book

Malware Forensics Field Guide for Windows Systems

by Cameron H. Malin, Eoghan Casey, James M. Aquilina

May 2012

Intermediate to advanced

560 pages

12h 55m

English

Syngress

Read now

Unlock full access

Solutions in this chapter:Volatile Data Collection and Analysis ToolsNon-Volatile Data Collection and Analysis ToolsSelected ReadingsJurisprudence/RFCS/Technical Specifications

Solutions in this chapter:Selected Readings
Solutions in this chapter:Selected Readings
Solutions in this chapter:
Solutions in this chapter:Selected Readings
Solutions in this chapter:IntroductionGoalsGuidelines for Examining a Malicious File SpecimenEstablishing the Environment BaselinePre-Execution Preparation: System and Network MonitoringExecution Artifact Capture: Digital Impression and Trace EvidenceExecuting the Malicious Code SpecimenExecution Trajectory Analysis: Observing Network, Process, Api, File System, and Registry ActivityAutomated Malware Analysis FrameworksOnline Malware Analysis SandboxesDefeating ObfuscationEmbedded Artifact Extraction RevisitedInteracting with and Manipulating the Malware Specimen: Exploring and Verifying Functionality and PurposeEvent Reconstruction and Artifact Review: Post-Run Data AnalysisDigital Virology: Advanced Profiling Through Malware Taxonomy and PhylogenyConclusionPitfalls to AvoidSelected Readings

Content preview from Malware Forensics Field Guide for Windows Systems

Chapter 2 Memory Forensics

Analyzing Physical and Process Memory Dumps for Malware Artifacts

Solutions in this chapter:

• Memory Forensics Overview

• Old School Memory Analysis

• How Windows Memory Forensic Tools Work

• Windows Memory Forensic Tools

• Dumping Windows Process Memory

• Dissecting Windows Process Memory

Introduction

The importance of memory forensics in malware investigations cannot be overstated. A complete capture of memory on a compromised computer generally bypasses the methods that malware uses to trick operating systems, providing digital investigators with a more comprehensive view of the malware. In some cases, malware leaves little trace elsewhere on the compromised system and the only clear indications of compromise ...