Volatility Forensic Analysis: R2D2 Malware

Hunting R2D2 Malware

To start on this malware expedition, please download the image from here. Once the image file is downloaded, let's find out more about it by using the Volatility imageinfo plugin:

C:\volatility>volatility.exe -f 0zapftis.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search…
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS […]
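Once imageinfo has suggested a profile, every later plugin run has to be passed that profile with --profile=. The following added example (my own illustration, not code from the post) parses the "Suggested Profile(s)" line of Volatility 2.6 imageinfo output, picks the profile Volatility actually instantiated, and builds the follow-up triage commands for an XP-era image. The imageinfo text embedded below is a constructed sample shaped like the output above, and the plugin list is my choice: note that netscan does not support Windows XP, so the XP-specific connscan and sockets plugins are used instead.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of Volatility 2.6 imageinfo output (assumed format, not a real capture).
SAMPLE_IMAGEINFO = """Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\\volatility\\0zapftis.vmem)
"""

_PROFILE_RE = re.compile(r"Suggested Profile\(s\)\s*:\s*(.+)")
_INST_RE = re.compile(r"\(Instantiated with ([A-Za-z0-9_]+)\)")


def parse_imageinfo(text: str) -> Tuple[List[str], Optional[str]]:
    """Return (suggested profiles, profile Volatility instantiated with) from imageinfo output."""
    m = _PROFILE_RE.search(text)
    if not m:
        return [], None
    line = m.group(1)
    inst = _INST_RE.search(line)
    instantiated = inst.group(1) if inst else None
    # Drop the parenthetical, then split the comma-separated profile names.
    names = _INST_RE.sub("", line)
    profiles = [p.strip() for p in names.split(",") if p.strip()]
    return profiles, instantiated


def choose_profile(text: str) -> str:
    """Prefer the instantiated profile; fall back to the first suggestion.

    If nothing is suggested, imageinfo's KDBG search failed and the analyst
    should run kdbgscan and pass --profile explicitly, so we refuse to guess.
    """
    profiles, instantiated = parse_imageinfo(text)
    if instantiated:
        return instantiated
    if profiles:
        return profiles[0]
    raise ValueError("no profile suggested; run kdbgscan and set --profile manually")


def volatility_cmd(image: str, profile: str, plugin: str, *extra: str,
                   exe: str = "volatility.exe") -> List[str]:
    """Build an argv list for one Volatility 2 plugin run against the image."""
    return [exe, "-f", image, "--profile=" + profile, plugin, *extra]


# Plugin order is my own triage preference for a Windows XP image (assumption):
# process listing three ways (to spot hidden/unlinked processes), then network
# artefacts with the XP-compatible plugins, then injected-code hunting.
XP_TRIAGE_PLUGINS = ("pslist", "psscan", "pstree", "connscan", "sockets", "malfind")


def triage_plan(image: str, imageinfo_text: str,
                plugins: Tuple[str, ...] = XP_TRIAGE_PLUGINS) -> List[List[str]]:
    """Turn imageinfo output into the list of commands to run next."""
    profile = choose_profile(imageinfo_text)
    return [volatility_cmd(image, profile, p) for p in plugins]


if __name__ == "__main__":
    for argv in triage_plan("0zapftis.vmem", SAMPLE_IMAGEINFO):
        print(" ".join(argv))
```

Running the block prints one command line per plugin, each with --profile=WinXPSP2x86 filled in; wiring the same functions to subprocess.run over real imageinfo output is a one-line change.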

Root-me Command and Control Challenges

In this post we will go through the command and control challenges on https://www.root-me.org/. Since this challenge is still open, we will not post the answers but will only document the steps and approach taken to solve the challenges.

Command & Control — level 2: Find the workstation's hostname from the memory dump. The first approach that came into my […]

Forensic Analysis: jackcr difr challenge

After completing the Cridex Malware analysis, I decided to take up the jackcr difr challenge for further learning. I will continue to use the Volatility open source framework for this analysis. Also, you can read the Cridex Malware analysis here.

Challenge

The challenge consists of 4 memory dumps and one packet capture: two memory dumps from user machines, 1 memory dump […]

Forensic Memory Analysis with Volatility

After analyzing multiple dump files via WinDbg, the next logical step was to start with forensic memory analysis. After going through lots of YouTube videos I decided to use Volatility, a memory forensics analysis platform, to begin my journey into memory analysis.

Why Volatility

It is written in Python, and Python is my go-to scripting […]

Windows Process

In this post we will take a closer look at Windows processes. We will start by defining the different parts of a process, look briefly into the virtual address space, and then take a closer look at the internal data structures and threads. A process is a container inside which a program executes. At a very high […]

Setting Up a Windows 2019 VirtualBox VM for Kernel Mode Debugging

I've been reading on Windows memory management and decided to take a deeper dive into it. For this I decided to use WinDbg in kernel mode, attached to a Windows 2019 VM. I am documenting the steps for future reference. For installing WinDbg Preview please refer to my previous post. Before we start we […]

Solving Memory Issues with the RAMMap.exe Command Line

A few days back, a customer escalated an issue which had been going on for the last 2 months with no progress.

Problem

Once or twice a month, memory consumption on a server would hit 100%. To recover from the situation, we had to reboot the server from the Azure console. I started by studying the incidents the customer […]

WinDbg Preview Download and Install without the MS Store

Recently I was trying to install WinDbg Preview on my laptop. When I opened the MS Store I realized that it is blocked by security settings. Now I was in a dilemma: should I try to bypass the security, or is there a way WinDbg Preview can be installed without accessing the MS Store? So instead of directly […]

My First Experience with MS Sysinternals Tools

Finally, my organization decommissioned the Cisco VPN, and I had no choice but to move to the Pulse Secure VPN. To start with, I reached out to our local Windows admin and he shared the installer and document for installing and configuring Pulse VPN. I followed the document both in letter and spirit (pun intended) and configured my […]