Malware memory analysis for non-specialists – Investigating publicly available memory image for the Stuxnet worm


Authors
  1. Carbone, R.
Corporate Authors
Defence Research and Development Canada, Valcartier Research Centre, Quebec QC (CAN)
Abstract
This report examines how an investigator can analyse an infected Windows® memory dump. The author shows how to carry out such an analysis with Volatility and other investigative tools, including data carving utilities and anti-virus scanners. Volatility is a popular and actively developed open-source memory analysis framework, on which the author has built a memory-specific methodology intended to aid novice memory analysts. The author examines how Volatility can be used to find evidence and indicators of infection. This report is the fourth in a series on memory analysis of Windows malware; this instalment examines a memory image infected with the Stuxnet worm.
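The abstract mentions indicators of infection and rootkit behaviour without showing what such an indicator looks like in Volatility output. The following is an added example written for this page, not code from the report or from the Volatility project. It implements the cross-view check that memory analysts routinely apply: compare the processes Volatility's `pslist` reports (walked from the kernel's linked list of `_EPROCESS` blocks) against those `psscan` reports (found by scanning physical memory for `_EPROCESS` structures). A process that only the scan finds is either terminated or has been unlinked from the list, the latter being a classic rootkit hiding technique. The sample output below is constructed: the column layout is that of Volatility 2's text output, but every PID, offset, name and timestamp is invented and is not data from the Stuxnet image.

```python
"""Cross-view process check over Volatility 2 pslist/psscan text output.

Added illustration for this page; not code from the report or from
Volatility. Assumes the whitespace-separated column layout that
Volatility 2 prints. Sample output is constructed (invented values).
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Constructed pslist output: columns are
# Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x81f00a00 System                    4      0     55      300 ------      0
0x81e7b020 smss.exe                376      4      3       19 ------      0 2013-01-15 09:02:11 UTC+0000
0x81e5c8a0 csrss.exe               600    376     11      390      0      0 2013-01-15 09:02:12 UTC+0000
0x81e4a5c8 winlogon.exe            624    376     19      560      0      0 2013-01-15 09:02:12 UTC+0000
0x81dd1da0 lsass.exe               680    624     19      340      0      0 2013-01-15 09:02:13 UTC+0000
"""

# Constructed psscan output: columns are
# Offset(P) Name PID PPID PDB "Time created" "Time exited"
# PID 1200 is present here but missing from pslist and has no exit time
# (the hiding indicator); PID 1500 is missing from pslist but exited.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001f00a00 System                4      0 0x00039000
0x0000000001e7b020 smss.exe            376      4 0x0a100020 2013-01-15 09:02:11 UTC+0000
0x0000000001e5c8a0 csrss.exe           600    376 0x0a2a0040 2013-01-15 09:02:12 UTC+0000
0x0000000001e4a5c8 winlogon.exe        624    376 0x0a3c0060 2013-01-15 09:02:12 UTC+0000
0x0000000001dd1da0 lsass.exe           680    624 0x0a4e0080 2013-01-15 09:02:13 UTC+0000
0x00000000019f4020 svchost.exe        1200    680 0x0a9c0200 2013-01-15 09:05:40 UTC+0000
0x0000000001c3e5a0 notepad.exe        1500    624 0x0b1e0120 2013-01-15 09:10:02 UTC+0000 2013-01-15 09:12:30 UTC+0000
"""


@dataclass
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    exited: Optional[str]  # exit timestamp if the process has terminated


def _data_rows(output: str) -> Iterator[List[str]]:
    """Yield whitespace-split data rows, skipping header and separator lines."""
    for line in output.splitlines():
        if not line.strip() or line.startswith("Offset") or line.startswith("---"):
            continue
        yield line.split()


def parse_pslist(output: str) -> Dict[int, Proc]:
    """Key pslist rows by PID. Start/exit timestamps are three tokens each
    (date, time, zone), so an exit time only exists when 14 tokens are present."""
    procs: Dict[int, Proc] = {}
    for t in _data_rows(output):
        exited = " ".join(t[11:14]) if len(t) >= 14 else None
        procs[int(t[2])] = Proc(t[0], t[1], int(t[2]), int(t[3]), exited)
    return procs


def parse_psscan(output: str) -> Dict[int, Proc]:
    """Key psscan rows by PID. Created/exited timestamps follow the PDB column,
    so an exit time only exists when 11 tokens are present."""
    procs: Dict[int, Proc] = {}
    for t in _data_rows(output):
        exited = " ".join(t[8:11]) if len(t) >= 11 else None
        procs[int(t[2])] = Proc(t[0], t[1], int(t[2]), int(t[3]), exited)
    return procs


def find_hidden(pslist: Dict[int, Proc], psscan: Dict[int, Proc]) -> List[Proc]:
    """Processes the scan finds that the list walk misses and that have not exited.
    Keying on PID is pragmatic rather than exact (PIDs can be reused); pslist's
    physical-offset option would allow keying on offset instead."""
    return sorted(
        (p for pid, p in psscan.items() if pid not in pslist and p.exited is None),
        key=lambda p: p.pid,
    )


def find_terminated_only(pslist: Dict[int, Proc], psscan: Dict[int, Proc]) -> List[Proc]:
    """Scan-only processes that carry an exit time: stale, not hidden."""
    return sorted(
        (p for pid, p in psscan.items() if pid not in pslist and p.exited is not None),
        key=lambda p: p.pid,
    )


if __name__ == "__main__":
    listed, scanned = parse_pslist(PSLIST_OUTPUT), parse_psscan(PSSCAN_OUTPUT)
    for p in find_hidden(listed, scanned):
        print(f"HIDDEN?  pid={p.pid} ppid={p.ppid} {p.name} at {p.offset}")
    for p in find_terminated_only(listed, scanned):
        print(f"exited   pid={p.pid} {p.name} (exited {p.exited})")
```

The same differencing idea extends to other Volatility list-versus-scan pairs (for example loaded kernel modules), and a hit from it is a lead to follow with module or process dumping and a virus scanner over the dumped files, not proof of infection on its own.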
Keywords
antivirus;anti-virus;computer forensics;digital forensics;digital forensic investigations;forensics;infection;malware;memory analysis;memory image;rootkit;scanners;stuxnet;virus scanner;volatility;Windows;worm
Report Number
DRDC-RDDC-2013-R1 — Scientific Report
Date of publication
01 Nov 2013
Number of Pages
122
DSTKIM No
CA038540
CANDIS No
538612
Format(s):
Electronic Document (PDF)
