archive

memory forensics

  1. Using Memory Analysis to Detect EDR-Nullifying Malware

    In the ever-changing cybersecurity landscape, threat actors are forced to evolve and continually modify the tactics, techniques, and procedures (TTPs) they employ to launch and sustain attacks successfully. They are continually modifying their malware and command-execution methods to evade detection. The attackers in these cases are attempting to get a step ahead of security software at the most basic level. However, some techniques take a different approach, aiming further up the stack and directly taking on security software. The most brazen methods involve leveraging various tools that directly terminate or shut down security software. If successful, this method is effective at giving an attacker free rein on a system. However, it comes at the potential cost of alerting users or administrators that the software unexpectedly stopped reporting or was shut off. What about a technique that potentially flies a bit more under the radar? In November 2022, Trend Micro published a […]

  2. Surge Collect Provides Reliable Memory Acquisition Across Windows, Linux, and macOS

    Over the last 10 years, memory acquisition has proven to be one of the most important and precarious aspects of digital investigations. Unfortunately, many investigators blindly trust free and commercial tools without understanding the associated risks and limitations. Consequently, they often end up with corrupt memory samples, or they crash systems containing volatile data that is critical to their investigations. While these tools may be readily accessible, many are unsupported or have been effectively abandoned by their original developers. In addition, a recent empirical study showed that most open source or commercial Windows memory acquisition tools either failed to collect or crashed systems with modern security features enabled. Based on user feedback, we determined there was a growing need within the industry to provide reliable and actively supported memory acquisition capabilities across Windows, Linux, and macOS. Acquisition Challenges When we set out to develop Volatility, we decided to focus our […]