Jamie Levy 🦉 · @gleeda
849 followers · 216 posts · Server infosec.exchange

I gave a talk for WiCyS about how I got into as well as some tips for people who are newly trying to break into this field you can still watch it on demand: brighttalk.com/webcast/17216/5

#dfir #MemoryForensics #infosec #malware

Last updated 2 years ago

volexity · @volexity
283 followers · 17 posts · Server infosec.exchange

We are excited to announce the return of @volexity Cyber Sessions! Our next will be May 10 @ 6:30PM. Come listen as @tlansec & @attrc share their talks on , & . Doors open at 6:30PM. There is limited seating so reserve your spot now! meetup.com/volexity-cyber-sess

#meetup #threatintel #dfir #MemoryForensics

Last updated 2 years ago

volatility · @volatility
68 followers · 2 posts · Server infosec.exchange

The 2022 Volatility Plugin Contest results are in!

The Volatility First Place winner is:
Felix Guyard for the suite of plugins (Prefetch, Inodes , AnyDesk) & VolWeb UI

Read the full contest results: volatility-labs.blogspot.com/2

Congratulations to all winners! And thank you to all participants!

#plugincontest #dfir #MemoryForensics

Last updated 2 years ago

Hal Pomeranz · @hal_pomeranz
1802 followers · 1398 posts · Server infosec.exchange

Surprising, but I am unable to find unstripped kernel debug images for Rocky Linux. Does RHEL not make unstripped debugging images available? That's a problem for Volatility3.

Not so much an issue for me right now because this is for a lab and I can just switch to Debian. But it doesn't bode well for memory forensics on modern RedHat OSes.

#linux #volatility #MemoryForensics #redhat

Last updated 2 years ago

Recon InfoSec · @recon_infosec
568 followers · 44 posts · Server infosec.exchange
Josh Lemon · @joshlemon
123 followers · 25 posts · Server infosec.exchange

A brief walk back in time on the progression of and capture by @msuiche.

I personally still love a full memory dump, but that's getting so much harder as the size of RAM gets massive.

magnetforensics.com/blog/full-

#MemoryForensics #dfir #incidentresponse

Last updated 2 years ago

Robert Jan Mora · @robertjanm
9 followers · 9 posts · Server infosec.exchange

The first anchored narrative of 2023 has just been released! This time it is quite an explosive one of an in-depth malware forensic follow-up on the famous Bhima Koregaon case, where a nation-state threat actor named  planted evidence on the computers of several activists in India and, as a result, have been put in jail. In this anchored narrative, the latest report V from Arsenal Consulting will be covered as well as their techniques they applied to reconstruct the uploading of incriminating documents to the computer of an 84-year-old Jesuit Priest, Father Stan Swamy. I was interviewed to review that case by award-winning journalist Niha Masih from The Washington Post. From her, I received court documents detailing the forensics of Mr. Rona Wilson. In those documents, I found an unreported and unidentified piece of malware by the Regional Forensic Science Laboratory in Pune dating back to 2017. This is a horrifying case of poor digital forensics performed by the government and a red flag for our forensic community.

In short, a must-read!

anchorednarratives.substack.co

@hegel @SentinelLabs @nihamasih @agreenberg @citizenlab @washingtonpost

#ModifiedElephant #MemoryForensics #dfir #apt #malware #investigations #humanrights #InnocenceProject #bhimakoregaon

Last updated 2 years ago

Eric Capuano · @eric_capuano
2268 followers · 403 posts · Server infosec.exchange

Somebody just uploaded a decent video explaining the differences between simple DLL injection (loading injected code from disk, easily detected by Sysmon/EDR) versus reflective injection (injecting code directly from memory, slightly stealthier) into a victim process.

Either of these is easily detected by tools like Volatility's malfind plugin, or my new favorite, MemProcFS' findevil by @UlfFrisk

youtube.com/watch?v=IX0qUTbXNo

#dfir #MemoryForensics #threathunting

Last updated 2 years ago

Wes Lambert · @weslambert
372 followers · 48 posts · Server infosec.exchange

🦖Day 86 of the @velocidex series

Artifact: Windows.Memory.Acquisition

Link: docs.velociraptor.app/artifact

----

This artifact leverages Winpmem to acquire a full memory image of the endpoint.

While it is ideal to process and filter data as quickly as possible on the endpoint, in certain instances it may still be beneficial or necessary to obtain a copy of the endpoint's physical memory.

----

This artifact could also be used in conjunction with the offline collector to obtain a memory image with a triage binary as opposed to requiring a client to be connected to the Velociraptor server.

The image could then be processed with your favorite memory analysis framework.

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#velociraptor #artifactsofautumn #dfir #forensics #infosec #MemoryForensics

Last updated 2 years ago

Abhiram Kumar · @abhiramkumar
3 followers · 2 posts · Server infosec.exchange

If you are in and do spend time on , it's my suggestion to use multiple existing tools at the same time. Don't depend on only 1 tool.

I continually find myself using Volatility 2 & 3 on the same image as and when required and sometimes MemProcFS too.

Also emphasize more on learning the concept about how memory is used by OS, how processes use memory etc. instead of blindly relying on the tool.

The idea here is be strong on the fundamentals.

Spend as much time as possible on experimenting. Build VMs, collect & analyze memory from different OS.

That way you will appreciate the features of the framework you use and also *most importantly* learn its limitations.

Also if anyone is familiar with python, spend some time reading the code in Vol2 & Vol3 github repos. You might get great insight into how the output you see is extracted. That way you get exposed to different data structures which the OS uses to maintain critical data

#dfir #MemoryForensics

Last updated 2 years ago

Antonio Sanz · @antoniosanzalc
248 followers · 200 posts · Server infosec.exchange

RT @_abhiramkumar@twitter.com

If you are in and do spend time on , it's my suggestion to use multiple existing tools at the same time. Don't depend on only 1 tool.

I continually find myself using Volatility 2 & 3 on the same image as and when required and sometimes MemProcFS too.

1/4

πŸ¦πŸ”—: twitter.com/_abhiramkumar/stat

#dfir #MemoryForensics

Last updated 2 years ago

Eric Capuano · @eric_capuano
1651 followers · 189 posts · Server infosec.exchange

As if MemProcFS by @UlfFrisk wasn't already a game changer, I just discovered MemProcFS-Analyzer which wraps a TON of automated analysis around a mounted memory image! :mind_blown:

#dfir #MemoryForensics

Last updated 2 years ago

Antonio Sanz · @antoniosanzalc
218 followers · 112 posts · Server infosec.exchange

RT @Evild3ad79@twitter.com

Just released MemProcFS-Analyzer v0.7 with a lot of nice new features: User Interface, Pagefile Support, Zircolite vs. EVTX, Properties View, and much more! github.com/evild3ad/MemProcFS- @waggabat@twitter.com

πŸ¦πŸ”—: twitter.com/Evild3ad79/status/

#memprocfs #MemoryForensics #dfir

Last updated 2 years ago

buherator · @buherator
500 followers · 314 posts · Server infosec.exchange

RT @volatility@twitter.com

Don't miss your chance to submit an entry to the 10th annual @volatility@twitter.com ! Gain visibility for your work and win cash prizes! The submission deadline is 31 December 2022.

Read the contest announcement here: volatility-labs.blogspot.com/2

πŸ¦πŸ”—: twitter.com/volatility/status/

#plugincontest #dfir #MemoryForensics

Last updated 2 years ago

Tech News Worldwide · @TechNews
11284 followers · 97990 posts · Server aspiechattr.me