Quote::
I'm trying to use memory dumps to investigate malware detections on some computers from the company I work for.
So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to find out how the file got onto the machine. - d4n13l4
Quote::
As a side note: as a threat hunter in a malware investigation, he probably doesn't need to follow forensic principles of creating a full image, or even a write-blocked image.
What I would be pushing is documentation. Document what you've done, and what you've found. - randomaccess
What randomaccess suggests is very appropriate, and what you use to document would pretty much depend upon how he wishes to document and which tools; that would make the task somewhat easier or much more time consuming. Since this is a Windows system, does anyone have any tools to suggest?
I would guess that this is more of a Blue Team type situation? But wouldn't you want, at some point, just in case, to have the collected evidence ready for possible court use, besides stopping this attack and making secure corrections and protections?
What have your policies and experiences been? To just stop and correct the attack and move on, or to potentially provide your experience and evidence to a prosecutor? This would be interesting to know, too....