Defense and

Analysis
Techniques

04/20/2026 KALAIARASU 1
Memory Forensics
Memory forensics refers to finding and extracting forensic artifacts
from a computer’s physical memory.

Outcome:

Explain the importance and capabilities of memory forensics and the tools
used to support incident response and malware analysis.

04/20/2026 KALAIARASU 2
RAM
While a system is on, random access memory (RAM) contains critical
information about the current state of the system. By capturing an
entire copy of RAM and analyzing it on a separate computer, it is possible
to reconstruct the state of the original system, including the
applications the user was running and the files or network
connections that existed at the time.
The concept of preserving RAM per the “order of volatility” and inspecting
it for signs of an intrusion is certainly not new; however, before the recent
explosion of groundbreaking research and expandable analysis
frameworks, many investigators relied on running the strings command on
a memory dump to gather postmortem intelligence about an attack.
Fortunately, times have changed, and memory analysis is not only a critical
component in any forensic investigation, but also one of the most effective
methods for malware reverse-engineering tasks such as unpacking and
rootkit detection.

04/20/2026 KALAIARASU 3
Why Memory Forensics Is
Important
1. Attackers design some malware to run completely from RAM (i.e.,
memory resident codes) to avoid touching longer term storage devices such as
the hard drive. Therefore, if analysts do not look for signs of intrusions
in RAM, they might miss the most important, or perhaps the only,
evidence that malware existed on the system.
2. Attackers design some malware to hide its own code and the resources
that it requires from the operating system using application program
interface (API) hooks; however, these rootkit techniques typically only work
against other processes on the infected computer while the system is running.
Hiding from offline memory forensics tools requires a different set of
capabilities that most malware authors have not implemented into their code.
3. Every action on a computer has a reaction - use the information as
clues when determining what might have happened on the suspect
system.

04/20/2026 KALAIARASU 4
Capabilities of Memory Forensics

04/20/2026 KALAIARASU 5
Memory Analysis Frameworks

04/20/2026 KALAIARASU 6
Dumping Physical Memory
To dump physical memory, iDefense recommends using win32dd2 by Matthieu Suiche. The
tool supports memory acquisition from a wide variety of OS versions, including
Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 RC2. Suiche recently provided an
update that includes the capability to compute cryptographic checksums (MD5, SHA-1,
or SHA256) and client or server architecture so that an analyst can transmit the memory
dump across the network easily. To get started, download a copy of win32dd from the tool’s
home page and extract the archive. To dump the full physical address space, save the
output file to [Link] in the same path as win32dd and create a Secure Hash
Algorithm 1 (SHA-1) hash of the dumped file; use the following syntax:

F:\>[Link] /f [Link] /s 1

04/20/2026 KALAIARASU 7
Installing and Using Volatility
$ tar -xvf [Link]
$ cd Volatility-1.3
$ python volatility
Volatile Systems Volatility Framework This is free software; see the source for
copying conditions. There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.

04/20/2026 KALAIARASU 8
Supported Internel Commands:

The full syntax for extracting evidence from the memory

dump created with Volatility follows:
$ python volatility <command> <arguments> -f
[Link]

04/20/2026 KALAIARASU 9
Finding Hidden Processes

04/20/2026 KALAIARASU 10
To generate a process listing by walking the
linked list of processes

04/20/2026 KALAIARASU 11
An EPROCESS object removed from a
doubly linked list

The Volatility command psscan2 :

Instead of walking the linked list of EPROCESS objects
like pslist, psscan2 scans linear memory for pools with
the same attributes (paged versus nonpaged, tag, and
size) that the kernel uses for EPROCESS objects, and
then applies a series of sanity checks. This way, psscan2
is able to find EPROCESS objects in memory even if a
rootkit has unlinked it from the list. The
same concept applies to finding hidden kernel drivers,
sockets, connections, services, and various other kernel
objects.

04/20/2026 KALAIARASU 12
Volatility Analyst Pack - plugins

04/20/2026 KALAIARASU 13
Conclusion
Memory forensics is a rapidly growing aspect of incident response and
malware analysis. Its powerful default capabilities can replace 10–20 live
system tools, not to mention the features provided by third-party plugins
such as VAP. Although there are several options, iDefense recommends
the free, open-source Volatility framework, which also provides an
analyst with the opportunity to learn about the operating system.

04/20/2026 KALAIARASU 14
Honeypots
Creating an asset to attract malicious activity for monitoring and early
warning is a well-established activity. Not only do honeypots, isolated
technical assets configured with a high level of logging, provide valuable
attack data for analysis, but security analysts also periodically use them as
decoys that deliberately contain known vulnerabilities.

04/20/2026 KALAIARASU 15
Honeypots Contd.
A honeypot is an information system resource whose value lies in
unauthorized or illicit use of that resource. A honeypot is a concept that
capitalizes on the isolation of a resource and subsequent activity that
interacts with the resource. Designed to resemble an interesting target to
attack, probe, exploit, or compromise and configure with a high level of
logging, honeypots attract attackers and malicious code to capture their
activity for analysis. Honeypots thrive in isolated environments because they
have no production value or business purpose and all activity observed is
suspicious. Placement of these resources is important to minimize the
amount of legitimate or unintentional traffic

04/20/2026 KALAIARASU 16
Honeypot- Classification
two different classifications based on the level of system interaction available
to the attacker.
Low-interaction honeypots
High-interaction honeypots

04/20/2026 KALAIARASU 17
Low-interaction honeypots
Low-interaction honeypots emulate vulnerable services and applications to
entice inbound exploit attempts from attackers. Emulation occurs by
mimicking real network responses to inbound connections allowing an attack
to progress to completion. The attacks do not compromise the honeypot
because the honeypot itself is not vulnerable; rather, it follows along by
emulating vulnerabilities. Logs of the activity capture the exploit attempt,
and postattack analysis provides information to protect other production
devices from falling victim to the attack.

04/20/2026 KALAIARASU 18
High-interaction honeypots
High-interaction honeypots, utilize actual services and vulnerabilities to
attract inbound attacks. The use of real services provides detailed
information on the steps involved in exploitation and the post compromise
activity. This type of honeypot requires close and constant observation
because the system is likely to fall victim to compromise. High-interaction
honeypots also need extra security measures to contain subsequent attacks
or malicious code propagation.

04/20/2026 KALAIARASU 19
Commercial and open-source honeypot
solutions
Specter, a commercial honeypot, is an example of a low-interaction
honeypot that advertises vulnerabilities and acts as a decoy and data
collection solution.
Nepenthes also advertise vulnerabilities and capture and download
malicious code or analyze shellcode resulting from exploitation
Honeyd, a lightweight honeypot daemon configured to simulate a mail relay
or open proxy, captures e-mail spam for tracking and spam filter creation.
Capture-HPC and MITRE’s Honeyclient are client-based honeypots

04/20/2026 KALAIARASU 20
Honeynet and Honeywall

04/20/2026 KALAIARASU 21
Legality of honeypot
deployment
The legality of honeypot deployment is under constant debate and generally
involves discussions on
 entrapment
 privacy
 liability

04/20/2026 KALAIARASU 22
Detection techniques
 virtualization checks
 network traffic modification
 latency checks

A common example of this detection method uses the dd command to

copy an endless amount of data to /dev/null, which produces
overwhelming amounts of data for the honeypot to log. The ping
command can check the network latency during the heavy load that the
dd command invokes.

04/20/2026 KALAIARASU 23
Malicious Code Naming
Malicious code–naming conventions within the industry, which can be
confusing and difficult to reference. The differences in procedures used by
antivirus tools and those used by analysts are at the heart of the problem

04/20/2026 KALAIARASU 24
An antivirus scan of a typical banking
Trojan

04/20/2026 KALAIARASU 25
Antivirus names
Family_Name.Group_Name.Major_Variant.Minor_ Variant[:Modifier]

04/20/2026 KALAIARASU 26
Automated Malicious Code Analysis
Systems
The massive volume of distinct pieces of malicious code in existence exceeds
the capacity of human analysts. Fortunately, researchers can automate much
of the initial analysis. This automation allows much greater efficiency and
prioritization of analysis of malicious code samples.

Behavioral analysis

04/20/2026 KALAIARASU 27
Two main techniques to analyze the
behavior of malicious code:
1. Passive analysis: Record the state of the system before and after the
infection.
Then, compare these states to determine what changed.

2. Active analysis: Actively monitor and record malicious code actions

during
execution.

04/20/2026 KALAIARASU 28
Passive Analysis
Passive analysis systems work in the three-stage cycle

04/20/2026 KALAIARASU 29
Common analysis features
 File system
 Windows Registry content
 Running processes
 Listening ports
 Memory contents

04/20/2026 KALAIARASU 30
Features

04/20/2026 KALAIARASU 31
Passive analysis comparison process

04/20/2026 KALAIARASU 32
Active Analysis
 Downloaders
 API hook

04/20/2026 KALAIARASU 33
Physical or Virtual Machines
First, time is spent allowing the malicious code to execute. If the runtime is
too short, the analysis might miss a critical step taken by the malicious code,
but the more time allotted for the malicious code to run, the longer the
system takes to generate a report.

The second major source of analysis time is restoring the infected system to
a clean state.

04/20/2026 KALAIARASU 34
Virtualization systems
Virtualization systems like VMWare and VirtualBox have many features that make them an
excellent choice when developing an AMAS. These programs allow a user to run one or
many virtual computer(s) on top of another OS. Researchers use these systems to run
many analysis instances on a single physical computer, saving time, power, and money.
Virtual machines (VM) also have the ability to store a clean “snapshot” of the operating
system. After the analysis is complete, restoring the system to the clean snapshot
typically takes less than 30 seconds; however, as with active analysis systems, it is
possible for malicious code to detect that it is running in a VM and alter its execution path
to trick the system into producing an inaccurate report. One recent example of VM-aware
malicious code is Conficker, which did not execute in VMs in order to increase analysis
difficulty.

04/20/2026 KALAIARASU 35
Physical machines
Physical machines are not as simple to restore compared to their virtual counterparts,
but there are multiple options available. One possible solution is Faronics
DeepFreeze.

DeepFreeze is a Windows program that allows administrators to revert a system

to a clean state each time it reboots. Internet users at universities and Internet
cafes, where many users access the same pool of computers, commonly use
DeepFreeze. iDefense tested DeepFreeze for use in one sandbox and found that it
was not sufficient to prevent malicious code from altering the system.
Software solutions are not reliable for this purpose because malicious code can
disable them or use methods to write to the disk that the software does not monitor.

04/20/2026 KALAIARASU 36
A CoreRESTORE ATA/IDE bridge.

04/20/2026 KALAIARASU 37
Current Popular AMASs

04/20/2026 KALAIARASU 38
Intrusion Detection Systems
Connecting computers allows for communication and the exchange of
information, but also exposes these computers to threats from remote
locations. This exposure to external threats needs a monitoring and detection
solution to ensure the safety of interconnected systems.

04/20/2026 KALAIARASU 39
Out-of-line and inline topologies

04/20/2026 KALAIARASU 40
Out-of-line sensors
Out-of-line sensors connect to a switched port analyzer (SPAN), an action also
known as monitoring, port mirroring, or a network tap. A SPAN port is a port
on a network device, such as a switch or firewall, that receives a duplicate
feed of the real-time traffic for monitoring purposes. A network tap operates
in a similar manner; however, these are standalone devices that send and
receive traffic between two ports and have a third port that receives a copy
of this traffic for monitoring purposes. Out-of-line sensors connected to a
SPAN either port or tap monitor traffic and produce alerts in response to
malicious activity

04/20/2026 KALAIARASU 41
Inline sensors
Inline sensors differ from out-of-line sensors in that they physically sit in the
path of the network traffic. Network traffic travels from its source through
the inline device to its destination. The inline sensor checks the traffic sent
through it for malicious activity to produce alerts or block the malicious
activity. Inline sensors configured to block malicious traffic, known as
intrusion prevention systems (IPSs), have a greater impact on
reducing the occurrence of malicious activity on a network

04/20/2026 KALAIARASU 42
Content-matching rules
Content-matching rules use specific pattern matches or regular expressions

Example HTTP request:

GET/[Link]?
action=bot&entity_list=&uid=1&first=1&guid=412784631&rnd=94

Content Match
“GET /[Link]?action=“

Regular Expression
“/GET\s/[Link]?action=(bot|loader|report)/”

04/20/2026 KALAIARASU 43
Abnormal fields within an HTTP header

04/20/2026 KALAIARASU 44