hacktricks/forensics/basic-forensic-methodology/memory-dump-analysis
carlospolop 9e5102b4c0 social
2023-03-06 00:15:43 +01:00
..
README.md social 2023-03-06 00:15:43 +01:00

Memory dump analysis

HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥

RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.

{% embed url="https://www.rootedcon.com/" %}

Start

Start searching for malware inside the pcap. Use the tools mentioned in Malware Analysis.

Volatility

The premiere open-source framework for memory dump analysis is Volatility. Volatility is a Python script for parsing memory dumps that were gathered with an external tool (or a VMware memory image gathered by pausing the VM). So, given the memory dump file and the relevant "profile" (the OS from which the dump was gathered), Volatility can start identifying the structures in the data: running processes, passwords, etc. It is also extensible using plugins for extracting various types of artifacts.
From: https://trailofbits.github.io/ctf/forensics/

Mini dump crash report

When the dump is small (just some KB, maybe a few MB) then it's probably a mini dump crash report and not a memory dump.

If you have Visual Studio installed, you can open this file and bind some basic information like process name, architecture, exception info and modules being executed:

You can also load the exception and see the decompiled instructions

Anyway, Visual Studio isn't the best tool to perform an analysis of the depth of the dump.

You should open it using IDA or Radare to inspection it in depth.

RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.

{% embed url="https://www.rootedcon.com/" %}

HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥