Memory Analysis (Whitepaper)
Traditional malware detection and forensic investigation techniques typically focus on detecting malicious native executables on disk and performing disk forensics to uncover evidence of historical actions on a system.
In this paper we look at some of the memory-resident techniques used by common malware families, and at how open-source memory analysis frameworks such as Volatility can be used to detect evidence of those techniques on compromised systems. Finally, we look at how we have adopted similar ideas at Countercept, developing capabilities for performing targeted live memory analysis at scale, which lets us detect unknown malware that uses these techniques on isolated systems within large enterprise networks.
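As an added illustration of the kind of evidence a memory analysis framework looks for (this is example code, not the whitepaper's or Volatility's own implementation), the script below applies the heuristic behind Volatility's malfind plugin to a set of per-process memory regions: executable memory that is private (not backed by a file on disk) is abnormal, and a PE header or an RWX protection inside such a region is stronger still. The Region records stand in for the VAD entries a framework would enumerate from an image and are constructed here for illustration; the page-protection constants are the real winnt.h values.

```python
"""Malfind-style heuristic over process memory regions (added example).

Each Region stands in for one VAD / memory-mapping entry as a memory
analysis framework such as Volatility would enumerate it from a memory
image. The SAMPLE_REGIONS below are constructed for illustration and are
not taken from a real capture.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows page-protection constants (winnt.h)
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


@dataclass
class Region:
    pid: int
    process: str
    start: int
    size: int
    protection: int
    mapped_file: Optional[str]  # backing file for image/section mappings, None if private
    head: bytes                 # first bytes of the region as read from the image


def is_executable(protection: int) -> bool:
    return bool(protection & EXECUTABLE_MASK)


def classify(region: Region) -> Optional[str]:
    """Return a reason string if the region looks injected, else None."""
    if not is_executable(region.protection):
        return None
    if region.mapped_file is not None:
        # Code loaded from disk by the normal loader is a file-backed image
        # mapping; that is the expected case and is not reported.
        return None
    if region.head.startswith(b"MZ"):
        return "PE header in private executable memory (reflectively or manually loaded module)"
    if region.protection == PAGE_EXECUTE_READWRITE:
        return "private RWX region (typical of injected shellcode or unpacked code)"
    # Private RX memory with no PE header: JIT engines (.NET, browsers) produce
    # this legitimately, so in practice these hits need a per-process allowlist.
    return "private executable region with no backing file"


def scan(regions: List[Region]) -> List[Tuple[int, str, int, str]]:
    """Run classify() over every region and return (pid, process, start, reason)."""
    findings = []
    for r in regions:
        reason = classify(r)
        if reason:
            findings.append((r.pid, r.process, r.start, reason))
    return findings


# Constructed sample: two processes, five regions (hypothetical PIDs/addresses).
SAMPLE_REGIONS = [
    # Normal: ntdll mapped from disk, executable, file-backed.
    Region(1234, "explorer.exe", 0x7FF800000000, 0x1F0000, PAGE_EXECUTE_READ,
           r"\Windows\System32\ntdll.dll", b"MZ\x90\x00"),
    # Normal: a heap segment, private but not executable.
    Region(1234, "explorer.exe", 0x00A00000, 0x100000, PAGE_READWRITE, None, b"\x00\x00\x00\x00"),
    # Suspicious: a full PE image in private RWX memory (reflective DLL injection).
    Region(1234, "explorer.exe", 0x02A10000, 0x20000, PAGE_EXECUTE_READWRITE, None, b"MZ\x90\x00\x03"),
    # Suspicious: small private RWX region holding position-independent code.
    Region(4321, "svchost.exe", 0x00F30000, 0x1000, PAGE_EXECUTE_READWRITE, None, b"\xfc\x48\x83\xe4\xf0"),
    # Borderline: private RX code with no PE header (JIT output or unpacked stub).
    Region(4321, "svchost.exe", 0x7FF7A0000000, 0x5000, PAGE_EXECUTE_READ, None, b"\x48\x89\x5c\x24"),
]


if __name__ == "__main__":
    for pid, name, start, reason in scan(SAMPLE_REGIONS):
        print(f"{name}({pid}) {start:#018x}  {reason}")
```

On a real image the same triage is what `vol -f image.raw windows.malfind` (Volatility 3) or `vol.py -f image.raw --profile=... malfind` (Volatility 2) performs before dumping the flagged regions; the value of running it live across an estate, as the paper goes on to describe, is that the file-backed/private distinction does not depend on any artefact ever having touched disk.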
Download: Memory Analysis – Advanced Threat Detection