Note: This post originally appeared on the SANS Forensics blog

As memory forensics has become better understood and more widely accomplished, tools have proliferated.  More importantly, the capabilities of the tools have greatly improved.  Traditionally, memory analysis has been the sole domain of Windows internals experts, but recent tools now make analysis feasible for the rank-and-file forensic examiner.  Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field.  We are also seeing novel ways to attack the problem.  One of the more interesting developments I have been following lately is the advent of live memory analysis.

I credit the free Mandiant Memoryze tool with popularizing the idea of performing live memory analysis, and I believe it is a revolutionary change.  The idea itself could be as controversial as creating a memory image was just a few years ago.  Do you remember the naysayers questioning how our forensic analysis could possibly be valid if we were to run our imaging applications on the live system?  Shouldn’t we still be pulling the plug?  What would they say if we now told them we were going to play “Find the Hacker” on that same live system?  Luckily it turns out that the system impact of doing a live analysis versus (or in addition to) taking a memory image is minimal.  And the benefits are great:

  • Inclusion of the system pagefile, providing a more complete picture of memory
  • Digital signature checks of process and driver executables
  • More accurate heuristics matching
  • Faster triage capability

Keep in mind that live analysis works by accessing physical memory directly rather than relying upon API calls, open handles, or debuggers.  Thus it is just as effective at defeating advanced malware and rootkits as analyzing a standard memory image.  Convinced yet?  If so, here is how to perform a live memory analysis with the new free tool, Redline:

Sony Playstation Network Hack

Cidox

Kaspersky Labs recently provided an interesting writeup of a scareware rootkit that infects both the Master Boot Record (MBR) and the NTFS Volume Boot Record (VBR).

The interesting part is that the Initial Program Loader (IPL) within the NTFS VBR is overwritten.  It seems that the traditional method of looking for modifications to the MBR and any code following it is not enough.  A sanity check of the NTFS boot loader (NTLDR in XP and before, BOOTMGR in Vista and later) should also be performed.

A couple of great pages for detailed information on the MBR and NTFS VBR follow.


Digitally signed malware on the rise <-IR procedures need to adapt (via @) #DFIR
Chad Tilbury

Note: This post originally appeared on the SANS Forensics blog

As Windows Registry artifacts go, the “Shellbag” keys tend to be some of the more complicated artifacts we have to decipher.  But they are worth the effort, giving an excellent means to prove the existence of files and folders along with user knowledge.  Shellbags can be used to answer the difficult questions of data enumeration in intrusion cases, identify the contents of long gone removable devices, and show the contents of previously mounted encrypted volumes.   Information persists for deleted folders, providing an invaluable reference for items no longer part of the file system.


60 Seconds - Things That Happen On Internet Every Sixty Seconds (infographic by Shanghai Web Designers)

Hack Attack Infographic

“You can help your organization if you consider computer forensics as a new basic element in what is known as a ‘defense-in-depth’ approach to network and computer security.”

– US-CERT Whitepaper

Computer forensics growing part of Fed cybersecurity strategy