Malware Memory Analysis for Non-specialists: Investigating Publicly Available Memory Image for the Tigger Trojan Horse

Abstract

This report examines how a computer forensic investigator can effectively analyse an infected Windows memory dump. The author investigates how to perform such an analysis using Volatility and other investigative tools, including data carving utilities and anti-virus scanners. Volatility is a popular and evolving open source memory analysis framework, and the author's previously proposed memory-specific methodology, built on it, could be of aid to fellow novice memory analysts. The author examines how Volatility can be used to find evidence and indicators of infection. This report is the fifth in this series concerning Windows malware-based memory analysis. It examines a memory image infected with the Tigger/Syzor Trojan horse.

Document Details

Document Type
Technical Report
Publication Date
Jun 01, 2014
Accession Number
AD1004008

Entities

People

  • R. Carbone

Organizations

  • DRDC Valcartier

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Application Protocols
  • Computational Forensics
  • Computer Program Documentation
  • Computer Program Reliability
  • Computer Programming
  • Computer Programs
  • Computers
  • Device Drivers
  • Digital Information
  • Engineering
  • Graphical User Interface
  • Malware
  • Network Protocols
  • Operating Systems
  • Security
  • Trojan Horse
  • Web Browsers

Readers

  • Cybersecurity
  • Parallel and Distributed Computing

Technology Areas

  • Cyber