Lohit is a security researcher and evangelist who is currently working with Microsoft and has a keen interest in Forensics (Memory, Network & Host), Reversing, Pentesting, Vulnerability Management, Log Analysis and Secure Coding. He is a regular contributor to various security blogs and has received special mention in security publications such as Digital Guardian, Infosec Institute, etc. He holds GIAC GCIH, GIAC GCFA, GIAC GREM, Splunk and CompTIA Security+ certifications.
Memory forensics is a real help in analyzing advanced malware, since in memory the malware's artifacts can be examined more thoroughly and more useful IoCs can be built from them. For example, memory forensics of famous attacks such as Stuxnet and BlackEnergy revealed artifacts of the attack that had not been noticed earlier. Memory forensics is a process that starts with finding the affected system, then capturing its memory, analyzing it and, if needed, dumping the malicious process for further analysis. With memory forensics we can analyze many kinds of OS artifacts: running processes, live network connections, loaded drivers, API hooks, and artifacts such as the shim cache that reside only in memory and are flushed to disk only after a system reboot. It is also useful for analyzing memory-resident malware that never writes anything to disk and can therefore go unnoticed. Memory forensics also lets us analyze advanced kernel-level attacks such as Direct Kernel Object Manipulation (DKOM) and so detect a malware's attempts to hide. Various tools such as Volatility, Redline and Rekall help with memory forensics.
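The DKOM detection mentioned above rests on a cross-view comparison: walk the kernel's linked list of active processes (what Volatility's pslist does) and separately carve every process structure out of the raw image regardless of linkage (what psscan does); anything the carver finds that the list walk misses has been unlinked. The following Python is an added illustration, not code from this article, from Volatility or from any other tool. It constructs a toy 512-byte "memory image" with a simplified process record layout (a `PROC` tag, PID, forward/backward links and a name; the real EPROCESS layout is far larger and the offsets here are arbitrary) in which one record has been unlinked DKOM-style, then applies both views and diffs them. It also checks the doubly-linked-list invariant that the record a forward link points to must point back, which a surgically unlinked entry violates.

```python
import struct

# Constructed record layout for the toy image (32 bytes per record):
#   0..3   tag   b"PROC"
#   4..7   pid   (uint32, little-endian)
#   8..11  flink (offset of the next record in the active list)
#  12..15  blink (offset of the previous record)
#  16..31  name  (16 bytes, NUL padded)
REC_FMT = "<4sIII16s"
REC_SIZE = struct.calcsize(REC_FMT)  # 32
TAG = b"PROC"


def build_image():
    """Construct a toy image: four process records, one of them unlinked (DKOM-style).

    Returns (image_bytes, offset_of_list_head). All values are made up for the demo.
    """
    image = bytearray(512)
    offsets = {4: 0x40, 300: 0x80, 1337: 0xC0, 2048: 0x140}  # scattered like pool allocations
    names = {4: b"System", 300: b"svchost.exe", 1337: b"evil.exe", 2048: b"explorer.exe"}
    chain = [4, 300, 2048]  # the circular active list deliberately skips pid 1337
    for i, pid in enumerate(chain):
        flink = offsets[chain[(i + 1) % len(chain)]]
        blink = offsets[chain[(i - 1) % len(chain)]]
        struct.pack_into(REC_FMT, image, offsets[pid], TAG, pid, flink, blink, names[pid])
    # The hidden record still sits in memory with stale pointers into the list,
    # exactly what an unlinked EPROCESS looks like after DKOM.
    struct.pack_into(REC_FMT, image, offsets[1337], TAG, 1337,
                     offsets[2048], offsets[300], names[1337])
    return bytes(image), offsets[4]


def parse_record(image, off):
    """Decode one record at `off`; return None if no valid tag is there."""
    if off + REC_SIZE > len(image):
        return None
    tag, pid, flink, blink, name = struct.unpack_from(REC_FMT, image, off)
    if tag != TAG:
        return None
    return {"offset": off, "pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode()}


def walk_active_list(image, head_off, max_steps=1000):
    """pslist-style view: follow flink pointers from the head until the list wraps."""
    seen, off = [], head_off
    for _ in range(max_steps):  # bounded so a corrupted list cannot loop forever
        rec = parse_record(image, off)
        if rec is None:
            break  # pointer led somewhere that is not a record; stop the walk
        seen.append(rec)
        off = rec["flink"]
        if off == head_off:
            break
    return seen


def scan_for_records(image, align=16):
    """psscan-style view: carve every tagged record from the raw image, linked or not."""
    return [rec for off in range(0, len(image) - REC_SIZE + 1, align)
            if (rec := parse_record(image, off)) is not None]


def pointer_inconsistent(image, rec):
    """True if the record's successor does not link back to it (list invariant broken)."""
    nxt = parse_record(image, rec["flink"])
    return nxt is None or nxt["blink"] != rec["offset"]


def find_hidden_processes(image, head_off):
    """Cross-view diff: records found by scanning but absent from the list walk."""
    listed = {r["offset"] for r in walk_active_list(image, head_off)}
    return [r for r in scan_for_records(image) if r["offset"] not in listed]


if __name__ == "__main__":
    img, head = build_image()
    print("active list:", [r["pid"] for r in walk_active_list(img, head)])
    print("scanned    :", [r["pid"] for r in scan_for_records(img)])
    for r in find_hidden_processes(img, head):
        print(f"HIDDEN pid={r['pid']} name={r['name']} "
              f"link-invariant-broken={pointer_inconsistent(img, r)}")
```

Running the script lists three PIDs from the list walk, four from the scan, and flags pid 1337 (`evil.exe`) as hidden with its link invariant broken. A real carver keys on pool-allocation headers and object-header sanity checks rather than a fixed tag, and a real list walk starts from the kernel's exported list head, but the detection logic is the same diff.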