This section deals with memory forensics using Volatility. This chapter only briefly introduces Volatility's features and its installation; a detailed explanation and exercises follow in the next chapter. Here you will learn how to install Volatility and its basic usage.
Now we are ready to use a more advanced Cuckoo feature: Cuckoo's ability to take a memory dump of the running processes in the guest OS. First, we need to modify Cuckoo's configuration so that the memory dump is created before the machine shuts down:
1. Edit the cuckoo.conf file in the conf/ directory and set the option memory_dump = on.
2. Edit the reporting.conf file in the same conf/ directory and enable the metadata and maec11 reporting modules:

       [metadata]
       enabled = on

       [maec11]
       enabled = on

3. Save both files.
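The three steps above can be scripted so they are repeatable and can be checked before an analysis run. The following is an added example, not code from the book or from the Cuckoo project: it edits the two files line by line (so the comments that fill the real cuckoo.conf and reporting.conf survive), reports which required options are still off, and switches them on. The sample file contents are constructed for the example, and memory_dump is assumed to live under the [cuckoo] section of cuckoo.conf.

```python
import re
from pathlib import Path

# Constructed excerpts of conf/cuckoo.conf and conf/reporting.conf for this
# example (not copied from Cuckoo). memory_dump is assumed to sit under [cuckoo].
SAMPLE_CUCKOO_CONF = """[cuckoo]
# constructed comment: check for new Cuckoo releases at startup
version_check = on
# constructed comment: dump guest memory before the VM is shut down
memory_dump = off

[resultserver]
ip = 192.168.56.1
"""

SAMPLE_REPORTING_CONF = """[jsondump]
enabled = on

[metadata]
enabled = off

[maec11]
enabled = off
"""

# The settings the chapter tells us to switch on, keyed by file name.
REQUIRED = {
    "cuckoo.conf": {"cuckoo": {"memory_dump": "on"}},
    "reporting.conf": {"metadata": {"enabled": "on"}, "maec11": {"enabled": "on"}},
}

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")  # '#' comment lines never match


def get_option(text, section, key):
    """Return the value of key inside [section], or None if it is not set."""
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            continue
        km = KEY_RE.match(line)
        if current == section and km and km.group(1) == key:
            return km.group(2)
    return None


def _append_to_section(out, key, value):
    # Insert after the section's last non-blank line so blank spacing is kept.
    i = len(out)
    while i > 0 and out[i - 1].strip() == "":
        i -= 1
    out.insert(i, f"{key} = {value}")


def set_option(text, section, key, value):
    """Return text with `key = value` in [section]; comments and order are preserved."""
    out, current, done = [], None, False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if current == section and not done:  # leaving target section, key absent
                _append_to_section(out, key, value)
                done = True
            current = m.group(1).strip()
            out.append(line)
            continue
        km = KEY_RE.match(line)
        if current == section and not done and km and km.group(1) == key:
            out.append(f"{key} = {value}")  # overwrite the existing assignment in place
            done = True
            continue
        out.append(line)
    if not done:
        if current != section:  # section never appeared: create it at the end
            out.extend(["", f"[{section}]"])
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def missing_settings(filename, text):
    """List (section, key) pairs in `filename` that are not yet set as required."""
    return [
        (section, key)
        for section, keys in REQUIRED[filename].items()
        for key, value in keys.items()
        if (get_option(text, section, key) or "").lower() != value
    ]


def enable_memory_analysis(filename, text):
    """Return `text` with every required setting for `filename` switched on."""
    for section, keys in REQUIRED[filename].items():
        for key, value in keys.items():
            text = set_option(text, section, key, value)
    return text


def apply_to_conf_dir(conf_dir):
    """Rewrite the two files on disk; returns the names that needed changes."""
    changed = []
    for name in REQUIRED:
        path = Path(conf_dir) / name
        original = path.read_text()
        if missing_settings(name, original):
            path.write_text(enable_memory_analysis(name, original))
            changed.append(name)
    return changed


if __name__ == "__main__":
    import sys
    print(apply_to_conf_dir(sys.argv[1] if len(sys.argv) > 1 else "conf"))
```

Run it with the path to Cuckoo's conf/ directory as the only argument; it prints the files it changed and leaves already-correct files untouched, so it can be run again safely. missing_settings is also useful on its own as a pre-flight check before submitting a sample for which you expect to need the memory dump.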
Please only enable these options when you think you need further analysis of the memory that the malware used, because it will make...