SANS Digital Forensics and Incident Response Blog: Author - Manuel Humberto Santander Peláez

Memory forensics: A practical example

We have an incident involving a company workstation. It runs all the antimalware protections, a host IPS, and Windows GPOs that keep users from executing anything nasty, yet we still see suspicious traffic on the network, and it looks like it is being used to exfiltrate information. What should we do to get clues about what is happening?

Memory forensics can help us here. The first step is to acquire a memory image of the machine, which we will do with ManTech's MDD tool (http://www.mantech.com/msma/mdd.asp):

Once we have the image, we need a tool that can extract the artifacts inside it so that we get evidence for our case. We will use the Volatility framework (https://www.volatilesystems.com/default/volatility). It is an open-source tool written in Python that can dig into Windows XP memory images and gather information such as the sockets created, the process list, the DLLs loaded by each process, the active connections

... Continue reading Memory forensics: A practical example
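To show how the artifacts listed above are actually put to use, here is an added example (not code from the post, nor from the Volatility project) that correlates the process list with the active connections to find which process owns a connection to a host outside the company network. The two tables are constructed to resemble the plain-text output of Volatility's pslist and connections plugins; the internal address range and the expected parent of each Windows XP system process are assumptions for the example.

```python
"""Correlate Volatility pslist and connections output to find the process
behind an outbound connection. Added example; sample tables are constructed."""
import ipaddress
from collections import namedtuple

Process = namedtuple("Process", "name pid ppid threads handles start")
Connection = namedtuple("Connection", "local remote pid")
Finding = namedtuple("Finding", "pid name parent_name remote reasons")

# Constructed sample in the style of Volatility's pslist output for a
# Windows XP image (not output from the case in the post).
PSLIST_OUTPUT = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      57     241    Thu Jan 01 00:00:00 1970
smss.exe             368    4      3      21     Tue Mar 03 14:02:11 2009
csrss.exe            592    368    12     417    Tue Mar 03 14:02:14 2009
winlogon.exe         616    368    19     562    Tue Mar 03 14:02:15 2009
services.exe         660    616    16     277    Tue Mar 03 14:02:16 2009
lsass.exe            672    616    23     370    Tue Mar 03 14:02:16 2009
svchost.exe          848    660    9      226    Tue Mar 03 14:02:18 2009
explorer.exe         1472   1428   13     432    Tue Mar 03 14:02:40 2009
outlook.exe          1720   1472   21     610    Tue Mar 03 14:05:02 2009
svchost.exe          2060   1472   4      95     Tue Mar 03 14:31:55 2009
"""

# Constructed sample in the style of the connections plugin. The remote
# 198.51.100.x addresses are a documentation range used as a placeholder.
CONNECTIONS_OUTPUT = """\
Local Address             Remote Address            Pid
192.168.10.23:1034        192.168.10.5:445          4
192.168.10.23:1051        192.168.10.9:1025         1720
192.168.10.23:1063        198.51.100.77:443         2060
192.168.10.23:1088        198.51.100.77:8080        3100
"""

# Assumption: the company's internal address space; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Assumption: normal parentage of core Windows XP system processes. A core
# process hanging off a different parent is a classic sign of a masquerader.
EXPECTED_PARENT = {
    "csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}


def parse_pslist(text):
    """Parse the whitespace-delimited pslist table into {pid: Process}."""
    procs = {}
    for line in text.splitlines()[1:]:  # first line is the header
        if not line.strip():
            continue
        name, pid, ppid, thds, hnds, start = line.split(None, 5)
        procs[int(pid)] = Process(name, int(pid), int(ppid),
                                  int(thds), int(hnds), start)
    return procs


def parse_connections(text):
    """Parse the connections table into a list of Connection records."""
    conns = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        local, remote, pid = line.split()
        conns.append(Connection(local, remote, int(pid)))
    return conns


def is_internal(endpoint, internal_nets):
    """True if the host part of 'ip:port' lies inside one of internal_nets."""
    host = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    return any(host in net for net in internal_nets)


def find_suspicious(procs, conns, internal_nets):
    """One Finding per connection to an external host, with the owning
    process resolved from the process list and its parent checked."""
    findings = []
    for conn in conns:
        if is_internal(conn.remote, internal_nets):
            continue
        reasons = ["connection to external host %s" % conn.remote]
        proc = procs.get(conn.pid)
        if proc is None:
            # A socket owned by a PID pslist does not know about deserves a
            # look of its own: the process may be hidden or already gone.
            reasons.append("pid not in process list")
            findings.append(Finding(conn.pid, None, None, conn.remote, tuple(reasons)))
            continue
        parent = procs.get(proc.ppid)
        parent_name = parent.name if parent else None
        expected = EXPECTED_PARENT.get(proc.name.lower())
        if expected and parent_name != expected:
            reasons.append("unexpected parent %s (expected %s)" % (parent_name, expected))
        findings.append(Finding(proc.pid, proc.name, parent_name, conn.remote, tuple(reasons)))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_OUTPUT)
    for f in find_suspicious(procs, parse_connections(CONNECTIONS_OUTPUT), INTERNAL_NETS):
        started = procs[f.pid].start if f.pid in procs else "unknown"
        print("PID %s %s (parent: %s, started %s)" % (f.pid, f.name, f.parent_name, started))
        for reason in f.reasons:
            print("  - " + reason)
```

Run it as a script to print the findings: the second svchost.exe is flagged both for talking to an outside host and for being a child of explorer.exe rather than services.exe, and the connection owned by a PID missing from the process list is flagged on its own. In a real case the two tables would be the saved plugin output from the image, and each flagged PID would be followed up with the DLL list and a dump of the process.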