Channel: Forensic Focus Forums - Recent Topics

General Discussion: what else other than memory dump

d4n13l4 wrote: I'm trying to use memory dumps to investigate malware detections on some computers from the company I work for. So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to find out how the file got onto the machine.

Which OS and version? With the AV detection, you should have a full path to the file, so that might give you some kind of indication as to where to start in order to determine the initial infection vector (IIV). From there, a mini-timeline created using selected files might be the most valuable and revealing way to approach determining the IIV.
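
The mini-timeline approach suggested in the reply, as an added example that is not part of the original thread: take the AV detection time and path as the pivot, merge a few selected artifacts (a TSK-style bodyfile for the file's MACB stamps, a browser-history export, the AV log) into one event list, and keep only the window around the pivot so the events leading up to the detection stand out. All sample artifact lines, the file paths, the URLs and the log formats are constructed for this illustration and are not from the poster's case; real sources need per-source time-zone handling, which the sample sidesteps by recording everything in UTC.

```python
"""Mini-timeline: merge selected artifacts around an AV detection and print the window."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    desc: str


def _parse_iso(s: str) -> datetime:
    # Sample artifacts are all recorded in UTC ("Z" suffix).
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _epoch(s: str) -> int:
    return int(_parse_iso(s).timestamp())


# --- Constructed sample artifacts (hypothetical; not from the original post) ---
AV_LOG = [
    "2019-03-12T09:00:01Z CLEAN scheduled scan finished",
    "2019-03-12T10:15:42Z DETECTED Trojan.Generic C:\\Users\\bob\\Downloads\\invoice.exe",
]
# TSK bodyfile layout: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
BODYFILE = [
    "0|C:/Users/bob/Downloads/invoice.exe|0|0|0|0|61440|%d|%d|%d|%d"
    % (_epoch("2019-03-12T10:15:40Z"), _epoch("2019-03-12T10:15:40Z"),
       _epoch("2019-03-12T10:15:40Z"), _epoch("2019-03-12T10:15:38Z")),
    "0|C:/Windows/System32/calc.exe|0|0|0|0|27648|%d|%d|%d|%d"
    % ((_epoch("2018-04-11T23:34:10Z"),) * 4),
]
# Browser history export, one "visit_time,url" line per visit
BROWSER_CSV = [
    "2019-03-12T08:00:00Z,https://news.example/",
    "2019-03-12T10:14:55Z,http://files.example/invoice.exe",
]


def parse_av_log(lines):
    """Keep only DETECTED entries; the trailing token is the full path the AV reported."""
    events = []
    for line in lines:
        ts, status, rest = line.split(" ", 2)
        if status == "DETECTED":
            events.append(Event(_parse_iso(ts), "av", "detection: " + rest))
    return events


def parse_bodyfile(lines):
    """One event per distinct timestamp, flagged mactime-style ('m', 'a', 'c', 'b' or '.')."""
    events = []
    for line in lines:
        f = line.split("|")
        name = f[1]
        stamps = {"m": int(f[8]), "a": int(f[7]), "c": int(f[9]), "b": int(f[10])}
        for t in sorted(set(stamps.values())):
            flags = "".join(k if stamps[k] == t else "." for k in "macb")
            events.append(Event(datetime.fromtimestamp(t, timezone.utc), "fs", f"{flags} {name}"))
    return events


def parse_browser_csv(lines):
    return [Event(_parse_iso(ts), "browser", "visit " + url)
            for ts, url in (line.split(",", 1) for line in lines)]


def detection_pivot(av_events):
    """Earliest detection: its timestamp is the pivot, its path is where to start looking."""
    det = min(av_events, key=lambda e: e.ts)
    return det.ts, det.desc.rsplit(" ", 1)[1]


def mini_timeline(events, pivot, before=timedelta(minutes=30), after=timedelta(minutes=5)):
    """Sorted events inside [pivot - before, pivot + after]; everything else is noise for now."""
    lo, hi = pivot - before, pivot + after
    return sorted((e for e in events if lo <= e.ts <= hi), key=lambda e: (e.ts, e.source))


def build_from_samples():
    av = parse_av_log(AV_LOG)
    pivot, _path = detection_pivot(av)
    events = av + parse_bodyfile(BODYFILE) + parse_browser_csv(BROWSER_CSV)
    return mini_timeline(events, pivot)


if __name__ == "__main__":
    for e in build_from_samples():
        print(e.ts.isoformat(), e.source.ljust(8), e.desc)
```

On the sample data the window holds four rows: the browser visit to the URL that serves invoice.exe, the file's creation ("...b"), its content/metadata change ("mac."), then the AV detection; the unrelated calc.exe stamps and the earlier news visit fall outside the window. Widening `before` or adding more sources (mail client database, event logs, prefetch) is how the same script grows into the "selected files" timeline the reply describes.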
