Hyrje
Memory forensics examines the contents of a system's RAM to find artifacts that never touch disk.
Teoria
Fileless malware, running processes, network connections, loaded DLLs, open handles, credentials cached in memory, and encryption keys all live in RAM and are typically gone after a reboot. Capturing a full RAM image while the system is still running — via WinPMem, DumpIt or LiME on Linux — gives the analyst a frozen snapshot of everything the OS knows about itself at that instant.
The standard analysis framework is Volatility (now Volatility 3), an open-source Python tool maintained by the Volatility Foundation. Volatility parses the memory image using plugins: pslist and psscan to list processes, netscan for connections, cmdline for command lines, hashdump for local password hashes, malfind to find injected code regions, and dozens more. Each plugin walks the OS-specific data structures inside the memory image.
Because kernel structures change between Windows and Linux versions, Volatility relies on "symbol tables" that describe each supported OS. Modern Volatility 3 uses a rich symbol format that can be automatically generated for a specific kernel build. Memory forensics has a steep learning curve but is unmatched for detecting stealthy attackers who go out of their way to leave no disk footprint.
Mjetet
Mjete:
- Volatility 3 — analizë RAM cross-platform.
- Rekall (inactive por ende i përdorur).
winpmem,dumpit,LiME(Linux) — acquisition.
Praktika
Kapje e RAM-it në Linux:
insmod lime.ko "path=/evidence/mem.lime format=lime"Analizë me Volatility 3:
vol -f mem.lime linux.pslist
vol -f mem.lime linux.bash
vol -f mem.lime linux.malfind Ushtrime
- Kap RAM-in e një VM Linux dhe gjej procesin me komandën më të fundit në bash history.
- Gjej një reverse shell të injektuar (preferohet lab PoC).
Burime
- Volatility Foundation docs.
- SANS FOR526 — Memory Forensics.
Vlerësimet dhe komentet
Kyçu për të lënë një vlerësim.
Ende pa komente. Bëhu i pari!
Diskutime
Ende pa diskutime. Hap një temë të re