Lead Image © raptorcaptor, 123RF.com

Malware Analysis

Forensic Analysis with Redline and Volatility

Article from ADMIN 21/2014
We show you how to dig deep to find hidden and covert processes, clandestine communications, and signs of misconduct on your network.

In a previous article [1], I described how to obtain a memory image from a Windows computer that would allow forensic analysis. I briefly discussed using F-Response TACTICAL [2] to get the memory image, and then Volatility [3] and Mandiant Redline [4] for further investigation. In this paper, I dive more deeply into Redline and Volatility.

To begin, I reviewed a raw memory dump of a known malware variant (see the "Malware Image" box) with Mandiant Redline. After firing up Redline, I chose By Analyzing a Saved Memory File under Analyze Data and browsed to the location of the memory image. Next, I edited my script to include Strings for both Process Listing and Driver Enumeration. Finally, I chose a destination folder for the output so that the session could be reopened for later analysis of the memory dump.
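A check that sits behind both tools' hidden-process hunting is to cross-reference a listing obtained by walking the kernel's process list against one obtained by scanning memory for process objects: a process that only the scan finds has either already exited or has been unlinked from the list. The example below is added here and is not the article's or Volatility's own code; it parses constructed text in the layout of Volatility 2's pslist and psscan plugin output (the sample lines, PIDs and offsets are made up) and also flags well-known processes whose parent is not the one Windows normally gives them.

```python
"""Cross-reference two process listings from a memory image and flag
processes that only one view shows, plus processes with an unexpected parent.
Constructed example; the sample output below is invented, not from a real image."""
import re
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    name: str
    ppid: int


# Constructed sample in the column layout of Volatility 2 `pslist`
# (walks the kernel's doubly linked process list).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0x823c8830 System                    4      0     58      573 ------      0
0x8207e020 smss.exe                376      4      3       19 ------      0 2014-03-03 10:12:01
0x8200c9f8 csrss.exe               584    376     12      456      0      0 2014-03-03 10:12:03
0x81f5d020 explorer.exe           1472   1444     20      742      0      0 2014-03-03 10:12:40
"""

# Constructed sample in the layout of Volatility 2 `psscan`
# (scans physical memory for process objects, so it also sees unlinked ones).
PSSCAN_SAMPLE = """\
Offset(P)  Name                PID   PPID PDB        Time created
0x01fc8830 System                4      0 0x00319000 2014-03-03 10:12:00
0x0207e020 smss.exe            376      4 0x05a00020 2014-03-03 10:12:01
0x0200c9f8 csrss.exe           584    376 0x05a00040 2014-03-03 10:12:03
0x01f5d020 explorer.exe       1472   1444 0x05a000a0 2014-03-03 10:12:40
0x01e1a7f0 svchost.exe        2028   1472 0x05a00120 2014-03-03 10:13:15
"""

# Both plugins print: offset, name, PID, PPID, then plugin-specific columns.
LINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")

# Parents that these processes normally have on Windows (assumed baseline).
EXPECTED_PARENT = {"smss.exe": "system", "svchost.exe": "services.exe"}

Key = Tuple[int, str]  # (pid, name) so a reused PID cannot mask a finding


def parse_listing(text: str) -> Dict[Key, Proc]:
    """Parse plugin output into {(pid, name): Proc}; header lines are skipped."""
    procs: Dict[Key, Proc] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, pid, ppid = m.group(1), int(m.group(2)), int(m.group(3))
        procs[(pid, name)] = Proc(pid, name, ppid)
    return procs


def cross_reference(pslist: Dict[Key, Proc], psscan: Dict[Key, Proc]) -> Dict[str, List[Proc]]:
    """Processes seen by only one view.

    scan_only: found by scanning but absent from the linked list; either the
               process has exited or its list entry was unlinked (hidden).
    list_only: in the linked list but not found by the scan; rare, usually a
               scan miss (e.g. overwritten pool memory) and worth a second look.
    """
    return {
        "scan_only": [psscan[k] for k in sorted(psscan) if k not in pslist],
        "list_only": [pslist[k] for k in sorted(pslist) if k not in psscan],
    }


def unexpected_parents(procs: Dict[Key, Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, actual parent name) for processes whose parent
    differs from the assumed baseline in EXPECTED_PARENT."""
    by_pid = {p.pid: p for p in procs.values()}
    findings = []
    for p in procs.values():
        want = EXPECTED_PARENT.get(p.name.lower())
        if want is None:
            continue
        parent = by_pid.get(p.ppid)
        actual = parent.name if parent else "<missing>"
        if actual.lower() != want:
            findings.append((p.pid, p.name, actual))
    return findings


def analyse(pslist_text: str = PSLIST_SAMPLE, psscan_text: str = PSSCAN_SAMPLE):
    """Run both checks over two listings and return the combined findings."""
    pslist, psscan = parse_listing(pslist_text), parse_listing(psscan_text)
    merged = {**pslist, **psscan}  # union of both views for the parent check
    return {"diff": cross_reference(pslist, psscan), "parents": unexpected_parents(merged)}


if __name__ == "__main__":
    result = analyse()
    for p in result["diff"]["scan_only"]:
        print(f"scan-only: pid={p.pid} {p.name} (exited or unlinked)")
    for pid, name, parent in result["parents"]:
        print(f"unexpected parent: pid={pid} {name} spawned by {parent}")
```

The scan-only entry is not proof of hiding on its own: psscan routinely turns up processes that exited after their pool memory was freed, so the creation time and thread count from the real plugin output decide whether the entry is a leftover or a live process that was unlinked. The parent check is the cheap complement for "signs of misconduct": a service host started by the desktop shell, as in the constructed sample, is a pattern worth pulling strings for.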

Malware Image

The malware image I am using in this article is a variant found by the Palo Alto PA-5000 series firewall [5] on a Windows box in our network, which was sent for further investigation to a sandbox that Palo Alto uses for such cases. Moments later, I received an email telling me that malware had been discovered by Palo Alto WildFire analysis [6].

WildFire identifies unknown malware, zero-day exploits, and advanced persistent threats by executing them directly in a scalable, cloud-based, virtual sandbox environment. The report, which goes into detail about what the malware has done, gave me a link to VirusTotal [7], used to score the executable for maliciousness, along with a

...