Publication Type : Conference Paper
Publisher : IEEE
Source : 2024 15th International Conference on Computing Communication and Networking Technologies (ICCCNT)
Url : https://doi.org/10.1109/icccnt61001.2024.10725096
Campus : Amritapuri
Center : Cyber Security
Year : 2024
Abstract : Malware is becoming more advanced and uses various techniques to stay hidden. Some malware reveals its harmful nature only upon execution, and detecting such advanced malware poses challenges. Memory forensics plays a crucial role in identifying such malware, as it involves the real-time recording of system activity and inspection of vital artifacts like active processes, network activity, and DLLs loaded by programs. This study proposes a Python-based command-line program, utilizing Volatility3 for extracting and analyzing memory artifacts to identify suspicious processes. It examines all running processes, regardless of their network activity, and checks the origins of these processes. Suspicious processes are then cross-verified with VirusTotal to assess their malicious nature. The final output of the tool is a comprehensive report detailing the findings from VirusTotal, providing a streamlined and efficient approach to malware detection in memory dumps. This work aims to enhance the capabilities of forensic investigators, particularly those not specialized in malware analysis, in rapidly and accurately identifying potential threats within a system’s memory.
Cite this Research Publication : Sarath Jayan Nair, Sreelakshmi R Syam, Automated Malware Detection Using Memory Forensics, 2024 15th International Conference on Computing Communication and Networking Technologies (ICCCNT), IEEE, 2024, https://doi.org/10.1109/icccnt61001.2024.10725096