Volatility is one of the premier tools used for analysis of memory images such as system RAM. In this module we present a brief introduction to the concept of Memory Analysis and to Volatility. Additionally, a large component of the module walks through a sample image infected with malware so that the reader can better understand the capabilities of the tool. Much more can be done with the tool, and links are provided to sources that the reader can use to better understand how to use Volatility to analyze memory images.

By: Moshe Caplan

For this module, we challenge the reader to do a complete analysis of the zeus.vmem memory image. In the module all we determined was that the machine had connected to another machine in a suspicious location. However, further analysis with Volatility could locate the malicious code on the system as well as locating other indicators identifying that this machine was infected with Zeus.

The zeus.vmem files can be found here: https://code.google.com/p/volatility/wiki/SampleMemoryImages

For a walkthrough / reference see: http://malwarereversing.wordpress.com/2011/09/23/zeus-analysis-in-volatility-2-0/

Further information on this module can be found at the following links.

You must Sign-In to post a comment.