryption. [32] Write a program which accepts a filename as a .pdf
File encryption. [32] Write a program which accepts a filename as a .pdfFile encryption. [32] Write a program which accepts a filename as a .pdf
File encryption. [32] Write a program which accepts a filename as a .pdfjyothimuppasani1
 
The one page linux manual
The one page linux manualThe one page linux manual
The one page linux manualSaikat Rakshit
 
The one page linux manual
The one page linux manualThe one page linux manual
The one page linux manualCraig Cannon
 
unix_ref_card.pdf
unix_ref_card.pdfunix_ref_card.pdf
unix_ref_card.pdfGiovaRossi
 
unix_ref_card.pdf
unix_ref_card.pdfunix_ref_card.pdf
unix_ref_card.pdfGiovaRossi
 
unix_ref_card.pdf
unix_ref_card.pdfunix_ref_card.pdf
unix_ref_card.pdfGiovaRossi
 

Semelhante a n|u Dharamsala Humla : Memory Forensic by Tenzin Chokden (20)

Basic command for linux
Basic command for linuxBasic command for linux
Basic command for linux
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
List command linux fidora
List command linux fidoraList command linux fidora
List command linux fidora
 
Terminal linux commands_ Fedora based
Terminal linux commands_ Fedora basedTerminal linux commands_ Fedora based
Terminal linux commands_ Fedora based
 
Unix commands
Unix commandsUnix commands
Unix commands
 
Basic linux commands
Basic linux commandsBasic linux commands
Basic linux commands
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheet
 
Perf stat windows
Perf stat windowsPerf stat windows
Perf stat windows
 
Top ESXi command line v2.0
Top ESXi command line v2.0Top ESXi command line v2.0
Top ESXi command line v2.0
 
Hta w22
Hta w22Hta w22
Hta w22
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
 
Plesk CLI Wrapper
Plesk CLI WrapperPlesk CLI Wrapper
Plesk CLI Wrapper
 
ch8-pv1-the-virtual-filesystem
ch8-pv1-the-virtual-filesystemch8-pv1-the-virtual-filesystem
ch8-pv1-the-virtual-filesystem
 
File encryption. [32] Write a program which accepts a filename as a .pdf
File encryption. [32] Write a program which accepts a filename as a .pdfFile encryption. [32] Write a program which accepts a filename as a .pdf
File encryption. [32] Write a program which accepts a filename as a .pdf
 
sift_cheat_sheet.pdf
sift_cheat_sheet.pdfsift_cheat_sheet.pdf
sift_cheat_sheet.pdf
 
The one page linux manual
The one page linux manualThe one page linux manual
The one page linux manual
 
The one page linux manual
The one page linux manualThe one page linux manual
The one page linux manual
 
unix_ref_card.pdf
unix_ref_card.pdfunix_ref_card.pdf
unix_ref_card.pdf
 
unix_ref_card.pdf
unix_ref_card.pdfunix_ref_card.pdf
unix_ref_card.pdf
 
unix_ref_card.pdf
unix_ref_card.pdfunix_ref_card.pdf
unix_ref_card.pdf
 

Mais de Sunil Kumar

Basics of Cryptography
Basics of CryptographyBasics of Cryptography
Basics of CryptographySunil Kumar
 
3Es of Ransomware
3Es of Ransomware3Es of Ransomware
3Es of RansomwareSunil Kumar
 
Http2 Security Perspective
Http2 Security PerspectiveHttp2 Security Perspective
Http2 Security PerspectiveSunil Kumar
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Jsonp null-meet-02-2015
Jsonp null-meet-02-2015Jsonp null-meet-02-2015
Jsonp null-meet-02-2015Sunil Kumar
 
Dt5 varenni win_pcapdosdonts
Dt5 varenni win_pcapdosdontsDt5 varenni win_pcapdosdonts
Dt5 varenni win_pcapdosdontsSunil Kumar
 
Nullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBINullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBISunil Kumar
 

Mais de Sunil Kumar (7)

Basics of Cryptography
Basics of CryptographyBasics of Cryptography
Basics of Cryptography
 
3Es of Ransomware
3Es of Ransomware3Es of Ransomware
3Es of Ransomware
 
Http2 Security Perspective
Http2 Security PerspectiveHttp2 Security Perspective
Http2 Security Perspective
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
Jsonp null-meet-02-2015
Jsonp null-meet-02-2015Jsonp null-meet-02-2015
Jsonp null-meet-02-2015
 
Dt5 varenni win_pcapdosdonts
Dt5 varenni win_pcapdosdontsDt5 varenni win_pcapdosdonts
Dt5 varenni win_pcapdosdonts
 
Nullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBINullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBI
 

Último

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...masabamasaba
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...chiefasafspells
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburgmasabamasaba
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...Jittipong Loespradit
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...masabamasaba
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxAnnaArtyushina1
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2
 

Último (20)

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 

n|u Dharamsala Humla : Memory Forensic by Tenzin Chokden

  • 1. { Null Humla Session 0.1 Memory forensics with Volatility2.4
  • 2.  Usage  Vol.py –f image --profile=(imageinfo) –plugins  -f parameter  It is used to locate the source memory image  Vol.py –f sality.vmem  imageinfo  To identify the memory image  Vol.py –f sality.vmem imageinfo  Vol.py –f sality.vmem –proflie=WinXPSP2x86 connscan Steps in Analysing
  • 3. pstree  Prints the process list in tree structure. Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 pstree
  • 4. Connscan  Scans for tcp connections Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 connscan
  • 5.  Lets run the pstree command again….. Interesting connections ??
  • 6. Printkey  Print a registry key and its subkey and values Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 printkey –K “MicrosoftWindowsCurrentVersionRun” Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 printkey –K “MicrosoftWindowsNTCurrentVersion Winlogon”
  • 7. Malfind  Find hidden or injected code/Dll Vol.py –f zeus.vmem –profile =WinXPSP2x86 malfind –dump-dir ~/code-injections
  • 8. Vol.py –f zeus.vmem –profile =WinXPSP2x86 malfind -p 856 –dump-dir ~/code-injections Too much data ?? Let’s narrow it down !!!
  • 9. Vol.py –f zeus.vmem printkey –K “ControlSet001ServicesSharedAccess ParametersFirewallPolicyStandard Profile” This malware shutdowns firewall also …..

Notas do Editor

  1. We have to select a profile since by default It takes winxpsp2x86
  2. Looks like there is nothing wrong with the process… see if its making any connections Run plugins sockets also ….
  3. SEE WHO OWNS THE PROCESS AND WHO IS ITS PARENTS RUN THE IP IN VIRUS TOTAL AND SEE
  4. IF its connecting to a site… it will make sure to be persistant .. Since it doesn’t make sense it will loose connection on restart …. Lets look into registries for autorun entries …. Lot of entries in registry …. We have to try all.
  5. These are possible code injections … but the exe you get here is not the whole process but only the injected part …. You can always load it in vm and start your normal analysis. IF you want whole process dump then the parameter is procdump –p id dump-dir
  6. -p parameter to select a particular process … You can take a hash of it and always find something on the virus total. take an md5sum of both file and submit to virus total.
  7. This malwares shutdowns the fireswall also …