This page contains some information and links for In-Memory Malware Analysis course.
In case of any questions, don't hesitate to contact me at vaclav.lorenc-at-gmail.com.
| Material | Description |
| --- | --- |
| In-Memory Analysis (text) | A brief introduction to reverse engineering and memory forensics (English). |
| In-Memory Analysis (slides) | Handouts for this course, temporarily available in Czech only. |
| In-Memory Analysis (tools) | A bootstrap folder structure with Volatility Framework and other tools. Unzip the file (if you know how, edit your %PATH% variable to contain the \bin folder). |
Most of the memory images here can be found and downloaded from the Volatility Framework page. Download each file into your \images folder (it is part of the unzipped folder structure from the previous step).
| Memory image | Description |
| --- | --- |
| Infected WinXP | A very basic Windows XP system, easy to analyze. |
| Zeus (older version) | Windows XP infected with Zeus. |
| Zeus (newer version) | Windows XP infected with a newer version of Zeus. |
| SpyEye (keylogger) | A host infected with SpyEye. |
| DarkComet (keylogger) | A memory image of a host infected with DarkComet. Due to its size, this memory image is zipped. |
| Bob! Detailed Forensics | Memory image to test your forensic skills (foremost can help you; be careful with dumped files). |
| Tool / resource | Description |
| --- | --- |
| Volatility Framework | Powerful open source tool for memory analysis with a command-line interface. Python powered. |
| Rekall Memory Forensic Framework | Completely open collection of tools for the collection and extraction of digital artifacts from memory. Python powered. |
| Mandiant Redline | Free (not open source) memory forensic tool with a nice GUI and decent forensic capabilities. Windows only; requires the latest .NET Framework. |
| Reverse Engineering for Beginners | Excellent and free material for everyone who wants to dive into reverse engineering. Incredible stuff! |
| SANS DFIR Memory Forensics Poster | A poster with an overview of memory forensics tools, workflows, commands and internals. |
Your homework is as easy as forensic analysis. Ok, way easier :) Analyse the image below, write a report and summarize your findings in such a way that I could reproduce your analysis step by step. Use all the tools we used in class, but only if you can work in a safe environment (VMware, VirtualBox or a Unix-based OS). If not, don't dump any files from the memory image, especially if you don't trust your AV. Stay safe and keep your computer clean. If you want to perform a more detailed analysis, you are cordially invited to do so.
I also promised to provide you with a sample report.
| Memory image | Description |
| --- | --- |
| Your Homework | Memory image to test your skills (big warning here -- be careful with dumped files!). |