Purpose: Identify deviations from a "known-good" baseline that may indicate the presence of malware on a system
Data Required: Memory dumps, Registry dumps, "known good" data
Collection Considerations: This works best when tracked over time rather than as a single comparison. Volatility plugins such as "stalker", "profiler", "regcomp" and "hunter" are useful
Analysis Techniques:
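The point about tracking over time, as an added example (not part of the original entry or of any Volatility plugin): each dump is diffed against the known-good set, and the deviations are then classified by how many snapshots they persist across. The module lists, names and paths below are constructed sample data; "svchlp.sys" is a hypothetical driver name.

```python
from typing import Dict, List, Set, Tuple

Item = Tuple[str, str]  # (module name, reported path) for one loaded driver

# Constructed sample data, not real dump output: kernel modules listed from a
# "known good" image of a host and from three later memory dumps of that host.
NTOSKRNL: Item = ("ntoskrnl.exe", r"\SystemRoot\system32\ntoskrnl.exe")
TCPIP: Item = ("tcpip.sys", r"\SystemRoot\system32\drivers\tcpip.sys")
NDIS: Item = ("ndis.sys", r"\SystemRoot\system32\drivers\ndis.sys")
USBHUB: Item = ("usbhub.sys", r"\SystemRoot\system32\drivers\usbhub.sys")
SVCHLP: Item = ("svchlp.sys", r"\??\C:\Users\Public\svchlp.sys")  # hypothetical

KNOWN_GOOD: Set[Item] = {NTOSKRNL, TCPIP, NDIS}
SNAPSHOTS: List[Tuple[str, Set[Item]]] = [
    ("day1", {NTOSKRNL, TCPIP, NDIS, USBHUB}),  # USB device plugged in once
    ("day2", {NTOSKRNL, TCPIP, NDIS, SVCHLP}),  # unknown driver appears
    ("day3", {NTOSKRNL, TCPIP, SVCHLP}),        # ...and stays; ndis.sys gone
]

Key = Tuple[str, Item]  # ("added" | "missing", item)


def diff_against_baseline(baseline: Set[Item], snapshot: Set[Item]) -> Tuple[Set[Item], Set[Item]]:
    """Single-point comparison: items present only in the snapshot, and items
    present in the baseline but absent from the snapshot."""
    return snapshot - baseline, baseline - snapshot


def track_over_time(baseline: Set[Item], snapshots: List[Tuple[str, Set[Item]]]) -> Dict[Key, List[str]]:
    """Run the baseline comparison on every snapshot and record, per deviating
    item, the labels of the snapshots in which it deviated."""
    history: Dict[Key, List[str]] = {}
    for label, snap in snapshots:
        added, missing = diff_against_baseline(baseline, snap)
        for item in sorted(added):
            history.setdefault(("added", item), []).append(label)
        for item in sorted(missing):
            history.setdefault(("missing", item), []).append(label)
    return history


def triage(history: Dict[Key, List[str]]) -> Tuple[Dict[Key, List[str]], Dict[Key, List[str]]]:
    """Split deviations by persistence: seen in more than one snapshot versus
    seen only once. A single comparison cannot make this distinction."""
    persistent = {k: v for k, v in history.items() if len(v) > 1}
    transient = {k: v for k, v in history.items() if len(v) == 1}
    return persistent, transient
```

A one-off comparison on day 2 alone flags both the transient USB hub driver and the unknown driver equally; only the snapshot history separates the driver that keeps reappearing (and the baseline module that went missing) from noise.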
Description
Other Notes
More Info
- Every Step You Take (video needed, if available)
- "Several Ways to Skin a Rat", Jamie "Gleeda" Levy (Link needed)