The latest Honeynet Project Forensic Challenge, is right up my alley! Live system and memory analysis is a large part of my interest in secure computing, especially related to malware and exploitation. While playing around with the sample file, it occurred to me that something like Volatility, could be much more useful, in a day to day basis, scripted out to run a general and\or more detailed scan, if needed.
At the moment, a quick scan shows the results for pslist, DLLlist, modules, connections, and sockets. The advanced scan is not yet complete, but should include something like entire registry export(may move to quick), driverscan, idt, ssdt, apihooks,and possibly mutantscan. I do not intend to overlap scans, but instead to offer a third complete scan, calling them both.
The script will be made available 4/19/2010, after the challenge is completed and submitted, and after I've had proper time to complete a V 1.0.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment