I gave a talk for WiCyS about how I got into #dfir as well as some tips for people who are newly trying to break into this field you can still watch it on demand: https://www.brighttalk.com/webcast/17216/575705?utm_campaign=google-calendar&utm_source=brighttalk-portal&utm_medium=calendar

#memoryforensics #infosec #malware

We are excited to announce the return of @volexity Cyber Sessions! Our next #meetup will be May 10 @ 6:30PM. Come listen as @tlansec & @attrc share their talks on #threatintel, #dfir & #memoryforensics. Doors open at 6:30PM. There is limited seating so reserve your spot now! https://www.meetup.com/volexity-cyber-sessions/events/291852488/

The 2022 Volatility Plugin Contest results are in!

The Volatility #PluginContest First Place winner is:
Felix Guyard for the suite of plugins (Prefetch, Inodes , AnyDesk) & VolWeb UI

Read the full contest results: https://volatility-labs.blogspot.com/2023/02/the-2022-volatility-plugin-contest-results.html

Congratulations to all winners! And thank you to all participants!

#DFIR #memoryforensics

Surprising, but I am unable to find unstripped kernel debug images for Rocky Linux. Does RHEL not make unstripped debugging images available? That's a problem for Volatility3.

Not so much an issue for me right now because this is for a lab and I can just switch to Debian. But it doesn't bode well for memory forensics on modern RedHat OSes.

#Linux #Volatility #MemoryForensics #RedHat

Tune in NOW to hear from our own Marcus Guevara "Is Dead Memory Analysis Dead? Finding Infected Systems through Live Memory Analysis"

#CactusCon #CC11 #infosec #DFIR #MemoryForensics

A brief walk back in time on the progression of #MemoryForensics and capture by @msuiche.

I personally still love a full memory dump, but that's getting so much harder as the size of RAM gets massive.

#DFIR #IncidentResponse

https://www.magnetforensics.com/blog/full-memory-crash-dumps-vs-raw-dumps-which-is-best-for-memory-analysis-for-incident-response/

The first anchored narrative of 2023 has just been released! This time it is quite an explosive one of an in-depth malware forensic follow-up on the famous Bhima Koregaon case, where a nation-state threat actor named #ModifiedElephant planted evidence on the computers of several activists in India and; as a result, have been put in jail. In this anchored narrative, the latest report V from Arsenal Consulting will be covered as well as their #MemoryForensics techniques they applied to reconstruct the uploading of incriminating documents to the computer of an 84-year-old Jesuit Priest, Father Stan Swamy. I was interviewed to review that case by award-winning journalist Niha Masih from The Washington Post. From her, I received court documents detailing the forensics of Mr. Rona Wilson. In those documents, I found an unreported and unidentified piece of malware by the Regional Forensic Science Laboratory in Pune dating back to 2017. This is a horrifying case of poor digital forensics performed by the government and a red flag for our forensic community.

In short, a must-read!

https://anchorednarratives.substack.com/p/the-trojan-solved-the-bhima-koregaon

#DFIR #MemoryForensics #APT #Malware #investigations #Humanrights #innocenceproject #bhimakoregaon @hegel @SentinelLabs @nihamasih @agreenberg @citizenlab @washingtonpost

Somebody just uploaded a decent video explaining the differences between simple DLL injection (loading injected code from disk, easily detected by Sysmon/EDR) versus reflective injection (injecting code directly from memory, slightly stealthier) into a victim process.

Either of these, easily detected by tools like Volatility's malfind plugin, or my new favorite, MemProcFS' findevil by @UlfFrisk

https://www.youtube.com/watch?v=IX0qUTbXNog

#DFIR #MemoryForensics #ThreatHunting

🦖Day 86 of the
@velocidex
#velociraptor #ArtifactsOfAutumn series

Artifact: Windows.Memory.Acquisition

Link: https://docs.velociraptor.app/artifact_references/pages/windows.memory.acquisition

----

This artifact leverages Winpmem to acquire a full memory image of the endpoint.

While it is ideals to process and filter data as quickly as possible on the endpoint, in certain instances it may still be beneficial or necessary to obtain a copy of the endpoint's physical memory.

----

This artifact could also be used in conjunction with the offline collector to obtain a memory image with a triage binary as opposed to requiring a client to be connected to the Velociraptor server.

The image could then be processed with your favorite memory analysis framework.

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#MemoryForensics

If you are in #DFIR and do spend time on #memoryforensics, its my suggestion to use multiple existing tools at the same time. Don't depend on only 1 tool.

I continually find myself using Volatility 2 & 3 on the same image as and when required and sometimes MemProcFS too.

Also emphasize more on learning the concept about how memory is used by OS, how processes use memory etc.. instead of blindly relying on the tool.

The idea here is be strong on the fundamentals.

Spend as much time as possible on experimenting. Build VMs, collect & analyze memory from different OS.

That way you will appreciate the features of the framework you use and also *most importantly* learns its limitations.

Also if anyone is familiar with python, spend some time reading the code in Vol2 & Vol3 github repos. You might get great insight into how the output you see is extracted. That way you get exposed to different data structures which the OS uses to maintain critical data

RT @_abhiramkumar@twitter.com

If you are in #DFIR and do spend time on #memoryforensics, its my suggestion to use multiple existing tools at the same time. Don't depend on only 1 tool.

I continually find myself using Volatility 2 & 3 on the same image as and when required and sometimes MemProcFS too.

1/4

🐦🔗: https://twitter.com/_abhiramkumar/status/1602353566236057600

Day 11 - Memory Forensics !!
Super excited for this one.

#AdventOfCyber2022 #adventofcyber #tryhackme #infosec #cyber #holidayhackchallenges #memoryforensics

https://tryhackme.com/christmas

As if MemProcFS by @UlfFrisk wasn't already a game changer, I just discovered MemProcFS-Analyzer which wraps a TON of automated analysis around a mounted memory image! :mind_blown:​

#DFIR #MemoryForensics

RT @Evild3ad79@twitter.com

Just released MemProcFS-Analyzer v0.7 with a lot of nice new features: User Interface, Pagefile Support, Zircolite vs. EVTX, Properties View, and much more! https://github.com/evild3ad/MemProcFS-Analyzer @waggabat@twitter.com #MemProcFS #MemoryForensics #DFIR

🐦🔗: https://twitter.com/Evild3ad79/status/1594581638348001281

RT @volatility@twitter.com

Don't miss your chance to submit an entry to the 10th annual @volatility@twitter.com #PluginContest! Gain visibility for your work and win cash prizes! The submission deadline is 31 December 2022.

Read the contest announcement here: https://volatility-labs.blogspot.com/2022/07/the-10th-annual-volatility-plugin-contest.html

#dfir #memoryforensics

🐦🔗: https://twitter.com/volatility/status/1592953506616422400

Spyware Hunters Are Expanding Their Toolset

https://www.wired.com/story/spyware-hunting-tools-mac-pc-black-hat/

#Security/CyberattacksandHacks #vulnerabilities #MemoryForensics #cybersecurity #Security #security #blackhat #malware