Malware Memory Analysis for Non-specialists: Investigating Publicly Available Memory Images for Prolaco and SpyEye

Abstract

This technical memorandum examines how an investigator can analyse an infected Windows memory dump. The author investigates how to carry out such an analysis using Volatility and other investigative tools, including data-carving utilities and anti-virus scanners. Volatility is a popular and evolving open-source memory analysis framework, upon which the author has proposed a memory-specific methodology for aiding fellow novice memory analysts. The author examines how Volatility can be used to find evidence and indicators of infection. This technical memorandum is the second in a series concerning Windows malware-based memory analysis. The current work examines two memory images infected with Prolaco and SpyEye, respectively.

Document Details

Document Type
Technical Report
Publication Date
Oct 01, 2013
Accession Number
AD1004197

Entities

People

  • R. Carbone

Organizations

  • Defence Research and Development Canada

Tags

Communities of Interest

  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Application Protocols
  • Code Injection
  • Computational Forensics
  • Computer Programs
  • Computers
  • Data Compression
  • Detection
  • Electronic Messaging
  • Engineering
  • Infection
  • Internet
  • Network Protocols
  • Operating Systems
  • Security
  • Trojan Horse
  • Web Browsers
  • Wound Infections

Readers

  • Artificial Intelligence
  • Cybersecurity

Technology Areas

  • Cyber