Malware memory analysis for non-specialists – Investigating publicly available memory image for the Tigger Trojan horse

PDF

Authors
  1. Carbone, R.
Corporate Authors
Defence Research and Development Canada, Valcartier Research Centre, Quebec QC (CAN)
Abstract
This report examines how a computer forensic investigator can effectively analyse an infected Windows memory dump. The author investigates how to perform such an analysis using Volatility and other investigative tools, including data carving utilities and anti-virus scanners. Volatility is a popular and evolving open source-based memory analysis framework upon which the author’s previously proposed memory-specific methodology could be of aid to fellow novice memory analysts. The author examines how Volatility can be used to find evidence and indicators of infection. This report is the fifth in this series concerning Windows malware-based memory analysis. It examines a memory image infected with the Tigger/Syzor Trojan horse.

Il y a un résumé en français ici.

Keywords
antivirus;anti-virus;computer forensics;digital forensics;digital forensic investigations;forensics;infection;malware;memory analysis;memory image;rootkit;scanners;Syzor;Tigger;trojan horse;virus scanner;volatility;Windows
Report Number
DRDC-RDDC-2014-R28 — Scientific Report
Date of publication
01 Jun 2014
Number of Pages
142
DSTKIM No
CA039306
CANDIS No
800199
Format(s):
Electronic Document(PDF)

Permanent link

Document 1 of 1

Date modified: