Analysis Keypoints

Analysis steps for memory image

  • Identify rogue processes

    • Analyse processes

      • Legitimate process?

      • Name spelled right?

      • Fits with system context?

    • Full path

      • Is the process executable in the usual place?

      • Is it running from user or temp directories?

    • Parent process

      • Is it as expected?

    • Command line

      • Does it have the right switches?

    • Start time

      • Was it started at boot or something else?

      • Did the process start close the time of a known incident?

    • Security ID

      • Does the SID make sense? Would a system process run with a user accounts’ SID?

  • Analysing process objects

    • DLLs

    • Handles

      • Files and directories

        • Look at occurrance of use. Malware files should, historically, be the least accessed files on the system

      • Registry

      • Events

      • Threads

      • Sockets

  • Network artifacts

    • Suspicious ports

      • out-of-the-ordinary ports

      • listening ports (backdoors)

    • Suspicious connections

      • Anything connecting out

      • Known bad-IPs

      • Creation time matching an incident

    • Suspicious processes

      • Should this process have networking capabilities?

  • Detecting code injection

    • Look for DLL injection and process hollowing

  • Rootkit detection

    • Not a big thing anymore, most AV does a good job at detecting this

    • Hides in

      • System service descriptor tables

      • Interrupt descriptor tables

      • Function import address tables

      • I/O request packets

  • Acquiring processes and drivers

    • Submit for reverse engineering or AV analysis

    • Review strings

      • add to bad-words list

PreviousVolatility PluginNextRegistry

Last updated