Malware Memory Analysis for Non-Specialists: Investigating Publicly Available Memory Image for the Stuxnet Worm

Abstract

This report examines how an investigator can analyse an infected Windows® memory dump. The author investigates how to carry out such an analysis using Volatility and other investigative tools, including data-carving utilities and anti-virus scanners. Volatility is a popular and evolving open-source memory analysis framework, on which the author has built a memory-specific methodology to aid fellow novice memory analysts. The author examines how Volatility can be used to find evidence and indicators of infection. This report is the fourth in a series on Windows malware-based memory analysis; the current work examines a memory image infected with the Stuxnet worm.

Document Details

Document Type
Technical Report
Publication Date
Nov 01, 2013
Accession Number
AD1003980

Entities

People

  • R. Carbone

Organizations

  • Defence Research and Development Canada

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Anti-Virus Software
  • Application Protocols
  • Computational Forensics
  • Computer Program Documentation
  • Computer Program Reliability
  • Computer Programming
  • Computer Programs
  • Computers
  • Data Compression
  • Device Drivers
  • Malware
  • Network Protocols
  • Operating Systems
  • Reasoning
  • Security
  • Trojan Horse
  • Web Browsers

Readers

  • Cybersecurity
  • Parallel and Distributed Computing

Technology Areas

  • Cyber