Discover and read the best of Twitter Threads about #MemoryForensics

Most recent (1)

1\ How to detect what command line spawned a process with no EDR/AV? 👀 #DFIR

If you have a memory sample, this is how you can figure out what cmd spawned the processes by using volshell and memory forensics.

STEP BY STEP GUIDE BELOW

👇 👇 👇 👇 

#MemoryForensics
2\ Each process in Windows is represented by an "EPROCESS" structure.

These EPROCESS blocks are joined in a doubly linked list. The flink (forward link) points to the next process in the list and the blink (backward link) points to the previous one.
3\ When you see a list of processes on a live system, that list is often gathered by walking this doubly linked structure of EPROCESS blocks.

Of course malware can unlink a process in this doubly linked list to hide from detection :P
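The list-walk versus pool-scan cross-check that the thread alludes to, as an added illustration (not the thread author's code and not Volatility): the EPROCESS layout, the process names and the PIDs below are constructed stand-ins, and `unlink` models the DKOM trick of pointing the neighbours past a block while the block itself stays resident in memory.

```python
"""Toy model of the ActiveProcessLinks list plus a pslist-vs-psscan cross-check.
Added example: the structures are simulated, not parsed from a real memory image."""
from dataclasses import dataclass


@dataclass
class EProcess:
    """Simplified stand-in for an EPROCESS block (constructed, not the real layout)."""
    pid: int
    name: str
    flink: "EProcess | None" = None   # next entry in ActiveProcessLinks
    blink: "EProcess | None" = None   # previous entry


def link_processes(procs):
    """Join the blocks into a circular doubly linked list, as the kernel does."""
    n = len(procs)
    for i, p in enumerate(procs):
        p.flink = procs[(i + 1) % n]
        p.blink = procs[(i - 1) % n]
    return procs[0]


def unlink(proc):
    """DKOM-style hiding: neighbours skip the block, but the block stays in memory."""
    proc.blink.flink = proc.flink
    proc.flink.blink = proc.blink


def walk_list(head):
    """pslist-style view: follow flink until the walk returns to the head."""
    seen = []
    node = head
    while True:
        seen.append(node.pid)
        node = node.flink
        if node is head:
            break
    return seen


def pool_scan(all_blocks):
    """psscan-style view: every EPROCESS block still resident, list-independent."""
    return [p.pid for p in all_blocks]


def hidden_processes(head, all_blocks):
    """Cross-view check: present in the pool scan but absent from the list walk."""
    listed = set(walk_list(head))
    return sorted(pid for pid in pool_scan(all_blocks) if pid not in listed)


def build_sample():
    """Constructed sample image: four processes, the last of which gets unlinked."""
    procs = [EProcess(4, "System"), EProcess(392, "smss.exe"),
             EProcess(2208, "explorer.exe"), EProcess(1337, "evil.exe")]
    head = link_processes(procs)
    unlink(procs[3])
    return head, procs


if __name__ == "__main__":
    head, blocks = build_sample()
    print("list walk :", walk_list(head))
    print("pool scan :", pool_scan(blocks))
    print("hidden    :", hidden_processes(head, blocks))
```

The walk from `System` never reaches `evil.exe` once it is unlinked, yet the block is still found by the scan over resident blocks; in a real image the same disagreement between a list walk and a pool-tag scan is the signal an analyst looks for.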
Read 13 tweets
