Transcript of the Sempersol Consultancy (P) Ltd. Memory Forensics Poster (source PDF: blog.synsysit.com/wp-content/uploads/2016/03/syn_volatilty.pdf)
Sempersol Consultancy (P) Ltd. Memory Forensics Poster
Find the KDBG structure and get the profile information [imageinfo]
Identify rogue processes running [pslist]
Identify hidden processes
[psxview]
Identify network activity of the suspicious process [netscan on Vista and later; connections, sockets, connscan, sockscan on Windows XP/2003]
Check loaded DLLs [dlllist]
Check for code injection [malfind]
Identify hidden modules
[ldrmodules]
Find rootkit activity (SSDT hooks) [ssdt]
Find process hollowing (compare each process's VAD entries against the image it claims to run) [vadinfo]
Find suspicious driver callbacks [callbacks]
Explore in depth manually with volshell [volshell]
Dump the suspicious sample [procdump, moddump, dlldump, vaddump]
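The poster's plugin sequence, driven end to end by one script. This is an added example, not part of the poster or of the Volatility project. It assumes Volatility 2.x is installed as `vol.py` on PATH (override with the `VOL` environment variable), picks the network plugins from the OS family named in the suggested profile, and uses a constructed `imageinfo` excerpt (`SAMPLE_IMAGEINFO`) only to show what the profile parser expects; the dump stage runs only when a suspicious PID is passed as the third argument.

```shell
#!/bin/sh
# Added example: Volatility 2 triage driver following the poster's plugin order.
# Assumptions: vol.py on PATH (or VOL=/path/to/vol.py), one output file per plugin.
set -eu

VOL="${VOL:-vol.py}"

# Constructed imageinfo excerpt (not real output from any case), used by the
# self-test below to show the line suggested_profile() parses.
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64 (Instantiated with Win7SP1x64)
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)'

# Extract the first profile from the "Suggested Profile(s)" line read on stdin.
# Prints nothing when imageinfo reports "No suggestion" (no KDBG match).
suggested_profile() {
    sp=$(sed -n 's/^[[:space:]]*Suggested Profile(s)[[:space:]]*:[[:space:]]*//p' \
        | head -n 1 | cut -d, -f1 | cut -d' ' -f1)
    case "$sp" in
        ""|No) return 0 ;;
        *)     printf '%s\n' "$sp" ;;
    esac
}

# Network plugins depend on the OS family: netscan covers Vista and later,
# XP/2003 need connections/sockets plus their pool scanners.
net_plugins() {
    case "$1" in
        WinXP*|Win2003*) echo "connections sockets connscan sockscan" ;;
        *)               echo "netscan" ;;
    esac
}

# The poster's enumeration sequence with the OS-specific network step spliced in.
triage_plugins() {
    echo "pslist psxview $(net_plugins "$1") dlllist malfind ldrmodules ssdt callbacks"
}

# run_plugin IMAGE PROFILE PLUGIN OUTDIR: save stdout to OUTDIR/<plugin>.txt.
# A failing plugin is logged but does not stop the rest of the sequence.
run_plugin() {
    if "$VOL" -f "$1" --profile="$2" "$3" >"$4/$3.txt" 2>"$4/$3.err"; then
        echo "[+] $3 -> $4/$3.txt"
    else
        echo "[-] $3 failed, see $4/$3.err" >&2
    fi
}

# triage IMAGE OUTDIR [PID]: profile detection, enumeration plugins, then the
# dump plugins for the suspicious process if a PID was given.
triage() {
    img="$1"; outdir="$2"; pid="${3:-}"
    mkdir -p "$outdir"
    "$VOL" -f "$img" imageinfo >"$outdir/imageinfo.txt"
    prof=$(suggested_profile <"$outdir/imageinfo.txt")
    if [ -z "$prof" ]; then
        echo "imageinfo suggested no profile; locate the KDBG with kdbgscan" >&2
        return 1
    fi
    echo "[*] profile: $prof"
    for plugin in $(triage_plugins "$prof"); do
        run_plugin "$img" "$prof" "$plugin" "$outdir"
    done
    if [ -n "$pid" ]; then
        mkdir -p "$outdir/dump_$pid"
        "$VOL" -f "$img" --profile="$prof" vadinfo -p "$pid" >"$outdir/vadinfo_$pid.txt"
        for dumper in procdump dlldump vaddump; do
            "$VOL" -f "$img" --profile="$prof" "$dumper" -p "$pid" -D "$outdir/dump_$pid" \
                || echo "[-] $dumper failed for PID $pid" >&2
        done
    fi
}

# Usage: VOL=/opt/volatility/vol.py sh triage.sh memory.raw out/ [PID]
if [ $# -ge 2 ]; then
    triage "$1" "$2" "${3:-}"
fi
```

Run the enumeration pass first, read `psxview`, `malfind` and `ldrmodules` output to pick the suspicious PID, then rerun with that PID to collect the `vadinfo` listing and the dumped process, DLLs and VAD regions for static analysis.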
Load the winpmem driver with the option -l (this exposes the \\.\pmem device for live analysis)
Point Rekall at live memory with the file option: rekal -f \\.\pmem
Run plugins directly by typing the plugin name
Use info to get the detailed list of available plugins