Malware memory analysis for non-specialists – Investigating a publicly available memory image for the Zeus Trojan horse

Authors
  1. Carbone, R.
Corporate Authors
Defence R&D Canada - Valcartier, Valcartier QUE (CAN)
Abstract
This technical memorandum examines how an investigator can analyse a memory dump taken from a malware-infected Windows computer. The author investigates how to carry out such an analysis using Volatility and other investigative tools, including data carving utilities and anti-virus scanners. Volatility is a popular and actively developed open-source memory analysis framework. The author proposes a memory-specific methodology, based on a simple investigative process, to help fellow novice memory analysts. Once evidence or indicators of malware have been found, the author examines how Volatility can be used to carry the memory investigation forward. This technical memorandum is the first of a series of reports on memory analysis of Windows malware using Volatility and various malware scanners. This specific work examines a memory image infected with the Zeus Trojan horse.
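The investigative process the abstract describes starts by running Volatility's process-listing plugins over the image and looking for disagreement between them. As an added illustration (example code written for this page, not taken from the memorandum or from the Volatility project), the script below implements one such cross-view check: processes that appear in the pool-tag scan (`psscan`) but not in the kernel's linked process list (`pslist`), and processes whose parent is not the one expected in a Windows XP-era process tree. The listings, offsets, PIDs and process names are constructed for the example, and the text layout assumed is that of Volatility 2.x `pslist`/`psscan` output (offset, name, PID, PPID as the first four columns); the expected-parent map is an assumption for an XP-era system and must be adjusted for other Windows versions.

```python
"""Cross-view process check over Volatility 2.x pslist/psscan text output.

Example code added for this page; the listings below are constructed, not
taken from any real memory image, and the column layout assumed is that of
Volatility 2.x (offset, name, PID, PPID as the first four columns).
"""
import re
from dataclasses import dataclass

# Constructed sample of `vol.py -f image.vmem pslist` output (values invented).
PSLIST_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64
---------- -------------------- ------ ------ ------ -------- ------ ------
0x823c8830 System                    4      0     55      245 ------      0
0x82212da0 smss.exe                368      4      3       19 ------      0
0x82251020 csrss.exe               584    368     11      375      0      0
0x822d8020 winlogon.exe            608    368     18      516      0      0
0x82259020 services.exe            652    608     16      265      0      0
0x8225e020 lsass.exe               664    608     22      356      0      0
0x82246020 svchost.exe             824    652     20      194      0      0
0x8218e020 explorer.exe           1444   1400     11      368      0      0
0x821a3020 svchost.exe            1720   1444      2       32      0      0
"""

# Constructed sample of `vol.py -f image.vmem psscan` output: the same processes
# plus one ("sample.exe", invented) that is missing from the linked list.
PSSCAN_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created
------------------ ---------------- ------ ------ ---------- ------------
0x00000000023c8830 System                4      0 0x00319000
0x0000000002212da0 smss.exe            368      4 0x06bc0020
0x0000000002251020 csrss.exe           584    368 0x070a0040
0x00000000022d8020 winlogon.exe        608    368 0x07100060
0x0000000002259020 services.exe        652    608 0x07180080
0x000000000225e020 lsass.exe           664    608 0x071a00a0
0x0000000002246020 svchost.exe         824    652 0x071c00c0
0x000000000218e020 explorer.exe       1444   1400 0x07a000e0
0x00000000021a3020 svchost.exe        1720   1444 0x07b00100
0x0000000001f0a020 sample.exe         1988   1444 0x07c00120
"""

# Assumed parent/child relationships for a Windows XP-era process tree.
EXPECTED_PARENTS = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}

@dataclass(frozen=True)
class Proc:
    offset: int
    name: str
    pid: int
    ppid: int

_ROW = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")

def parse_process_table(text):
    """Parse offset, name, PID and PPID from a pslist/psscan listing.

    Banner, header and separator lines do not start with a hex offset and
    are skipped; extra columns after PPID are ignored.
    """
    procs = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            procs.append(Proc(int(m.group(1), 16), m.group(2),
                              int(m.group(3)), int(m.group(4))))
    return procs

def hidden_processes(pslist, psscan):
    """Processes seen by pool-tag scanning but absent from the linked list.

    Caveat: terminated processes whose EPROCESS blocks still sit in memory
    also show up only in psscan, so check its 'Time exited' column before
    calling a hit hidden.
    """
    listed = {(p.pid, p.name.lower()) for p in pslist}
    return [p for p in psscan if (p.pid, p.name.lower()) not in listed]

def unexpected_parents(procs, expected):
    """Return (process, actual parent name) pairs whose parent is not the expected one."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        want = expected.get(p.name.lower())
        if want is None:
            continue
        parent = by_pid.get(p.ppid)
        actual = parent.name.lower() if parent else None
        if actual != want:
            findings.append((p, actual))
    return findings

def triage(pslist_text, psscan_text, expected=EXPECTED_PARENTS):
    """Run both checks and return the findings as a dict."""
    pslist = parse_process_table(pslist_text)
    psscan = parse_process_table(psscan_text)
    return {
        "hidden": hidden_processes(pslist, psscan),
        "bad_parent": unexpected_parents(pslist, expected),
    }

if __name__ == "__main__":
    result = triage(PSLIST_SAMPLE, PSSCAN_SAMPLE)
    for p in result["hidden"]:
        print(f"only in psscan: {p.name} pid={p.pid} ppid={p.ppid}")
    for p, actual in result["bad_parent"]:
        print(f"unexpected parent: {p.name} pid={p.pid} parent={actual}")
```

On the constructed listings this reports `sample.exe` (PID 1988) as present only in `psscan`, and the second `svchost.exe` (PID 1720) as having `explorer.exe` rather than `services.exe` as its parent. Neither finding is proof of infection on its own; in the workflow the abstract describes they are the indicators that direct the follow-on Volatility plugins, carving and anti-virus scans at specific processes.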

A French-language summary is also available.

Report Number
DRDC-VALCARTIER-TM-2013-018 — Technical Memorandum
Date of publication
01 Apr 2013
Number of Pages
82
DSTKIM No
CA040030
CANDIS No
801024
Format(s):
Electronic Document(PDF)
