Don't forget, there will be a live workshop event right after this video premiers on discord.tpsc.tech. Maybe we'll do something special and try to clean the system using your suggestions. Everyone is welcome to join. :) Links: Volatility (Command Line Interface) -- For this tool, be sure to review the documentation within the -h command www.volatilityfoundation.org/releases Dump It -- Tool used to create dump files -- remember to rename your dump to .mem file extension github.com/thimbleweed/All-In-USB/blob/master/utilities/DumpIt/DumpIt.exe?raw=true Volatility GUI -- User Friendly Version of the utility tested www.osforensics.com/tools/volatility-workbench.html
About 10 years ago I use to do this remote. I had the best resolve rate, best single call rate, best customer care rate. I was fired for not doing more calls per day, because as far as they are concerned leaving a customer with some malware was ok as long as the system worked for a couple of weeks.
Thats crazy, sounds like they needed to reevaluate their procedures, are they still in business? Not looking for a name just curious if they could really establish a solid customer base. I would rather take one or two calls and ensure that their system was completely clean and working to its best ability, than lots of calls and customers that eventually walk away and find someone who does it properly.
Very informative. I've been out of the computer space since 2002. I was once the go to guy to fix everyones computers, not anymore lol. Glad there is a channel like this to get me caught up.
Same here! I worked in the world of PCs when they were just beginning and up until about 2000 +/-. Now, I am way behind on everything. It's going to be some serious catch up work to get back up to speed. This channel may be my ticket to success.
6:00 You can also open cmd (or any executable really) in the current directory by just entering 'cmd' in the path bar 10:20 note that basically anything can be encrypted in RAM or anywhere
I like the way you do not hide anything from and you do not assume we know anything about the subject. You did a great video as to why and how to do. Great job, please keep up the great work!
Great video! Volatility is such an amazing tool. I used Volatility 2 extensively but haven't had the opportunity to use 3 as much so far. The developers are all some of the smartest people I've ever met.
I've had one very nasty virus where it would let me do everything BUT: open task manager, type in any word resembling 'virus' or 'antivirus' anywhere, or visit any site like avast. It was impressive really, how polite it was in letting me do work but not allowing me to get rid of it. :D
@@lerebox drove me nuts, esp since I just got a used card off ebay and wasn't sure if it was the card. Tbh it still can crash games after 30mins or so but I gave up on diagnosing it :D
In the SANS FOR508 course, they advise running netscan over netstat as this scans through the entire memory dump looking for network activity, including from processes unlinked from the VAD tree. Netstat is limited to just the network activity that is easy to find. If a process is unlinked from the VAD tree netstat would not find it. The same applies with psscan vs pslist.
Instantly subbed after this video. Looking forward to diving deeper into this channel. I’m a gen X who started using computers with apple IIe. These days I consider myself very capable of avoiding infections in the first place but have never been able to be sure of that other than knowing my system is running well and being able to spot evidence well. So I believe. Lol Will be trying out some of this stuff to see if I can find anything.
@@itsTyrion hey wondering if you or anyone else can help I just did exactly that and complete fresh start I download Norton and malwarebytes start searching, nothing comes back ever full scans. I disable everything that autoruns it seems to come from Microsoft onedrive and I can’t stop the files from autorunning but I seen them… it’s still trying to create files n such. It’s renamed n made Norton and malware bytes useless as the it tricks the scanners… cause ur rewrites them . Just tried to do Microsoft defender offline scan and gets to about 93% and shuts off… please anyone I could really use your help.
@@grill6411 well my buddy made the instillation media for me on his own desktop I lost all my files just saying f it and trying to get rid of this. I have a screenshot of it but I still don’t know how to remove it.. It says it did watsonreport so it followed me over I guess? Image:jokeyaklog/FargoodIcy/BagZoorWar/CanlabEgg.exe Appname:Skydrive setup Then it gave itself permissions… please if anyone could help. I already lost everything just trying to play my video games again.
@@grill6411 well maybe but I had the issue before, I think the usb was fine. I had a windows 10 disc instillation the computer came with. I think it’s possibly corrupted as well since I tried using fixmestick and left the disk in like a idiot.
You should make a follow up video on how to isolate malware like this! I think it would help a lot of people especially because most people would just wipe the system and reinstall windows. I think it would be good for the world to learn the basics of cyber security like that so they can isolate malware on their systems and save their precious data! Just a suggestion, love your video!
It'd be a better idea to educate people on how to make proper backups. Restoring a backup would take less than an hour for an average computer. Dumping the memory, going through processes and connections, doing 'forensics' basically, takes as long as it takes (days/weeks easily). And that is for people who have experience, the average user will never care to go that deep, nor will they care to fully remove malware. In those cases it's probably better to have the user know how the malware got in (usually they downloaded/clicked something fishy) and restoring backups.
I agree that not everyone might be interested, but isolating and learning how that program works or is hurting my machine interests not only me but everyone who's trying to learn in their own time and outside institutions that sometimes don't even teach us how to properly dissect malware and understand how and through were they attacking the machine. This was a great video btw i will definitely check my fams old laptops
It comes with exposure to the windows file system. Run the Forensics on a "clean" install of windows get some screen shots and you will see the difference when you run into the compromised files. Yes I know that some of the files will be different due to the type of machine that you are working on but this will give you a baseline reference of the system files. Build your own toolbox and keep them on a USB. Some free some you have to pay for but very handy This is a start of reverse software engineering it comes over time on looking for what is bad and is compromising the machine. Dig deeper and learn how hackers are using system files to get their stuff to run on windows.
Just remember, the infected system will likely infect the USB stick as well - don't use the stick on another machine after it has been in an infected one, before you have reformatted it and copied the stuff back on it from *clean* system.
Interesting. I get pretty lost on newer stuff. I was certainly not very familiar with OS files, but back when I helped people with this sort of thing, I often got pretty lucky picking out processes that just "didn't look right". Of course, you really knew you were on to something when it would just immediately restart after you shut it down or started open even more processes. Lately I've been more interested in how people are hacked, and there can be a lot of parallels, but not much in the way of repair software, lol.
i did my time doing that, over time, you start to figure out what's normal and just has an odd name, and what's actually a problem. I just remember once in the early 2000's, someone swore by norton who showed their system was safe, and that means they had no virus. I installed pc-cillian and spybot and got over 5000 viruses on the computer. That was the day that i learned that people trusting brands way to much, and started to try to difersify my toolset (except spybot: search and destroy, never found a good replacement before i stopped doing much comp repair for people)
for the api key generation, go to the main page, ones your signed in, hover over your account on top right corner, press account details, on the bottom, there is a generate key option, press it, then copy the key and enter it on the 'enter api key'
Excellent video and good to learn some tools here for my STEM students learning Cyber Security. We don’t teach hacking, but this looks like a good topic to put on next summers Cyber Camp. Thanks
Seriously ? Downloading a third party software and you're not suspecting anything ? I've searched for Dumpit, and the only "safe" download was from Comae and you must sign in and wait for check up. It is actually SCARY AF to think that "professional" are actually using third party software with thinking about security breaching. Someone tell me if I'm missing something.
Really? When I was in school for Cybersecurity/Cyber forensics we did a lot of white hat/ethical hacking and even some black hat stuff as part of the learning process. Maybe I'm just misunderstanding you, haha.
Im satisfied and slightly impressed how consisely you speak. An obvious good perk for creating informative videos that surprisingly many lack on youtube I believe.
Great tools you introduced. I know Windows, comfortable with the command line, and appreciate your thorough explanation of how to approach the troubleshoot. Some viruses will resist getting the dump off the computer anyway. Often I just restart with no network (cable unplugged/WiFi disabled) - that stops many viruses from completing their execution long enough to get the thumb drive to cooperate for a moment.
I'm seriously lacking in malware removal for Windows 10. A lot of my tools worked great for Windows XP/7. Now that I found this channel, I'm grabbing all the tools mentioned! As of today, Volatility cannot be downloaded. On Brave, a new tab opens then closes immediately. I used Edge and it tries to download but says it can't securely.
so this is excellent content, about 10 years ago i used to do this type of analysis for virus infections, but 3rd party software like rkill, adwcleaner (before being bought by malwarebytes) and even malwarebytes sort of made this type of investigation pointless the combo of those three software were good enough to track down like 99.9% of all infections in a quarter of the time this type of analysis required so i just stopped doing this type of analysis. thanks for making this video, gives me a place to start to familiarize myself with the common tools these days for proper virus removal now adwcleaner was mostly destroyed by malwarebytes, and malwarebytes itself no longer is half as good as it used to be... (especially now they've disabled virus removal on domain pcs)
RAM don't get infected, everytime you power off your computer the content of the RAM wipes out completely, so the temporary infection depends on what you have in you HDD/SSD running so formatting the SO will be enough to clean up everything.
You know... this might sound weird, but I keep having dreams about getting hacked, really badly and that I wouldn't be able to do anything unless I trace it down and confront the attacker/s, so it makes me feel useless, I just find it weird that not only have I been having dreams about someone trying to absolutely ruin my life specifically, but now without even peeping a word into my mic I get these videos recommended to me, I mean I thank you because this is knowledge I am more than happy to take in, especially after my own head is coming up with dumb weird scenarios in my sleep XD
I got dumpit but whenever I open it and input "y" - before I can hit enter, the computer goes blue screen and I get a "system service exception" error...
This is way too much to expect anyone but the most experienced to perform and get right. Never assume that malware always will be found running in memory at the time of your dump, it won't. My methods of cleanup, gathered over 31+ years, don't look at memory dumps. Not anymore. But for regular users, If you think you're hacked or constantly infected, visit me or take it to a professional. Sometimes it's just worth it to backup your data, virus scan the data and wipe the drive. I've removed malware that survived drive wipe, so even that can fail, unless you know how and where to look. Thanks for the video. Thought I knew every tool Passmark makes, evidently not.
I love how you went through changing a directory in the CLI... lol. I don't think the venn diagram of people who can't CD and people interested in memdump forensics overlap...
Everytime I run any program that trys to create a MEMORY DUMP FILE (Dumpit, FTX Imager) the computer crashes immediately. Any ideas how to get past this?
Please post a good link for the ftk imager. It leads me to fill out a form of which organization I belong to, and I have no such thing. The Volatility workbench keeps crashing on me. Also, is there a way to make vol.exe work with a .raw file like the one produced from DumpIt? or is there a way to transform the raw file to a .mem file? Thank you.
Hi! I'm a layman in this area and I just happened to watch this video because YT recommendations, and I really find it interesting. I would just like to ask, what's the next step? Like after finding out the malicious files, what do we do with them? Do we just delete them? Or is there another program to use to remove them? Thanks in advance!
In general, you want them gone. Best to use something that instantly overwrites the HDD space the files were on, like Eraser (Free opensource), to make sure they are completely gone. But depending on how many you find and what type, may be best to do a full re-imaging of the system (reinstall windows). And yeah.. fuck that other guy. Edit: Also make sure you change any important login credentials you have, but don't do that on the system you're troubleshooting before making sure the malicious files are gone!
@@babayega1717 Thank you so much! Also, I didn't think too much about what the other person said. I know that when it comes to these kinds of people, the more you engage with them, the more aggressive and unreasonable they get.
damn that intezer analyze is p good i'd actually recommend anyone to skip the grunt work and just do the analysis like that cause its free and you dont gotta worry that u missed something
I do this too and list the executable path. Then I sort on signature and check if there is a signature present and if it is valid. Found a lot of malware this way in the past. But for years I did not find anything with it but I also did not have any (suspected) infected systems
This video got me subbed to channel. Very informative. Thank you for this great content. I am aspiring to become cybersecurity expert and videos like these just keep me motivated on my way.
I seem to get a constant blue screen error every time I try to dump my memory regardless of whether Im using DumpIt.exe or FTK Images? Could I get some advice on what to do?
I prefer to use some of the older tools available and creating memory rumps directly from the command line if available on the operating system I am working with. Some of the newer software out there I have seen, tested or used is often times what I call internet locked, sometimes its a good idea not to let the "attacker" know what you are doing, while you are doing it. That being said, its an interesting newer tool. However you can get a lot of similar scanning and dump analyzation and process analyzation through other or built in means. I just don't like the entire, sign in and use my tool deal. Its always bugged me, hence I like to use other resources used by corporate security firms.
when running DumpIt i immediately get a BSOD and can’t move forward; the memory dump file it generates has 0 bytes of data in it; any clues on generating a memory dump via some other method?
Hi there, when I run the dumpit.exe file and enter "y"... blue windows screen appears with the message... "your device ran into an problem and it needs to restart". After restart I can see .raw file but its only 4 MB. What to do?
@@MrAircraft999 Did you set it to run on startup ? I've never used that DumpIt tool he used, but it's unlikely that a tool to dump memory would cause your PC to not boot on startup unless it does suspicious stuff.
Followed your advice and tried out Intezer... pretty cool stuff. found some things that seemed to stop executing once the dynamic analysis in the sand box begins... do you think that the malware could be aware that it is in a sandbox or do you think that intezer would pick up on those kinds of evasion techniques?
Hi, Upon running ANY sort of memory dump (via either method), I encounter a BSOD with a "system exception" error. What do I do now? Thanks so much in advance.
If your computer had a root kit, wouldn't you have to suspect that the memory dump is incomplete? After all, the program making the memory dump would be running on top of the root kit.
Dude, we're on Ring -2 malware now; I found out the hard way when my network was compromised in may 2021. It's only starting to be reported on recently... I suspect because cyber security is helpless in combating the really advanced attacks that have transitioned from being targeted to widespread botnets and credential harvesting.
The volatility workbench keeps soft crashing or locking at 52.04% during the Scanning Layer_name using PDBSignatureScanner any ideas what might cause this ?
Reykjavik, Weird. I also sub to Just Icelandic & he posted a vid today about the capitol of Iceland. Anywho, Always a pleasure learning new things from you.
The memory dump file itself is harmless. It's not going to do anything to your system. Even if you have a malicious .exe file, it will not do anything until you run it. Just copying the memdump.mem file and putting it on another system will not do anything and is safe. This file has no way of infecting a system.
@@Netsuko I think he meant that in order to copy the dump from the infected machine onto another, you have to plug in an external storage medium or connect to it by network, both of which carry the risk of an active infection spreading to another storage/system.
I know it's a hassle, but the safest way would probably be to turn off the system and boot into a live environment (any Linux Live USB/CD or HBCD_PE if you are uncomfortable with Linux). In an external OS, the malware is harmless, as it won't run on startup and/or would be completely incompatible with the external OS.
@@kaloyannikolov6849 You can probably just as well use bootable Malwarebytes removal tool (although I'm not sure if it will actually be 100% effective)
Hi, I really appreciate your amazing video. I have a question. So are these the type of malwares that AV can't detect? Because can't we boot in safe mode and plug in a USB with the antivirus installed and run a scan? Or are these too advanced for AV to detect as they can mimick real process?
Most mallware could be detected by AV. If if you are hacked - you may have to look at suspicious activity by yourself, because it may look quite normal - AV don't know is it ok for your programs to "call" some remote server in Iceland or not ;-)
This reminds me back when I was new to PCs(and probably a bit quicker wit). I could tell any process or program that didn't belong, find and manually delete and zero the section of the drive. Reverse engineer and edit already compiled programs in hex/text editors... A few too many bonks to the head, and the fact good habits lead to infections being edgecases, I just don't remember anymore. I'm well out of practice. I do remember, and still to this day, that I can touch something and it just work. So subconsciously I guess it's still there, but I can't tell or explain how I managed it. Even my passwords are just muscle memory, I don't know them most of the time. *_/back_in_my_day_*
when I try to use volatility, I get an error. Does this mean my system is compromised? I tried on a different system too. Same error. "Failed to obtain process list" even though it is windows. I also noticed I get a .raw when I use dumpit, whilst you get a .mem file
Then, you're out of luck. Although not impossible, It's unlikely that generic malware would be that sophisticated. It's more likely it would just prevent you from saving a dump file, in which case you could just boot into Linux, take the files you need to backup and start fresh. Tampering with ram dumps is a very fine line between breaking the computer and achieving what you want, as reading memory is something legitimate programs do sometimes, including Windows itself. Unless you target a specific tool, it's hard for a malware to catch and tamper with. For a malware developer, that would be a lot of work for not much reward. Another option that might work is booting that PC on Ubuntu/your favorite Linux distro and using the main drive as a Windows VM, in which case you should have access to memory and the malware not being able to do anything about it to hide.
Your HDD may have bad sectors or windows might be indexing your files or defragmenting your HDD or running a system scan in the background etc... HDDs just don't cut it as a operating system drive, for additional storage, sure, but I don't recommend installing windows 10/11 on a HDD.
@@GopadilipReddy Yes, you can get a low capacity SSD ( 60-80GB ) for windows and programs only, and leave the HDD for storage, like games, movies, pictures, large files etc. Or if money isn't an issue you can buy a large capacity SSD and keep everything on it for maximum performance.
Figure out what's causing it, use a usb key to boot into Linux and delete the files and/or dlls causing it. Though I'd say it's always best to start fresh if you had malware - there may always be some sneaky piece of code that you missed.
I'm not certain about these specific IOCs from the video, but anti-viruses are not as effective as many people think. But the trade off, at least, is that the exploits and artifacts that use anti-virus evasion techniques also makes it easier to find during forensics instead. Still a good trade off for hackers though, as forcing manual instead of automatic detection is a massive win for them.
6:08 a small tip: once you click the path, you can also type cmd right on it and then shift enter to open cmd on that path with administrator privileges
Hello and thank you for those well explained videos. I am just starting to learn commands and fix my windows by removing unwelcome stuff put in my system.
Yep, and BIOS/UEFI suppliers have basically made it as easy as possible. Happened in 2021 with my Alienware/Dell laptops, but every other big OEM is affected. They all made a small security advisory, acting like it wasn't serious, yet announced new UEFI/Bios updates for every system/platform going back a decade+. This was long known for Intel's AMT/ME but now there's so many other places they can flash (FROM THE FKN OS). Modern cyber security is an absolute farce and it's gotten so much worse in the past couple years.
@@Demoralized88 but new tpm chips that massively increase your security... if you pay for the service that use it, and realistically more than one of them
When I try to capture memory dump in windows 11 the whole system blue screens and crashes. I assume this might be due to windows 11 memory protection issue?
3:00 i get and error message: Failed to obtain process list. This could be due to selecting a wrong platform. But i`m ussing windows and i chose windows...
I recently had some type of malware that would force close browser upon typing "malw" "malware bytes" "antivirus". I had to reset and clean install windows again
Why you dump file and start analys them again with netstat.? You could run netstat command in CMD and start analys IPs and port and connexion that are established without dump file and use software and all that. Can you explain to me
I figured the ram thing out as a kid cause I got a ton of malware stuck on the home computer and I feared the butt whooping I was going to get. As admin I deleted a bunch of stuff that was taking up ram while the computer was idle. deleted a some vital stuff too like sound drivers but got the virus haha
Don't forget, there will be a live workshop event right after this video premiers on discord.tpsc.tech. Maybe we'll do something special and try to clean the system using your suggestions. Everyone is welcome to join. :) Links:
Volatility (Command Line Interface) -- For this tool, be sure to review the documentation within the -h command
www.volatilityfoundation.org/releases
Dump It -- Tool used to create dump files -- remember to rename your dump to .mem file extension
github.com/thimbleweed/All-In-USB/blob/master/utilities/DumpIt/DumpIt.exe?raw=true
Volatility GUI -- User Friendly Version of the utility tested
www.osforensics.com/tools/volatility-workbench.html
I am banned for the server, how would i contact back since its a false ban
@@uricot message one of the mods.
@@pcsecuritychannel how would i find one, i dont remember their tags or usernames
This comment should be pinned or added to the description.
Dude in 30 years ive not gotten a virus like this once how are people this bad that there scammed so often
I mean gmail has always had good scam block
About 10 years ago I use to do this remote. I had the best resolve rate, best single call rate, best customer care rate. I was fired for not doing more calls per day, because as far as they are concerned leaving a customer with some malware was ok as long as the system worked for a couple of weeks.
What an awful company, the fact that you cared about the customers is admirable
👍
Name that company
Thats crazy, sounds like they needed to reevaluate their procedures, are they still in business? Not looking for a name just curious if they could really establish a solid customer base. I would rather take one or two calls and ensure that their system was completely clean and working to its best ability, than lots of calls and customers that eventually walk away and find someone who does it properly.
@@lenseeing829 if they still exist that would be worthwhile
Very informative. I've been out of the computer space since 2002. I was once the go to guy to fix everyones computers, not anymore lol. Glad there is a channel like this to get me caught up.
Same here! I worked in the world of PCs when they were just beginning and up until about 2000 +/-. Now, I am way behind on everything. It's going to be some serious catch up work to get back up to speed. This channel may be my ticket to success.
6:00 You can also open cmd (or any executable really) in the current directory by just entering 'cmd' in the path bar
10:20 note that basically anything can be encrypted in RAM or anywhere
holy shit thanks for the cmd tip!
@@Erlisch1337 youre welcome!
thx for the easy cmd tip :D
no fucking way! I always shift-rightclick...
holy shit, what a gamechanger :D haha. So simple! Thanks!
felt the same way as you all when I first found out lol. you're welcome
I like the way you do not hide anything from and you do not assume we know anything about the subject. You did a great video as to why and how to do. Great job, please keep up the great work!
Great video! Volatility is such an amazing tool. I used Volatility 2 extensively but haven't had the opportunity to use 3 as much so far. The developers are all some of the smartest people I've ever met.
Nots so great then is what your trying to say?
@@trafficjon400 Man why you gotta be like that
@@trafficjon400 lay off the crack he said it's an amazing tool
I've had one very nasty virus where it would let me do everything BUT: open task manager, type in any word resembling 'virus' or 'antivirus' anywhere, or visit any site like avast. It was impressive really, how polite it was in letting me do work but not allowing me to get rid of it. :D
XDDDD WE CALLED IT BIGFOOT
must've been a pain playing games then seeing them crash and being unable to end it
@@lerebox drove me nuts, esp since I just got a used card off ebay and wasn't sure if it was the card. Tbh it still can crash games after 30mins or so but I gave up on diagnosing it :D
There is a high chance it would be a crypto miner that works on the background and doesn't allow you to stop it
@@quincho6949 It was supposedly Floxif.H, which Windows Defender labels as a 'well known threat that's automatically removed.' Not quite :
In the SANS FOR508 course, they advise running netscan over netstat as this scans through the entire memory dump looking for network activity, including from processes unlinked from the VAD tree. Netstat is limited to just the network activity that is easy to find. If a process is unlinked from the VAD tree netstat would not find it. The same applies with psscan vs pslist.
You're gonna have a bad time
@@ocreyy why
Instantly subbed after this video. Looking forward to diving deeper into this channel. I’m a gen X who started using computers with apple IIe. These days I consider myself very capable of avoiding infections in the first place but have never been able to be sure of that other than knowing my system is running well and being able to spot evidence well. So I believe. Lol
Will be trying out some of this stuff to see if I can find anything.
Excellent analysis! Would love to know more about the disinfection process!
as would we all
@@itsTyrion hey wondering if you or anyone else can help I just did exactly that and complete fresh start I download Norton and malwarebytes start searching, nothing comes back ever full scans. I disable everything that autoruns it seems to come from Microsoft onedrive and I can’t stop the files from autorunning but I seen them… it’s still trying to create files n such. It’s renamed n made Norton and malware bytes useless as the it tricks the scanners… cause ur rewrites them . Just tried to do Microsoft defender offline scan and gets to about 93% and shuts off… please anyone I could really use your help.
@@grill6411 well my buddy made the instillation media for me on his own desktop I lost all my files just saying f it and trying to get rid of this. I have a screenshot of it but I still don’t know how to remove it.. It says it did watsonreport so it followed me over I guess? Image:jokeyaklog/FargoodIcy/BagZoorWar/CanlabEgg.exe
Appname:Skydrive setup
Then it gave itself permissions… please if anyone could help. I already lost everything just trying to play my video games again.
@@grill6411 well maybe but I had the issue before, I think the usb was fine. I had a windows 10 disc instillation the computer came with. I think it’s possibly corrupted as well since I tried using fixmestick and left the disk in like a idiot.
I'd love to see more. Your content is always great, Leo.
You should make a follow up video on how to isolate malware like this! I think it would help a lot of people especially because most people would just wipe the system and reinstall windows. I think it would be good for the world to learn the basics of cyber security like that so they can isolate malware on their systems and save their precious data! Just a suggestion, love your video!
Id rather just wipe everything since i can redownload all of my games etc in like 2 hours
It'd be a better idea to educate people on how to make proper backups. Restoring a backup would take less than an hour for an average computer. Dumping the memory, going through processes and connections, doing 'forensics' basically, takes as long as it takes (days/weeks easily). And that is for people who have experience, the average user will never care to go that deep, nor will they care to fully remove malware.
In those cases it's probably better to have the user know how the malware got in (usually they downloaded/clicked something fishy) and restoring backups.
I agree that not everyone might be interested, but isolating and learning how that program works or is hurting my machine interests not only me but everyone who's trying to learn in their own time and outside institutions that sometimes don't even teach us how to properly dissect malware and understand how and through were they attacking the machine. This was a great video btw i will definitely check my fams old laptops
It comes with exposure to the windows file system. Run the Forensics on a "clean" install of windows get some screen shots and you will see the difference when you run into the compromised files. Yes I know that some of the files will be different due to the type of machine that you are working on but this will give you a baseline reference of the system files. Build your own toolbox and keep them on a USB. Some free some you have to pay for but very handy This is a start of reverse software engineering it comes over time on looking for what is bad and is compromising the machine. Dig deeper and learn how hackers are using system files to get their stuff to run on windows.
Hi man, that is a very smart idea😁
Just remember, the infected system will likely infect the USB stick as well - don't use the stick on another machine after it has been in an infected one, before you have reformatted it and copied the stuff back on it from *clean* system.
Great work, great channel
Interesting. I get pretty lost on newer stuff. I was certainly not very familiar with OS files, but back when I helped people with this sort of thing, I often got pretty lucky picking out processes that just "didn't look right".
Of course, you really knew you were on to something when it would just immediately restart after you shut it down or started open even more processes.
Lately I've been more interested in how people are hacked, and there can be a lot of parallels, but not much in the way of repair software, lol.
i did my time doing that, over time, you start to figure out what's normal and just has an odd name, and what's actually a problem. I just remember once in the early 2000's, someone swore by norton who showed their system was safe, and that means they had no virus. I installed pc-cillian and spybot and got over 5000 viruses on the computer.
That was the day that i learned that people trusting brands way to much, and started to try to difersify my toolset (except spybot: search and destroy, never found a good replacement before i stopped doing much comp repair for people)
for the api key generation, go to the main page, ones your signed in, hover over your account on top right corner, press account details, on the bottom, there is a generate key option, press it, then copy the key and enter it on the 'enter api key'
Excellent video and good to learn some tools here for my STEM students learning Cyber Security. We don’t teach hacking, but this looks like a good topic to put on next summers Cyber Camp. Thanks
Seriously ?
Downloading a third party software and you're not suspecting anything ?
I've searched for Dumpit, and the only "safe" download was from Comae and you must sign in and wait for check up.
It is actually SCARY AF to think that "professional" are actually using third party software with thinking about security breaching.
Someone tell me if I'm missing something.
Really? When I was in school for Cybersecurity/Cyber forensics we did a lot of white hat/ethical hacking and even some black hat stuff as part of the learning process. Maybe I'm just misunderstanding you, haha.
Im satisfied and slightly impressed how consisely you speak. An obvious good perk for creating informative videos that surprisingly many lack on youtube I believe.
Great tools you introduced. I know Windows, comfortable with the command line, and appreciate your thorough explanation of how to approach the troubleshoot. Some viruses will resist getting the dump off the computer anyway. Often I just restart with no network (cable unplugged/WiFi disabled) - that stops many viruses from completing their execution long enough to get the thumb drive to cooperate for a moment.
That's useful, but it's worth mentioning for all the non-technical people: you can do most of this on your system without creating a memory dump.
You mean like in the other two videos I’ve created one of which is in the description also referred to in this video.
@@pcsecuritychannel Precisely. My bad, this is the only video I've seen on your channel so far and I didn't read the description.
@@anatolydyatlov963 No worries, I was just being funny, welcome to the channel. :)
That was an amazing video, keep the awesome work!
As an IT professional 5 years into my career I am kinda bothered that this wasn't taught to me earlier. This is so useful!
I'm seriously lacking in malware removal for Windows 10. A lot of my tools worked great for Windows XP/7. Now that I found this channel, I'm grabbing all the tools mentioned! As of today, Volatility cannot be downloaded. On Brave, a new tab opens then closes immediately. I used Edge and it tries to download but says it can't securely.
@@yashwanthkumar2891 Thanks. I was able to download the file using Edge. For some unknown reason, Brave blocked the file from being downloaded.
Turn the shield off for the website
you can also write cmd in the path text box and hit enter it will open command prompt at your current location.
so this is excellent content, about 10 years ago i used to do this type of analysis for virus infections, but 3rd party software like rkill, adwcleaner (before being bought by malwarebytes) and even malwarebytes sort of made this type of investigation pointless
the combo of those three software were good enough to track down like 99.9% of all infections in a quarter of the time this type of analysis required so i just stopped doing this type of analysis. thanks for making this video, gives me a place to start to familiarize myself with the common tools these days for proper virus removal now adwcleaner was mostly destroyed by malwarebytes, and malwarebytes itself no longer is half as good as it used to be... (especially now they've disabled virus removal on domain pcs)
Thank you very much for this video. I got here randomly but I love how much insight this provided me.
at that point, man, I'm just formatting my drive and starting over lmao
Will not do anything for you if the ram is infected. That’s kind of the point
RAM don't get infected, everytime you power off your computer the content of the RAM wipes out completely, so the temporary infection depends on what you have in you HDD/SSD running so formatting the SO will be enough to clean up everything.
You know... this might sound weird, but I keep having dreams about getting hacked, really badly and that I wouldn't be able to do anything unless I trace it down and confront the attacker/s, so it makes me feel useless, I just find it weird that not only have I been having dreams about someone trying to absolutely ruin my life specifically, but now without even peeping a word into my mic I get these videos recommended to me, I mean I thank you because this is knowledge I am more than happy to take in, especially after my own head is coming up with dumb weird scenarios in my sleep XD
The matrix is watching you.
@@sicstar shhh don't tell him
If you're having dreams about being hacked it means you're afraid of losing something on your pc or afraid of it getting out.
Precognition
@@sicstar Oww, that's so what I was going to say... I just knew someone already had to have done it :D
awesome, thanks for your work and efforts Leo :)
I got dumpit but whenever I open it and input "y" - before I can hit enter, the computer goes blue screen and I get a "system service exception" error...
This is way too much to expect anyone but the most experienced to perform and get right.
Never assume that malware always will be found running in memory at the time of your dump, it won't.
My methods of cleanup, gathered over 31+ years, don't look at memory dumps. Not anymore.
But for regular users, If you think you're hacked or constantly infected, visit me or take it to a professional.
Sometimes it's just worth it to backup your data, virus scan the data and wipe the drive.
I've removed malware that survived drive wipe, so even that can fail, unless you know how and where to look.
Thanks for the video. Thought I knew every tool Passmark makes, evidently not.
Great video as always but why did you not include links to the software you used?
Like Dumpit and ftk
he has done that now
@@coreyfinn5532 Thanks.
I love how you went through changing a directory in the CLI... lol. I don't think the venn diagram of people who can't CD and people interested in memdump forensics overlap...
Everytime I run any program that trys to create a MEMORY DUMP FILE (Dumpit, FTX Imager) the computer crashes immediately. Any ideas how to get past this?
Same here. Shouldn't matter, but - are you running it via administrator?
This channel is at another level. :D
Please post a good link for the ftk imager. It leads me to fill out a form of which organization I belong to, and I have no such thing. The Volatility workbench keeps crashing on me. Also, is there a way to make vol.exe work with a .raw file like the one produced from DumpIt? or is there a way to transform the raw file to a .mem file?
Thank you.
All I say is ... ThankU!!! very imformative. Keep the good work going.
Hi! I'm a layman in this area and I just happened to watch this video because YT recommendations, and I really find it interesting.
I would just like to ask, what's the next step? Like after finding out the malicious files, what do we do with them? Do we just delete them? Or is there another program to use to remove them?
Thanks in advance!
No leave them and watch them ruin your system.
Thanks in advance!
In general, you want them gone. Best to use something that instantly overwrites the HDD space the files were on, like Eraser (Free opensource), to make sure they are completely gone. But depending on how many you find and what type, may be best to do a full re-imaging of the system (reinstall windows). And yeah.. fuck that other guy.
Edit: Also make sure you change any important login credentials you have, but don't do that on the system you're troubleshooting before making sure the malicious files are gone!
@@babayega1717 Thank you so much! Also, I didn't think too much about what the other person said. I know that when it comes to these kinds of people, the more you engage with them, the more aggressive and unreasonable they get.
damn that intezer analyze is p good i'd actually recommend anyone to skip the grunt work and just do the analysis like that cause its free and you dont gotta worry that u missed something
What about just using Process Explorer with the VirusTotal feature enabled?
It checks the hash of everything running in ram.
I do this too and list the executable path.
Then I sort on signature and check if there is a signature present and if it is valid. Found a lot of malware this way in the past. But for years I did not find anything with it but I also did not have any (suspected) infected systems
Using certain tools in pretty sure you can avoid the virus virustotal hash list unfortunately..
This video got me subbed to channel. Very informative. Thank you for this great content. I am aspiring to become cybersecurity expert and videos like these just keep me motivated on my way.
I ran this dump it app and ran it got a blue screen instantly 😭
Great video thanks Leo!
I seem to get a constant blue screen error every time I try to dump my memory regardless of whether Im using DumpIt.exe or FTK Images? Could I get some advice on what to do?
Same
Your RAM was maybe failing?
I prefer to use some of the older tools available and creating memory rumps directly from the command line if available on the operating system I am working with. Some of the newer software out there I have seen, tested or used is often times what I call internet locked, sometimes its a good idea not to let the "attacker" know what you are doing, while you are doing it. That being said, its an interesting newer tool. However you can get a lot of similar scanning and dump analyzation and process analyzation through other or built in means. I just don't like the entire, sign in and use my tool deal. Its always bugged me, hence I like to use other resources used by corporate security firms.
Once these problems are identified, how are they solved?
when running DumpIt i immediately get a BSOD and can’t move forward; the memory dump file it generates has 0 bytes of data in it; any clues on generating a memory dump via some other method?
Hi there, when I run the dumpit.exe file and enter "y"... blue windows screen appears with the message... "your device ran into an problem and it needs to restart". After restart I can see .raw file but its only 4 MB. What to do?
You might be running an unsupported version of Windows for that tool, or you're running some software that conflicts with it.
Yep and now my computer wont boot anymore
@@MrAircraft999 Did you set it to run on startup ? I've never used that DumpIt tool he used, but it's unlikely that a tool to dump memory would cause your PC to not boot on startup unless it does suspicious stuff.
@@Some1_Some1_Some1_Some1 i didnt, now even when i try safemode i get critical process died bsod when i try to run it
DumpIt and the FTK Imager gave me an BSOD, but Magnet DumpIt from MagnetForensics did the job, thanks for the good video
This is really helpful!
Making videos at 12:40 AM?!
What a savage!!!!!
Followed your advice and tried out Intezer... pretty cool stuff. found some things that seemed to stop executing once the dynamic analysis in the sand box begins... do you think that the malware could be aware that it is in a sandbox or do you think that intezer would pick up on those kinds of evasion techniques?
My same issue
Hi,
Upon running ANY sort of memory dump (via either method), I encounter a BSOD with a "system exception" error.
What do I do now? Thanks so much in advance.
it gives me the error.. failed to obtain processlist this could be to selection wrong platform? XD im on windows and selected windows.
same also
Excellent ! this is exactly what I am looking for
Kindly do more such related videos !
If your computer had a root kit, wouldn't you have to suspect that the memory dump is incomplete? After all, the program making the memory dump would be running on top of the root kit.
Dude, we're on Ring -2 malware now; I found out the hard way when my network was compromised in may 2021. It's only starting to be reported on recently... I suspect because cyber security is helpless in combating the really advanced attacks that have transitioned from being targeted to widespread botnets and credential harvesting.
Thank You, I will be learning this tool for sure.
You not gonna show how to remove it ?
Best 14min Ive spent all month. Thank you!
Imho it is crazy to upload your data to some service to analyze them :P
The volatility workbench keeps soft crashing or locking at 52.04% during the Scanning Layer_name using PDBSignatureScanner any ideas what might cause this ?
Sometimes DumpIt fails to capture memory dumps in a way that Volatility can understand. You might try using a different program, like FTK Imager.
Thanks for the info, I will refer back to this for reference.👍
But how do you remove that mallware or close that unwanted connection?
Reykjavik, Weird. I also sub to Just Icelandic & he posted a vid today about the capitol of Iceland. Anywho, Always a pleasure learning new things from you.
Hi, how can i safely transfer the memory dump to another machine withou risking contamination? Thank you for sharing such valuebla knowledge!
The memory dump file itself is harmless. It's not going to do anything to your system. Even if you have a malicious .exe file, it will not do anything until you run it. Just copying the memdump.mem file and putting it on another system will not do anything and is safe. This file has no way of infecting a system.
@@Netsuko I think he meant that in order to copy the dump from the infected machine onto another, you have to plug in an external storage medium or connect to it by network, both of which carry the risk of an active infection spreading to another storage/system.
I know it's a hassle, but the safest way would probably be to turn off the system and boot into a live environment (any Linux Live USB/CD or HBCD_PE if you are uncomfortable with Linux). In an external OS, the malware is harmless, as it won't run on startup and/or would be completely incompatible with the external OS.
@@kaloyannikolov6849 You can probably just as well use bootable Malwarebytes removal tool (although I'm not sure if it will actually be 100% effective)
Volatility didn't seem to like the file DumpIt generated, so I used FTK Imager and it worked perfectly. Thanks.
Hi, I really appreciate your amazing video. I have a question.
So are these the type of malwares that AV can't detect? Because can't we boot in safe mode and plug in a USB with the antivirus installed and run a scan? Or are these too advanced for AV to detect as they can mimick real process?
Most mallware could be detected by AV. If if you are hacked - you may have to look at suspicious activity by yourself, because it may look quite normal - AV don't know is it ok for your programs to "call" some remote server in Iceland or not ;-)
It's a game of whack a mole.
Some moles are not whacked yet, and there are always moles popping up.
This reminds me back when I was new to PCs(and probably a bit quicker wit).
I could tell any process or program that didn't belong, find and manually delete and zero the section of the drive.
Reverse engineer and edit already compiled programs in hex/text editors...
A few too many bonks to the head, and the fact good habits lead to infections being edgecases, I just don't remember anymore.
I'm well out of practice.
I do remember, and still to this day, that I can touch something and it just work.
So subconsciously I guess it's still there, but I can't tell or explain how I managed it.
Even my passwords are just muscle memory, I don't know them most of the time.
*_/back_in_my_day_*
I'm only going to say, it wasn't THAT heavily infected if you were able to run several tools on it.
Volatility gui just exits without me being able to see what caused it after scanning processes! How do I fix this?
when I try to use volatility, I get an error. Does this mean my system is compromised?
I tried on a different system too. Same error. "Failed to obtain process list" even though it is windows.
I also noticed I get a .raw when I use dumpit, whilst you get a .mem file
Randomly clicked on this cause it was recommended.. watched for fun.. now I'm super paranoid
dumpit bluescreened my pc and fucked up my ram. thank you!
Brilliant video!! Thank you, so much!
What if the malicious program recognized what you were trying to do and tampered with that ram dump file, and you didnt have another PC?
Then, you're out of luck. Although not impossible, It's unlikely that generic malware would be that sophisticated. It's more likely it would just prevent you from saving a dump file, in which case you could just boot into Linux, take the files you need to backup and start fresh.
Tampering with ram dumps is a very fine line between breaking the computer and achieving what you want, as reading memory is something legitimate programs do sometimes, including Windows itself. Unless you target a specific tool, it's hard for a malware to catch and tamper with. For a malware developer, that would be a lot of work for not much reward.
Another option that might work is booting that PC on Ubuntu/your favorite Linux distro and using the main drive as a Windows VM, in which case you should have access to memory and the malware not being able to do anything about it to hide.
@@Some1_Some1_Some1_Some1 if root kit is present then install your own root kit and remove the first one.
I never knew I was already a computer forensic technician
Hi can you resolve Disk 100% bug in Win10 i3 running with HDD. I tried every method from google. No luck
Your HDD may have bad sectors or windows might be indexing your files or defragmenting your HDD or running a system scan in the background etc... HDDs just don't cut it as a operating system drive, for additional storage, sure, but I don't recommend installing windows 10/11 on a HDD.
@@ryomario90 what is the solution for it. Should instal SSD
@@GopadilipReddy It really would help to do so, yeah.
@@RYANTHORNTONCALL thank you. Is there any other solution or this is the only
@@GopadilipReddy Yes, you can get a low capacity SSD ( 60-80GB ) for windows and programs only, and leave the HDD for storage, like games, movies, pictures, large files etc. Or if money isn't an issue you can buy a large capacity SSD and keep everything on it for maximum performance.
Awesome video please I would love to watch more videos like that 👍
So, is there a recommended way to clean all this malware? Or is it very much situational?
Malwarebytes should do the trick...
Figure out what's causing it, use a usb key to boot into Linux and delete the files and/or dlls causing it.
Though I'd say it's always best to start fresh if you had malware - there may always be some sneaky piece of code that you missed.
Nuke your drive
I like how you glazed right over the autokms running without even mentioning it lol
What AutoKMS... I saw nothing :)
Thank you for using your IT-superpowers for good. One question though: wouldn't an antivirus program have catched any of this?
I'm not certain about these specific IOCs from the video, but anti-viruses are not as effective as many people think. But the trade off, at least, is that the exploits and artifacts that use anti-virus evasion techniques also makes it easier to find during forensics instead. Still a good trade off for hackers though, as forcing manual instead of automatic detection is a massive win for them.
Dumpit gave my Win11 a bluescreen and Volatility workbench won't open on Win11. If I open anyway it just flashes a cmd prompt window and closes.
6:08 a small tip: once you click the path, you can also type cmd right on it and then shift enter to open cmd on that path with administrator privileges
Damn... the Shift-Enter giving Admin mode is something I didn't know ... thanks!
Shift-Enter did not give me admin in Windows 11, maybe I am doing something wrong though.
@@xkorv Sorry, I have windows 10.
@@FernandoFischer6048 Hi, I just tried Shift+Enter, but it keeps giving me a regular command prompt... I am on Win10...
Best tip EVER
Update: No, it does not work with admin privileges...
This would have been really cool to know during my 1st year of Cyber Security and Forensics
Hacked? Good luck, I'm behind 7 Boxxies!
Hello and thank you for those well explained videos. I am just starting to learn commands and fix my windows by removing unwelcome stuff put in my system.
Firmware viruses are practically impossible to remove. The CPU, for example, contains several hidden filesystems.
Yep, and BIOS/UEFI suppliers have basically made it as easy as possible. Happened in 2021 with my Alienware/Dell laptops, but every other big OEM is affected. They all made a small security advisory, acting like it wasn't serious, yet announced new UEFI/Bios updates for every system/platform going back a decade+. This was long known for Intel's AMT/ME but now there's so many other places they can flash (FROM THE FKN OS). Modern cyber security is an absolute farce and it's gotten so much worse in the past couple years.
@@Demoralized88 but new tpm chips that massively increase your security... if you pay for the service that use it, and realistically more than one of them
When I try to capture memory dump in windows 11 the whole system blue screens and crashes. I assume this might be due to windows 11 memory protection issue?
as a linux user we dont have to deal with this type of pain
when I tried either memdump or FTK imager I get a blue screen and computer has to reboot...any ideas?
Nah I can’t be hacked, I’m running Qubes OS on my system running Qubes OS
*Laughs in OpenBSD vm running in a minimal Gentoo VM inside of QubesOS*
@@FirstnameLastname-we6dh more based than him😎
based🥷
great information, Please keep up the videos, excellent quality and presentation ❤
Its not hacked, its just windows lol
volatility says failed to obtain process list, may due to a wrong platform...The thing is that i have windows and checked it...Any reccomendations?
Imagine running Windows and not thinking you have spyware installed 🤔
3:00
i get and error message: Failed to obtain process list. This could be due to selecting a wrong platform. But i`m ussing windows and i chose windows...
This was super interesting. Thanks!
I recently had some type of malware that would force close browser upon typing "malw" "malware bytes" "antivirus".
I had to reset and clean install windows again
Why you dump file and start analys them again with netstat.?
You could run netstat command in CMD and start analys IPs and port and connexion that are established without dump file and use software and all that.
Can you explain to me
I figured the ram thing out as a kid cause I got a ton of malware stuck on the home computer and I feared the butt whooping I was going to get. As admin I deleted a bunch of stuff that was taking up ram while the computer was idle. deleted a some vital stuff too like sound drivers but got the virus haha