7. Memory Analysis

Question 1

Why Analyze Memory?

Answer 1

1. Malware has to execute.
2. Everything that execute, runs through RAM
3. Therefore, Malware has to run through RAM

Question 2

How to preserve RAM.

Answer 2

Infected Machine should be left running.

Question 3

What it Fileless malware

Answer 3

Does not touch the disk.

Question 4

Encrypted Systems

Answer 4

1. CPU runs in clear text.

2. Decryption first before running.

Question 5

Dump Format: RAW

Answer 5

Live memory acquisition tools

Question 6

Dump Format: Crash Dump

Answer 6

Generated during a crash

Question 7

Dump Format: hiberfil.sys

Answer 7

Windows (laptops). Created during hibernation mode

Question 8

Dump Format: EWF

Answer 8

Expert Witness Disk Image Format (EnCase)

Standard for analyzing memory Dumps

Question 9

Dump Format: AFF4

Answer 9

WinPMEM.Memory Dump

Question 10

Analysis Frameworks

Answer 10

1. Rekall

2. Volatility

Question 11

Volatility

Answer 11

Best known. Windows, Linux, Mac.

Question 12

Rekall

Answer 12

Develop by Google

Question 13

Six Investigation Steps

Answer 13

1. Processes
2. DLL and Handles
3. Network
4. Code Injection
5. RootKits
6. Dump

Question 14

What is KDbg?

Answer 14

KDbg is a data structure for RAW memory image.

Question 15

What is Memory Profile

Answer 15

Different Windows version have different profiles.

Question 16

VM Metadata

Answer 16

Memory Images from VM contain Metadata

Question 17

Why image conversion?

Answer 17

Volatility: needs RAW memory image.