Top Ten Reasons to Perform Live Memory Forensics Collection

150 150 WindowsSCOPE

2. Some systems cannot be shut down so live analysis is the only option.

  • Live data can be captured and analyzed offline.

3. It is highly useful to collect information about the kernel, processes, registry and file accesses, as well as, network communications and their associations.

  • Suspicious processes and their activity can be tracked.
  • WindowsSCOPE has different capturing methods enabling quick capture whether on a crime scene or in the enterprise.

4. Modifications to the kernel made in memory cannot be seen on the disk.

  • Compromised operating system data structures such as SSDT and IDT can be easily detected by in-memory analysis with WindowsSCOPE.

5. Malicious backdoors can be found and proven to have existed in-memory.

  • Linkage between processes and remote accesses can be established.

6. It helps show that if illegal activity is taking place malware is not causing it.

  • Else, a defense can argue that a malware that was in memory and not in the filesystem may have been responsible for the illegal activity.
  • Certain malware are known for generating illegal activities and they can be tested for in the collected snapshot.

7. Malware can be compressed or encrypted on disk to hide itself from signature-based detection.

  • These malware cannot be detected with conventional malware detection programs relying on disk-based signature detection.
  • In-memory analysis with WindowsSCOPE to see malware as it actually executes can be performed.

8. It helps detect that a sophisticated malware is present at a given time.

  • As attacks become known, with snapshots available one can redo the analysis even later times.

9. New advanced collection methods ensure that the collected system information cannot be compromised due to a compromised kernel.

  • WindowsSCOPE has hardware-assisted means that can be used to collect information directly from memory chips resulting in reliable data, irrespective of attacks on the operating system.

10. Companies can benefit to have a history of how sensitive data was exploited.

  • Having snapshots available allows tracing of an attack as it progresses. WindowsSCOPE provides advanced comparison features across snapshots that enable detection of access to sensitive data.
  • WindowsSCOPE also provides real-time methods to access critical information remotely on demand, e.g., from an Android phone.