Welcome to Scribd!

Skip carousel

Lab 18-19: Memory Dump Tool (Moonsols Windows Memory Toolkit) Memory Analysis Tool (Volatility Framework)

Uploaded by

THUẬN NGUYỄN MINH

0% found this document useful (0 votes)

2 views14 pages

Original Title

Lab 18-19

Copyright

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

0% found this document useful (0 votes)

2 views14 pages

Lab 18-19: Memory Dump Tool (Moonsols Windows Memory Toolkit) Memory Analysis Tool (Volatility Framework)

Uploaded by

THUẬN NGUYỄN MINH

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Jump to Page

You are on page 1of 14

Search inside document

Lab 18-19:

Memory Dump Tool (MoonSols Windows

Memory Toolkit)
Memory Analysis Tool (Volatility
Framework) I

Because teaching teaches

teachers to teach
Memory Forensics
2

 Memory forensics refers to finding and extracting

forensic artifacts from a computer’s physical memory
(RAM). It contains critical information about the
runtime state of the system.
 By capturing an entire copy of RAM and analyzing it
on a separate computer, it is possible to reconstruct
the state of the original system:
 Applications were running.
 Network connections were active, and
 Many other artifacts.

2
MoonSols
3

 MoonSols Windows Memory Toolkit supports

memory window OS.
 The attractive features:
 hashing with MD5, SHA-1, and SHA-256.
 Transmit memory dumps across the Network.
 map memory in three different ways.
 convert full memory dumps to Microsoft crash dumps
 convert hibernation files into memory dumps.
 support for scripting, dumping memory from a greater number
of OS versions, converting from an x64 architecture.

3
Using MoonSols/win64dd
4

• Download MoonSols on
https://www.heise.de/download/product/
moonsols-windows-memory-toolkit-
81902/download/danke?id=81902-1

4
Using MoonSols/win64dd
5

win64dd shows
details about the
computer’s
memory
configuration

5
Using MoonSols/win64dd
6

win64dd shows
details about the
computer’s
memory
configuration

6
Using MoonSols/dumpIT
7

Create dump file to

capture memory
win64dd -d /f
c:\memory.dmp

7
Volatility
8

• Using volatility to examine the memory

file’s contents for malicious artifacts from
dump file.
• Download on
http://www.volatilityfoundation.org/relea
ses

8
Volatility
9

• Using volatility to examine the memory

file’s contents for malicious artifacts from
dump file.
• Download on
http://www.volatilityfoundation.org/relea
ses
• Download dump memory on
http://www.jonrajewski.com/data/Malwa
re/stuxnet.vmem.zip

9
Volatility
10

• To start, the dlldump plugin will be used

to extract the main application executable
and all* loaded DLLs inside of each**
process

10
Detection with ClamScan
11

11
Advantages to this approach
12

 Speed: ClamAV can take anywhere from 1 minute

to 10 minutes to scan all files extracted from
memory samples that we regularly encounter.
 Scalability: Since the entire triage process
described in the writeup can be scripted and will
almost always be finished in less than 15 minutes,
this approach to detecting known malware is
highly scalable.

12
Advantages to this approach
13

 Memory-Only Malware & Injected Code:

Through the use of malfind, we are able to find
code injected into memory that may never exist on
disk and that may have been injected in ways that
traditional endpoint security tools would have
missed.
 No Need to Upload Samples: By running your
testing local, you bypass the need to upload
potential targeted malware to services such as
VirusTotal or to your anti-virus vendor.

13
Q&A

HACKING WITH KALI LINUX PENETRATION TESTING: Mastering Ethical Hacking Techniques with Kali Linux (2024 Guide for Beginners)
From Everand
HACKING WITH KALI LINUX PENETRATION TESTING: Mastering Ethical Hacking Techniques with Kali Linux (2024 Guide for Beginners)
BARBARA HEATH
No ratings yet
Linux in Action
From Everand
Linux in Action
David Clinton
No ratings yet
Yash Darole DF 5
Document7 pages
Yash Darole DF 5
05. Yash Darole
No ratings yet
Memory Forensics - RALFKAIROS
Document40 pages
Memory Forensics - RALFKAIROS
Akeu Mulyajaya
No ratings yet
Static Malware Analysis Techniques
Document15 pages
Static Malware Analysis Techniques
vibhi
No ratings yet
2021 09 28 - Landlock Oss
Document30 pages
2021 09 28 - Landlock Oss
Y Y
No ratings yet
Discovering Oracle Accounts With
Document40 pages
Discovering Oracle Accounts With
Steven Conley
No ratings yet
SCTS 242: Network Intrusion Detection and Penetration Testing
Document21 pages
SCTS 242: Network Intrusion Detection and Penetration Testing
Abraham Amsel
No ratings yet
Capturing Memory Dumps With Microsoft's&reg Debugging Tools For Windows
Document10 pages
Capturing Memory Dumps With Microsoft's&reg Debugging Tools For Windows
venu
No ratings yet
Samim-DFMA Lab Workbook
Document48 pages
Samim-DFMA Lab Workbook
Garvit Hooda
No ratings yet
Helix Tool Use Case
Document32 pages
Helix Tool Use Case
Santosh kumar behera
No ratings yet
Learning Objectives of Memory Analysis: SEPTEMBER 27, 2020
Document14 pages
Learning Objectives of Memory Analysis: SEPTEMBER 27, 2020
simasiku.oliver99
No ratings yet
Android Forensics: Boot Process, Security, System, Rooting, Dumping, Analysis, Etc
Document27 pages
Android Forensics: Boot Process, Security, System, Rooting, Dumping, Analysis, Etc
Francesco Vianello
No ratings yet
04-OS and Multimedia Forensics
Document189 pages
04-OS and Multimedia Forensics
Mohammed Lajam
100% (1)
© 2018 Caendra Inc. - Hera For Ptpv5 - Linux Exploitation (Lateral Movement)
Document14 pages
© 2018 Caendra Inc. - Hera For Ptpv5 - Linux Exploitation (Lateral Movement)
Saw Gyi
No ratings yet
Appendix A
Document54 pages
Appendix A
ramakrishnan drhv
No ratings yet
CF Practicals PDF
Document117 pages
CF Practicals PDF
Nikhil Amodkar
No ratings yet
Windows Memory Analysis With Volatility
Document21 pages
Windows Memory Analysis With Volatility
raul Zuloaga
No ratings yet
Experiment-2 Digital Forensics AIM-Capture The Memory of Any OS System and Try To Analyse .Mem File On Kali Using Volatility Tool DATE: 06-02-2021
Document21 pages
Experiment-2 Digital Forensics AIM-Capture The Memory of Any OS System and Try To Analyse .Mem File On Kali Using Volatility Tool DATE: 06-02-2021
TANISHA PATHAK
No ratings yet
Accelerated Windows Malware Analysis With Memory Dumps (PDFDrive)
Document235 pages
Accelerated Windows Malware Analysis With Memory Dumps (PDFDrive)
Luz Polo
No ratings yet
McAfee SuperDAT Performing A Command-Line Scan in Windows Vista XP 2003 or 2000
Document6 pages
McAfee SuperDAT Performing A Command-Line Scan in Windows Vista XP 2003 or 2000
dige83
No ratings yet
Android - 2
Document8 pages
Android - 2
Rohit Sarna
No ratings yet
Approach To Learning
Document8 pages
Approach To Learning
simasiku.oliver99
No ratings yet
Software Cracking: Navigation Search
Document8 pages
Software Cracking: Navigation Search
Nagalingaraja Rnr
No ratings yet
2: Getting Started With LAMMPS: J. Matthew D. Lane
Document9 pages
2: Getting Started With LAMMPS: J. Matthew D. Lane
Haydar Akdağ
No ratings yet
Basic Malware
Document15 pages
Basic Malware
Rin Tohsaka
No ratings yet
File Combiner and Extractor
Document43 pages
File Combiner and Extractor
Anurag Khotkar
100% (1)
Computer Forensics Process For Beginners
Document8 pages
Computer Forensics Process For Beginners
Sachin Jung Karki
No ratings yet
Kailas Patil - Tutorial To Configure and Use Snort IDS On Windows XP
Document2 pages
Kailas Patil - Tutorial To Configure and Use Snort IDS On Windows XP
lara2005
No ratings yet
Detect Malware W Memory Forensics
Document27 pages
Detect Malware W Memory Forensics
محيي الباز
No ratings yet
RPM File Extraction and Storage Configuration
Document62 pages
RPM File Extraction and Storage Configuration
Isha Tripathi
No ratings yet
20 Sood Enbody Botnets Die Hard ?
Document50 pages
20 Sood Enbody Botnets Die Hard ?
Ashish Saikia
No ratings yet
Hp-Ux Root Mirror
Document13 pages
Hp-Ux Root Mirror
joshua551
No ratings yet
Windows Privilege Escalation Scripts
Document56 pages
Windows Privilege Escalation Scripts
vybi
No ratings yet
25 Run Commands in Windows You Should Memorize - EN
Document19 pages
25 Run Commands in Windows You Should Memorize - EN
Stay
No ratings yet
How To Reimage A Node Using A Usb Flash Drive Guide
Document9 pages
How To Reimage A Node Using A Usb Flash Drive Guide
Peter Sonap
No ratings yet
Debugging Heap Corruption in Visual C++ Using Microsoft Debugging Tools For Windows
Document12 pages
Debugging Heap Corruption in Visual C++ Using Microsoft Debugging Tools For Windows
faklsdjfnasdjkfpdaskjçflkasdj
No ratings yet
Memorious Documentation
Document18 pages
Memorious Documentation
Robin Kiplangat
No ratings yet
Practical Malware Analysis
Document65 pages
Practical Malware Analysis
uchihamadaraclan00
No ratings yet
4 5832631030384691806
Document16 pages
4 5832631030384691806
Tarek Hamze
No ratings yet
Lampsec ctf6 PDF
Document50 pages
Lampsec ctf6 PDF
Aditama Dev
No ratings yet
Virtuali Sations
Document3 pages
Virtuali Sations
Shilps Sellathurai
No ratings yet
1.1.3 Input, Output and Storage
Document12 pages
1.1.3 Input, Output and Storage
subashini silva
No ratings yet
Kernel Panics
Document28 pages
Kernel Panics
PSG
No ratings yet
4 Ways Clone Entire Hard Drive Linux
Document8 pages
4 Ways Clone Entire Hard Drive Linux
Jorge Daniel Martín
No ratings yet
LiME - Linux Memory Extractor
Document8 pages
LiME - Linux Memory Extractor
Christos Peristeris
No ratings yet
Eroraha Memory Forensics
Document24 pages
Eroraha Memory Forensics
Adriana Hernandez
No ratings yet
Cyber Security Analyst Hands-on Training Course
Document9 pages
Cyber Security Analyst Hands-on Training Course
md shahriar samir
No ratings yet
FOR518 Ex 0 G01 01
Document5 pages
FOR518 Ex 0 G01 01
Elfawizzy
No ratings yet
OS Services User Interface Program Execution File Manipulation
Document4 pages
OS Services User Interface Program Execution File Manipulation
Hazem Mohamed
No ratings yet
Glomosim
Document6 pages
Glomosim
Mylsamy Shanmugam
No ratings yet
Forensic1394 - WhitePaper
Document13 pages
Forensic1394 - WhitePaper
Ion Vasilescu
No ratings yet
MCA Cyber Security Concepts and Practices 14
Document9 pages
MCA Cyber Security Concepts and Practices 14
gs menon
No ratings yet
Costumizing Slax Linux
Document32 pages
Costumizing Slax Linux
six ballack
No ratings yet
Sun Solaris
Document12 pages
Sun Solaris
Prosenjit
No ratings yet
Analysis of Physical Image Acquisition Forensic Tools For Android Smartphones
Document8 pages
Analysis of Physical Image Acquisition Forensic Tools For Android Smartphones
Satrio Ing Bayu
No ratings yet
UNWRAPPING TOOLS
Document12 pages
UNWRAPPING TOOLS
minojnext
No ratings yet
Solaris Security Step by Step
Document16 pages
Solaris Security Step by Step
b_binev
No ratings yet
18ai63 Module4
Document40 pages
18ai63 Module4
Varshini Ravikumar
No ratings yet
Workouts 1
Document26 pages
Workouts 1
Hari Krishnan
No ratings yet
Lab 13: Analysis Automation Tools: Because Teaching Teaches Teachers To Teach
Document5 pages
Lab 13: Analysis Automation Tools: Because Teaching Teaches Teachers To Teach
THUẬN NGUYỄN MINH
No ratings yet
U6 - Clinic and Insurance
Document5 pages
U6 - Clinic and Insurance
THUẬN NGUYỄN MINH
No ratings yet
Lab 11: Using FOG For Cloning and Imaging Disks: Because Teaching Teaches Teachers To Teach
Document6 pages
Lab 11: Using FOG For Cloning and Imaging Disks: Because Teaching Teaches Teachers To Teach
THUẬN NGUYỄN MINH
No ratings yet
Lab 17: Implementing Debugger: Because Teaching Teaches Teachers To Teach
Document6 pages
Lab 17: Implementing Debugger: Because Teaching Teaches Teachers To Teach
THUẬN NGUYỄN MINH
No ratings yet
Lab 6: Public AV Scanners: Because Teaching Teaches Teachers To Teach
Document11 pages
Lab 6: Public AV Scanners: Because Teaching Teaches Teachers To Teach
THUẬN NGUYỄN MINH
No ratings yet
Lab 15: Identifying Packers Using Peid: Because Teaching Teaches Teachers To Teach
Document9 pages
Lab 15: Identifying Packers Using Peid: Because Teaching Teaches Teachers To Teach
THUẬN NGUYỄN MINH
No ratings yet
Lab 7: Ma With Cwsandbox, Anubis: Because Teaching Teaches Teachers To Teach
Document10 pages
Lab 7: Ma With Cwsandbox, Anubis: Because Teaching Teaches Teachers To Teach
THUẬN NGUYỄN MINH
No ratings yet
Lab 2-3: Clamav: Because Teaching Teaches Teachers To Teach
Document10 pages
Lab 2-3: Clamav: Because Teaching Teaches Teachers To Teach
THUẬN NGUYỄN MINH
No ratings yet
Lab 5: Sandbox Setup and Configuration: Because Teaching Teaches Teachers To Teach
Document11 pages
Lab 5: Sandbox Setup and Configuration: Because Teaching Teaches Teachers To Teach
THUẬN NGUYỄN MINH
No ratings yet
Lab 4: YARA: Because Teaching Teaches Teachers To Teach
Document8 pages
Lab 4: YARA: Because Teaching Teaches Teachers To Teach
THUẬN NGUYỄN MINH
No ratings yet
Lab 01
Document11 pages
Lab 01
THUẬN NGUYỄN MINH
No ratings yet
II IIR18 IT DBMS (0) FG
Document5 pages
II IIR18 IT DBMS (0) FG
Manish Bhatia
No ratings yet
Database Health Check
Document6 pages
Database Health Check
Jennifer Norris
No ratings yet
Nitish Resume
Document1 page
Nitish Resume
rajputcreateryogi
No ratings yet
Project Report of Post Office Management System
Document20 pages
Project Report of Post Office Management System
Sumit Tembhare
75% (12)
A Survey On Trending Topics of Microservices
Document6 pages
A Survey On Trending Topics of Microservices
WARSE Journals
No ratings yet
Application Note: Replacing A NXP/Philips P80C552 Processor With A P83C552/xxx Processor
Document2 pages
Application Note: Replacing A NXP/Philips P80C552 Processor With A P83C552/xxx Processor
Pieter Hoeben
No ratings yet
Mobile IP
Document7 pages
Mobile IP
Varun
No ratings yet
Key Benefits and Applications of Edge Computing in a Less Than 40 Character Title
Document4 pages
Key Benefits and Applications of Edge Computing in a Less Than 40 Character Title
Marimuthu A
No ratings yet
Data Lake Tutorial Slides
Document126 pages
Data Lake Tutorial Slides
Fernando Montoya Cubas
No ratings yet
MosquitoCapital Thread Tivitiko
Document7 pages
MosquitoCapital Thread Tivitiko
Dom Mills
No ratings yet
How To Connect To Your Remote MongoDB Server - Ian London's Blog
Document8 pages
How To Connect To Your Remote MongoDB Server - Ian London's Blog
Yusto Malik Omondi
No ratings yet
Google Hacking Database (GHDB) - Google Dorks, OSINT, Recon2
Document1 page
Google Hacking Database (GHDB) - Google Dorks, OSINT, Recon2
Mounir2105
No ratings yet
Introduction To Salesforce OmniStudio - Apex Hours
Document15 pages
Introduction To Salesforce OmniStudio - Apex Hours
Daniel O. Freitas
No ratings yet
Gmail Delay Send Web - Documentation (v8)
Document7 pages
Gmail Delay Send Web - Documentation (v8)
saxon_orrik
No ratings yet
1st Assessment Exam in Specialization 2020 - 2021 With Answer Key
Document3 pages
1st Assessment Exam in Specialization 2020 - 2021 With Answer Key
Dhealine Jusayan
100% (1)
An Approach For Eliciting Software Requirements and Its Prioritization Using Analytic Hierarchy Process
Document6 pages
An Approach For Eliciting Software Requirements and Its Prioritization Using Analytic Hierarchy Process
javed501
No ratings yet
Xoriant CST: Topic Computer Network
Document28 pages
Xoriant CST: Topic Computer Network
manishaotari_9676770
No ratings yet
Peningkatan Laba Operasi Dengan Pengendalian Biaya Produksi: Sustainable Competitive Advantage-9 (Sca-9) Feb Unsoed
Document15 pages
Peningkatan Laba Operasi Dengan Pengendalian Biaya Produksi: Sustainable Competitive Advantage-9 (Sca-9) Feb Unsoed
gina anggi
No ratings yet
Trellix Datasheet DLP Prevent
Document3 pages
Trellix Datasheet DLP Prevent
Yuvashree A
No ratings yet
AIS Chapter 1 - PART 2
Document27 pages
AIS Chapter 1 - PART 2
natalie clyde mates
No ratings yet
Efiling Manual
Document120 pages
Efiling Manual
Keep Guessing
No ratings yet
Verri Puku Scribd
Document584 pages
Verri Puku Scribd
ajax248590
No ratings yet
Database Vault DBA Best Practices
Document22 pages
Database Vault DBA Best Practices
Rameem Rashed
100% (1)
How To Migrate From B1iSN 8.8 To 9.0
Document45 pages
How To Migrate From B1iSN 8.8 To 9.0
Andres Rj
No ratings yet
ICT (I.T.) (NTA 4) - Brochure
Document1 page
ICT (I.T.) (NTA 4) - Brochure
johhn
No ratings yet
1.2 Describe The Concept of Cache Memory
Document18 pages
1.2 Describe The Concept of Cache Memory
00.wonderer.00
No ratings yet
Avaya Aura Contact Center Troubleshooting
Document222 pages
Avaya Aura Contact Center Troubleshooting
Asnake Tegenaw
No ratings yet
Data Mining Assignment
Document11 pages
Data Mining Assignment
Sahil Thakur
No ratings yet
All About Output Post Processor (OPP) in Oracle Applications
Document4 pages
All About Output Post Processor (OPP) in Oracle Applications
f_isdn
No ratings yet
OpenText Business Center Capture For SAP Solutions 16.7.4 - Customization Guide English (CPBC160704-CGD-En-01)
Document232 pages
OpenText Business Center Capture For SAP Solutions 16.7.4 - Customization Guide English (CPBC160704-CGD-En-01)
Sandhya Aenugula
No ratings yet