A short introduction to Memory Forensics
Memory forensics allows first responders to extract relevant information from RAM. Interesting information, such as the URL of an attacker's command and control server, is often obfuscated while the program is stored on disk and is only decoded while the program is running. A thorough analysis of the computer's RAM will therefore reveal not only an IOC like the command server's URL, but also other artefacts of the attacker's activity. This presentation shows how Volatility can be used for such an analysis. Results include, but are not limited to, artefacts of DLL injection, network connections and API hooks.
About the speaker
Eddi Blenkers, Security Analyst at BLS
Eddi Blenkers is a security practitioner with over 20 years of experience.
He uses network traces, memory dumps, disk images and log files to hunt for malware.
He currently works for the Swiss rail company BLS as a Security Analyst.