Evidence Category · 13 Questions
Memory Forensics
Measures forensic analysis of a volatile memory dump.
Questions in This Category
Q007 · Malicious process name in the RAM image? (masquerade)
Q008 · Malicious process PID?
Q009 · Password the malicious process used for exfiltration?
Q010 · Exfiltration (C2) destination IP?
Q011 · Which account (service account) was exfiltrated?
Q012 · Encryption key (c2key) leaked from memory?
Q013 · From which directory does the malicious process run?
Q093 · PID of the legitimate svchost.exe?
Q094 · PID of explorer.exe?
Q095 · Upload request path in the HEAP record?
Q096 · C2 connection port of the malicious process?
Q097 · Full file path of the malicious process?
Q162 · Action parameter in the malicious process command line?