Performing Memory Analysis
Endpoint security is part of an organization's threat domain. A compromised endpoint gives attackers a foothold that bypasses perimeter defenses, and it is usually the medium of attack on a network, serving as a hideout for backdoors. The majority of malware attacks memory and only a few attack the disk, which has brought a significant shift toward memory analysis.
For example, an employee's laptop may be compromised at home (perhaps their children visited a malicious site) or at a local coffee shop, and the adversary then finds a way right into the juicy middle of our enterprise.
Memory analysis is widely used by threat hunters and forensic analysts to perform malware analysis. It involves analyzing the dumped memory image of an infected victim/target system. Malware analysis is the process of determining the functionality, origin and potential impact of a given malware sample. Memory analysis is a must-have skill for any investigative analyst, whether in intelligence or forensics. It helps the analyst understand the different processes and services running on a victim machine, and gives a better understanding of the events on the system, malicious or not, at the time the memory was dumped.
To perform memory analysis, the memory must first be imaged bit-by-bit. This can be done using different tools such as FTK, Autopsy and DumpIT. After imaging, analysis follows with the use of different tools such as Volatility and Redline. To analyze the memory effectively, the following knowledge and skills are valuable:
• Identify core operating system processes
• Know their legitimate execution path
• Understand parent-child processes
• Detect anomalies such as:
  - Wrong parent-child processes
  - Misspelling
  - Wrong extension
  - Wrong execution path
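The four anomaly checks listed above can be applied mechanically to a process listing exported from a memory image. The following is an added example, not code from the original article: the baseline is a small illustrative subset of core Windows processes on a default install on C:, and the sample rows are constructed.

```python
from difflib import get_close_matches

# Small illustrative baseline: name -> (expected parent, expected image path).
# Assumes a default Windows install on C:; extend it for your environment.
BASELINE = {
    "smss.exe":     ("system",       r"c:\windows\system32\smss.exe"),
    "services.exe": ("wininit.exe",  r"c:\windows\system32\services.exe"),
    "lsass.exe":    ("wininit.exe",  r"c:\windows\system32\lsass.exe"),
    "svchost.exe":  ("services.exe", r"c:\windows\system32\svchost.exe"),
}

# Constructed sample rows (pid, ppid, name, path), shaped like a process
# listing exported from a memory image. Not real case data.
SAMPLE = [
    (4,    0,    "System",       ""),
    (300,  4,    "smss.exe",     r"C:\Windows\System32\smss.exe"),
    (480,  392,  "wininit.exe",  r"C:\Windows\System32\wininit.exe"),
    (600,  480,  "services.exe", r"C:\Windows\System32\services.exe"),
    (612,  480,  "lsass.exe",    r"C:\Windows\System32\lsass.exe"),
    (900,  600,  "svchost.exe",  r"C:\Windows\System32\svchost.exe"),
    (2100, 3300, "svchost.exe",  r"C:\Windows\System32\svchost.exe"),
    (2200, 600,  "svchost.exe",  r"C:\Users\Public\svchost.exe"),
    (2300, 3300, "scvhost.exe",  r"C:\Windows\System32\scvhost.exe"),
    (2400, 3300, "lsass.scr",    r"C:\Windows\System32\lsass.scr"),
    (3300, 3000, "explorer.exe", r"C:\Windows\explorer.exe"),
]

def find_anomalies(rows):
    # Map pid -> name so each row's parent can be resolved from its ppid.
    names = {pid: name.lower() for pid, _, name, _ in rows}
    findings = []
    for pid, ppid, name, path in rows:
        name, path = name.lower(), path.lower()
        parent = names.get(ppid, "<exited>")
        if name in BASELINE:
            want_parent, want_path = BASELINE[name]
            if parent != want_parent:
                findings.append((pid, "wrong parent", parent))
            if path != want_path:
                findings.append((pid, "wrong path", path))
        elif name.rpartition(".")[0] + ".exe" in BASELINE:
            findings.append((pid, "wrong extension", name))
        else:  # near-miss of a core process name, e.g. transposed letters
            close = get_close_matches(name, BASELINE, n=1, cutoff=0.8)
            if close:
                findings.append((pid, "misspelling of " + close[0], name))
    return findings

if __name__ == "__main__":
    print(*find_anomalies(SAMPLE), sep="\n")
```

Each finding is a lead to examine further in the memory image, not a verdict on its own.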
Basic Processes in Windows
Best tools for analysis