pbnetworks - Computer Security Solutions

pbnetworks - Computer Security Solutions

03/27/16 Forensic Analysis with Redline and Volatility

We show you how to dig deep to find hidden and covert processes, clandestine communications, and signs of misconduct on your network.

In a previous article [1], I described how to obtain a memory image from a Windows computer that would allow forensic analysis. I briefly discussed using F-Response TACTICAL [2] to get the memory image, and then Volatility [3] and Mandiant Redline [4] for further investigation. In this paper, I dive more deeply into Redline and Volatility.

To begin, I review a raw memory dump of a known malware variant (see the "Malware Image" box) with Mandiant Redline. After firing up Redline, I chose By Analyzing a Saved Memory File under Analyze Data and browsed to the location of the memory image. Next, I edited my script to include Strings for both Process Listing and Driver Enumeration. Finally, I chose a destination to store the output for future analysis and to analyze memory dumps.

Don't miss an issue of the magazine for admins! Subscribe now!

Issue #21 will be shipped to subscribers and available on newsstands starting approximately:

UK/Europe: June 23
North America: July 18
Australia: August 18

Return to Home
Copyright © 2024 pbnetworks. All Rights Reserved. ip information