I found a bunch of free resources for memory images when I wanted to do a deeper dive into memory forensics, linked from the Volatility wiki, only to be stymied by 404s from people hosting things in personal Dropbox links or the like. After some Google-fu, I found archived copies of things, and am now hosting mirrors of the more helpful items… in my own Dropbox, to 404 out sometime in the future. Hey, it’s hard to find free hosting of larger files indefinitely!
Downloads
Interesting Memory Images
- Stuxnet (md5)
- HoneyNet Banking Troubles (md5) - Mirrored from the HoneyNet Project
- Shylock Banking Malware (md5)
- Black Energy 2 (md5) - Mirrored from the Malware Cookbook DVD. GPL licensed
- Zeus Trojan (md5) - Mirrored from the Malware Cookbook DVD. GPL licensed
- GrrCon 2012 Forensics Challenge Memory Dump (md5) - Part of a larger ISO (password grrcon2012)
Tools
- SIFT Workstation - comes with Volatility, Rekall and a number of other DFIR tools installed and configured.
Resources
- Volatility Command Wiki
- SANS Memory Forensics Posters - Rekall-centered and Volatility-centered
- SANS Hunt Evil Poster (quick guide to what’s normal for Windows)
Other People’s Analysis
- Stuxnet analysis by Michael Hale Ligh: Stuxnet’s Footprint in Memory with Volatility 2.0
- Shylock analysis (access via archive.org)
- Zeus Trojan Memory Analysis by Javier Nieto
- Zeus Trojan Memory Analysis by evild3ad
- GrrCon 2012 forensics challenge walkthrough using only memory analysis