Is your PC hacked? RAM Forensics with Volatility

Published 2022-10-29

All Comments (21)
  • Don't forget, there will be a live workshop event right after this video premieres on discord.tpsc.tech/. Maybe we'll do something special and try to clean the system using your suggestions. Everyone is welcome to join. :) Links: Volatility (Command Line Interface) -- For this tool, be sure to review the documentation within the -h command www.volatilityfoundation.org/releases Dump It -- Tool used to create dump files -- remember to rename your dump to .mem file extension github.com/thimbleweed/All-In-USB/blob/master/util… Volatility GUI -- User Friendly Version of the utility tested www.osforensics.com/tools/volatility-workbench.htm…
  • @daishi5571
    About 10 years ago I used to do this remotely. I had the best resolve rate, best single-call rate, best customer care rate. I was fired for not doing more calls per day, because as far as they were concerned, leaving a customer with some malware was OK as long as the system worked for a couple of weeks.
  • @tomlloyd2603
    at that point, man, I'm just formatting my drive and starting over lmao
  • @omnirhythm
    I've had one very nasty virus where it would let me do everything BUT: open task manager, type in any word resembling 'virus' or 'antivirus' anywhere, or visit any site like avast. It was impressive really, how polite it was in letting me do work but not allowing me to get rid of it. :D
  • @jnicoulakos
    I like the way you do not hide anything from us and you do not assume we know anything about the subject. You did a great video as to why and how to do it. Great job, please keep up the great work!
  • @treloarw
    Instantly subbed after this video. Looking forward to diving deeper into this channel. I'm a Gen X who started using computers with the Apple IIe. These days I consider myself very capable of avoiding infections in the first place, but have never been able to be sure of that other than knowing my system is running well and being able to spot evidence well. So I believe. Lol. Will be trying out some of this stuff to see if I can find anything.
  • Very informative. I've been out of the computer space since 2002. I was once the go-to guy to fix everyone's computers, not anymore lol. Glad there is a channel like this to get me caught up.
  • @KenPryor
    Great video! Volatility is such an amazing tool. I used Volatility 2 extensively but haven't had the opportunity to use 3 as much so far. The developers are all some of the smartest people I've ever met.
  • 6:00 You can also open cmd (or any executable really) in the current directory by just entering 'cmd' in the path bar.
    10:20 Note that basically anything can be encrypted in RAM or anywhere.
  • @OnHoldAt50
    Great tools you introduced. I know Windows, comfortable with the command line, and appreciate your thorough explanation of how to approach the troubleshoot. Some viruses will resist getting the dump off the computer anyway. Often I just restart with no network (cable unplugged/WiFi disabled) - that stops many viruses from completing their execution long enough to get the thumb drive to cooperate for a moment.
  • @seffard
    I'm satisfied and slightly impressed by how concisely you speak. An obvious good perk for creating informative videos that surprisingly many on YouTube lack, I believe.
  • @l337pwnage
    Interesting. I get pretty lost on newer stuff. I was certainly not very familiar with OS files, but back when I helped people with this sort of thing, I often got pretty lucky picking out processes that just "didn't look right". Of course, you really knew you were on to something when it would just immediately restart after you shut it down or started open even more processes. Lately I've been more interested in how people are hacked, and there can be a lot of parallels, but not much in the way of repair software, lol.
  • @richardh9071
    In the SANS FOR508 course, they advise running netscan over netstat as this scans through the entire memory dump looking for network activity, including from processes unlinked from the VAD tree. Netstat is limited to just the network activity that is easy to find. If a process is unlinked from the VAD tree netstat would not find it. The same applies with psscan vs pslist.
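    Added example (not from the video or any commenter) of the psscan-vs-pslist cross-check described above: a small Python script that diffs the two plugin outputs and separates processes psscan found only because they had already exited from live processes that pslist cannot see. The two tables are constructed, simplified excerpts in the shape of Volatility 3's tab-separated output, and the process names and PIDs (including svch0st.exe) are made up for the example.

```python
"""Cross-check Volatility 3 pslist against psscan to find processes that are
unlinked from the kernel's process list (hidden) rather than merely exited."""

# Constructed, simplified excerpts of Volatility 3 windows.pslist / windows.psscan
# output: tab-separated PID, PPID, ImageFileName, ExitTime ("N/A" if still running).
# These are NOT results from a real memory dump.
PSLIST_OUTPUT = """\
PID\tPPID\tImageFileName\tExitTime
4\t0\tSystem\tN/A
548\t4\tsmss.exe\tN/A
712\t696\tcsrss.exe\tN/A
2204\t1340\texplorer.exe\tN/A
"""

PSSCAN_OUTPUT = """\
PID\tPPID\tImageFileName\tExitTime
4\t0\tSystem\tN/A
548\t4\tsmss.exe\tN/A
712\t696\tcsrss.exe\tN/A
2204\t1340\texplorer.exe\tN/A
3316\t2204\tnotepad.exe\t2022-10-29 10:14:03.000000
3904\t2204\tsvch0st.exe\tN/A
"""

def parse_plugin_output(text):
    """Parse the tab-separated table into {pid: (ppid, name, exit_time)}."""
    rows = {}
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    for line in lines[1:]:
        fields = dict(zip(header, line.split("\t")))
        rows[int(fields["PID"])] = (int(fields["PPID"]), fields["ImageFileName"], fields["ExitTime"])
    return rows

def find_hidden_processes(pslist_text, psscan_text):
    """Return (hidden, exited): PIDs present in psscan but absent from pslist.
    A process with an ExitTime is a terminated process whose _EPROCESS still
    lingers in pool memory (normal). A live process (no ExitTime) that pslist
    cannot walk to is a candidate for DKOM-style unlinking and needs triage."""
    listed = parse_plugin_output(pslist_text)
    scanned = parse_plugin_output(psscan_text)
    hidden, exited = [], []
    for pid, (ppid, name, exit_time) in scanned.items():
        if pid in listed:
            continue
        (exited if exit_time != "N/A" else hidden).append((pid, ppid, name))
    return hidden, exited

if __name__ == "__main__":
    hidden, exited = find_hidden_processes(PSLIST_OUTPUT, PSSCAN_OUTPUT)
    for pid, ppid, name in hidden:
        print(f"HIDDEN  pid={pid} ppid={ppid} {name}")
    for pid, ppid, name in exited:
        print(f"exited  pid={pid} ppid={ppid} {name}")
```

On real output, generate the two tables with `vol -f image.mem windows.pslist` and `windows.psscan` and feed them in the same way; anything reported as HIDDEN is worth dumping and inspecting further rather than dismissing.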
  • @mooxart64
    Thank you very much for this video. I got here randomly but I love how much insight this provided me.
  • @gabolm
    That was an amazing video, keep the awesome work!
  • So this is excellent content. About 10 years ago I used to do this type of analysis for virus infections, but 3rd-party software like rkill, adwcleaner (before being bought by Malwarebytes) and even Malwarebytes sort of made this type of investigation pointless. The combo of those three pieces of software was good enough to track down like 99.9% of all infections in a quarter of the time this type of analysis required, so I just stopped doing this type of analysis. Thanks for making this video; it gives me a place to start to familiarize myself with the common tools these days for proper virus removal, now that adwcleaner was mostly destroyed by Malwarebytes, and Malwarebytes itself is no longer half as good as it used to be... (especially now they've disabled virus removal on domain PCs).
  • @salafzoon
    Excellent! This is exactly what I am looking for. Kindly do more such related videos!
  • Excellent video and good to learn some tools here for my STEM students learning Cyber Security. We don't teach hacking, but this looks like a good topic to put on next summer's Cyber Camp. Thanks