Bangeter 02-mf_intro_v41.pdf
Bangeter 02-mf_intro_v41.pdf
Bangeter 02-mf_intro_v41.pdf
Kartei Details
| Karten | 40 |
|---|---|
| Sprache | English |
| Kategorie | Informatik |
| Stufe | Universität |
| Erstellt / Aktualisiert | 18.06.2019 / 01.07.2021 |
| Lizenzierung | Keine Angabe |
| Weblink |
https://card2brain.ch/box/20190618_bangeter_02mfintrov41_pdf
|
| Einbinden |
<iframe src="https://card2brain.ch/box/20190618_bangeter_02mfintrov41_pdf/embed" width="780" height="150" scrolling="no" frameborder="0"></iframe>
|
What can be reconstructed from a systm's state form memroy. Name some examples?
- Processes
- DLLs
- Memory map
- Registry
- Network
What are some advanteges of using memory based analysis?
- Defeat most root kit techniques
- Defeats file less, memory only malware
- Practicability
- Integrates naturally with the trend to virtualize infrastructure
What is meant by the term live forensics / analysis
Live forensics analysis search for anomalies on the potential victim machine itself
This is typically done sudin system administration tools to view process, network connections, registry and memory layout.
What is a major disadventage of live forensic?
Malware often contain anti-live forensic features, so analysis becomes unreliable / impossible.
Why do Rootkits defeat live forensics and what artifacts does it hide?
Rootkits are malware components that activly hide some malware traces / artifacts from someone working on the system, by modifying the processes and system.
Artifacts to hide:
- Files on disk
- Presence on live system (processes, code, registry keys, etc...)
- Network communication
- Suppress processes network connections, registry entries, etc...
- Hide code in non-malicous processes, corners of the system, etc...
What is offline forensics, how does it differ from live forensics?
In offline forensics a memory image or disk image of the infected host is created.
The image is then analyzed on a different (not infected) machine.
What are the goals of memory forensics?
- Detect intrusions on victim machine, especially traces left by malware and related attack tools and techniques.
- Understand / analyze malware behavior at leas partially
- Identify mlware
- Triage
- Extract artefacts for further analysis (e.g. reverse engineering)
What can be found in a memory image?
