Originally posted by DEF CON / @defcon@twitter.com: https://twitter.com/gleeda/status/1663691896579923969#m
RT by @defcon: I am happy to announce that I will be giving a training at @defcon this summer on Windows Memory Forensics!
"Some experiments with Process Hollowing" by Frank Block
Process Hollowing is a technique used by various malware families (such as FormBook, TrickBot and Agent Tesla) to hide their malicious code within a benign-appearing process. The typical workflow for setting up such a hollowed process is as follows: Create a new process (victim) using a benign executable, in suspended state. Unmap the executabl…
#Breaking, #incidentanalysis, #injection, #malware, #memoryforensics
https://insinuator.net/2022/09/some-experiments-with-process-hollowing/
RT @volatility@twitter.com
The 10th annual @volatility@twitter.com #PluginContest is officially OPEN! Gain visibility for your work and have a chance to win cash prizes! Submission deadline: 31 December 2022. Read the contest announcement here: https://volatility-labs.blogspot.com/2022/07/the-10th-annual-volatility-plugin-contest.html
🐦🔗: https://twitter.com/volatility/status/1544413047141318659
#PluginContest #dfir #memoryforensics
"Release of PTE Analysis plugins for Volatility 3" by Frank Block
I’m happy to announce the release of several plugins for Volatility 3 that allow you to dig deeper into the memory analysis. One of those plugins is PteMalfind, which is essentially an improved version of malfind. Another one is PteResolve which, similarly to the WinDBG command !pte, allows you to inspect Page Table Entry (PTE) […]
#Building, #forensics, #malware, #memoryforensics, #Windows
https://insinuator.net/2021/12/release-of-pte-analysis-plugins-for-volatility-3/