Sunday, November 1, 2015

Volatility Memory Forensics - Investigating a potential virus situation - Part 1

Part 2 | Part 3 | Part 4 | Part 5

Executive Summary 


Background
On Friday, September 4, 2015, Allysa stated that her computer had been running slowly, that she therefore thought it might be infected with a virus, and that she would like it to be reinstalled. The computer was brought in powered off. Other than the belief that the computer was running slowly and might be infected, no other evidence was provided to support or refute this theory.


Request
Allysa requested that the examiner reinstall her computer, as she thought it had been infected with a virus because it was running slowly.


Summary of Findings
The examiner analysed the acquired memory image file and found no evidence of a virus being present on the computer. The examiner did not attempt to identify the cause of the perceived slowness of the computer.


Evidence
Table 1 outlines the evidence items of this case.

Description       | Designation  | Filename                        | MD5 Hash
Evidence Created  | Working Copy | ALYSSA-PC-20150905-001215.rar   | 88f81f7990fb1b2e18080b6ca4744433
Evidence Examined | Working Copy | ALYSSA-PC-20150905-001215.rar   | 88f81f7990fb1b2e18080b6ca4744433
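The reason Table 1 records the MD5 of both the created and the examined copy is so that the examiner can show the working copy was not altered between acquisition and analysis. The Python below is an added illustration of that check, not code from the original post or the examiner's tooling: it streams each listed file through MD5 (so a multi-gigabyte memory image never has to fit in RAM), compares the result with the hash recorded at acquisition, and reports OK, MISMATCH or MISSING per item. The manifest layout mirrors Table 1's columns, but the file names, contents and hashes used in the demo are constructed sample data.

```python
import hashlib
import os
import tempfile

# Assumption: a manifest is a list of dicts with the same columns as Table 1
# (designation, filename, md5). Everything written in demo() is constructed
# sample data, not the page's real evidence file.


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large memory images are never read whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(manifest, base_dir):
    """Recompute each item's MD5 and compare it (case-insensitively) with the recorded value."""
    results = []
    for item in manifest:
        path = os.path.join(base_dir, item["filename"])
        if not os.path.isfile(path):
            # A missing working copy is a chain-of-custody problem in its own right.
            results.append({**item, "actual": None, "status": "MISSING"})
            continue
        actual = md5_of_file(path)
        status = "OK" if actual.lower() == item["md5"].lower() else "MISMATCH"
        results.append({**item, "actual": actual, "status": status})
    return results


def demo():
    """Build a scratch directory with one intact, one altered and one missing copy."""
    scratch = tempfile.mkdtemp()
    with open(os.path.join(scratch, "sample-image-good.bin"), "wb") as fh:
        fh.write(b"abc")  # constructed content; MD5 of b"abc" is 900150983cd24fb0d6963f7d28e17f72
    with open(os.path.join(scratch, "sample-image-altered.bin"), "wb") as fh:
        fh.write(b"abd")  # one byte changed, simulating a corrupted or tampered copy
    expected = "900150983cd24fb0d6963f7d28e17f72"
    manifest = [
        {"designation": "Working Copy", "filename": "sample-image-good.bin", "md5": expected},
        {"designation": "Working Copy", "filename": "sample-image-altered.bin", "md5": expected},
        {"designation": "Working Copy", "filename": "sample-image-missing.bin", "md5": expected},
    ]
    return verify_manifest(manifest, scratch)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['status']:8} {r['filename']}  recorded={r['md5']}  actual={r['actual']}")
```

In a real case the manifest would be the acquisition record (Table 1) and base_dir the examiner's working directory; only items reported OK should be analysed, and any MISMATCH or MISSING result belongs in the report before the analysis does.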



Other posts in this series
Volatility Memory Forensics - Investigating a potential virus situation - Part 1
Volatility Memory Forensics - Investigating a potential virus situation - Part 2
Volatility Memory Forensics - Investigating a potential virus situation - Part 3
Volatility Memory Forensics - Investigating a potential virus situation - Part 4
Volatility Memory Forensics - Investigating a potential virus situation - Part 5
