Please read chapter 2 of WFA, pp. 63-86, chapter 3 of WFA, pp. 89-124, and chapter 3 of MF, pp. 121-192.

Also, read the two Kornblum papers referenced on the class home page: "Identifying almost identical files using context triggered piecewise hashing" and "Using Every Part of the Buffalo in Windows Memory Analysis".

Memory analysis

Why look into memory?

As WFA summarizes,

MF on page 124 gives three primary reasons for memory analysis:
  1. Metadata (such as network connections) that malware or other malefactors might have associated with a process.
  2. Executable code, such as the above-mentioned decrypted executables.
  3. Real data, such as passwords, encryption keys, and usernames.

I would strongly add to this list the previously mentioned history component: trying to learn what a malefactor had done and how it was done.

MFFG in chapter 2 brings up:

  1. Filesystem data (particularly MFT entries)
  2. Hidden and obfuscated process data
  3. Registry information

How do we usefully look into a memory dump?

Processes in the Windows world

Parsing processes

Another tool that MF brings up on pp. 122-124 and pp. 132-144 is Volatility, a framework for analyzing memory images. One nonobvious and interesting facet of such tools is that they can sometimes recover data belonging to processes that have already terminated.
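To make the terminated-process point concrete, here is an added example (not code from MF, WFA, or the Volatility project) that contrasts walking the kernel's active-process list with carving every process record by its pool tag, the approach Volatility's psscan takes. The record layout, tag, and offsets below are hypothetical and far simpler than the real Windows _EPROCESS, and the memory image is constructed inline.

```python
import struct

# Hypothetical, simplified process record (NOT the real Windows _EPROCESS):
# 4-byte pool tag, 4-byte PID, 16-byte image name, 4-byte offset of the next
# record in the active-process list (0 = end of list).
TAG = b"Proc"
RECORD_FMT = "<4sI16sI"
RECORD_SIZE = struct.calcsize(RECORD_FMT)  # 28 bytes

def make_record(pid, name, next_off):
    return struct.pack(RECORD_FMT, TAG, pid, name.ljust(16, b"\0"), next_off)

def build_sample_image():
    """Constructed memory image: three records linked into the active list,
    plus one record that was unlinked (terminated, or hidden by unlinking it)
    but whose memory has not yet been reused."""
    img = bytearray(0x200)
    img[0x10:0x10 + RECORD_SIZE] = make_record(4, b"System", 0x60)
    img[0x60:0x60 + RECORD_SIZE] = make_record(512, b"lsass.exe", 0xC0)
    img[0xC0:0xC0 + RECORD_SIZE] = make_record(900, b"explorer.exe", 0)
    # Still present in memory, but unreachable from the list head.
    img[0x140:0x140 + RECORD_SIZE] = make_record(1337, b"suspect.exe", 0)
    return bytes(img)

def walk_active_list(img, head):
    """pslist-style: follow the linked list from the head. Only sees what the
    kernel still links; an unlinked record is invisible here."""
    found, off = [], head
    while off:
        _tag, pid, name, nxt = struct.unpack_from(RECORD_FMT, img, off)
        found.append((pid, name.rstrip(b"\0").decode()))
        off = nxt
    return found

def scan_for_records(img):
    """psscan-style: carve every record whose tag matches, regardless of
    linkage. Real scanners add sanity checks to reject false tag matches."""
    found, pos = [], img.find(TAG)
    while pos != -1:
        _tag, pid, name, _nxt = struct.unpack_from(RECORD_FMT, img, pos)
        found.append((pid, name.rstrip(b"\0").decode()))
        pos = img.find(TAG, pos + 1)
    return found

def hidden_or_terminated(img, head):
    """Records the scan finds that the list walk does not: candidates for
    terminated or deliberately unlinked processes worth a closer look."""
    return sorted(set(scan_for_records(img)) - set(walk_active_list(img, head)))
```

The difference between the two result sets is exactly the residue Volatility can surface: memory that the running kernel no longer references but that the dump still contains.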

Hibernation is almost as useful as virtualization

Memory layout

MF's take on memory analysis methodology

MF proposes on pp. 124-125 a simple methodology for memory analysis:

Finding an executable, even if it's not in non-volatile storage