Monday, May 03, 2010
Memory forensics with SIFT 2.0, Volatility, and PTK
May's toolsmith takes a close look at SIFT 2.0, the forensics workstation associated with the SANS 508 track.
SIFT 2.0 is best utilized as a VM via your preferred version of VMWare but can also be installed as a permanent standalone workstation.
I spend much of time touting memory analysis as a key component of incident response and forensics, and SIFT 2.0 offers two of the most capable memory analysis offerings available: Volatility and PTK. As I say in the article, I don't do either tool the justice it deserves but it should whet your appetite. I owe both Volatility and PTK their own write-ups, if not the MoonSols Memory Toolkit as well.
Regardless, SIFT 2.0 is extremely practical for forensic processing and case management. Assuming you have a decent storage footprint, you can opt to keep a unique virtual instance of SIFT for each case your handling.
For this article I used SIFT with Volatility and PTK to dig more deeply into a victim memory image of a Banload-infected host.
You'll quickly see how to get right to the bottom of an incident using only memory analysis.
The article is here.
Cheers and and enjoy.
del.icio.us | digg | Submit to Slashdot
Please support the Open Security Foundation (OSVDB)
I was reading an interesting Motherboard article, Legal Hacking Tools Can Be Useful for Journalists, Too , that includes reference to one ...
It's rather hard to believe, unimaginable even, but here we are. This is the 120th consecutive edition of toolsmith; every mon...
7 OCT 2016 saw the release of MISP 2.4.52 . MISP, Malware Information Sharing Platform and Threat Sharing, is free and open source software...
You've likely seen chatter recently regarding the pilot Hack the Pentagon bounty program that just wrapped up, as facilitated by Hacker...