Having obtained an image of the memory of a compromised system, what to do with it? This part of the forensic process is called analysis, and this webinar will go through the first steps of analysing a memory image, looking into processes, network and temporary filesystems as well as some operating system specific artefacts, such as the Windows registry of the Linux Bash history.
Malware that is other compressed and encrypted on disk is usually unpacked and in cleartext in memory. Likewise, rootkits that conceal adversary activities can be found with relative ease in the memory image of a compromised system. This webinar will show some techniques to obtain malware that works along common ways, such as DLL injection, malicious kernel modules, or system call table...
In this session, we will discuss the basic concepts of persistent storage forensics. Furthermore, some approaches with easy-to-use basic tools will be presented and demonstrated.