Is your PC hacked? RAM Forensics with Volatility

Published 2022-10-29

All Comments (21)
  • Don't forget, there will be a live workshop event right after this video premieres on discord.tpsc.tech/. Maybe we'll do something special and try to clean the system using your suggestions. Everyone is welcome to join. :) Links: Volatility (Command Line Interface) -- For this tool, be sure to review the documentation within the -h command: www.volatilityfoundation.org/releases. Dump It -- Tool used to create dump files -- remember to rename your dump to the .mem file extension: github.com/thimbleweed/All-In-USB/blob/master/util… Volatility GUI -- User-friendly version of the utility tested: www.osforensics.com/tools/volatility-workbench.htm…
  • @daishi5571
    About 10 years ago I used to do this remotely. I had the best resolve rate, best single-call rate, best customer care rate. I was fired for not doing more calls per day, because as far as they were concerned, leaving a customer with some malware was OK as long as the system worked for a couple of weeks.
  • @KenPryor
    Great video! Volatility is such an amazing tool. I used Volatility 2 extensively but haven't had the opportunity to use 3 as much so far. The developers are all some of the smartest people I've ever met.
  • @omnirhythm
    I've had one very nasty virus where it would let me do everything BUT: open task manager, type in any word resembling 'virus' or 'antivirus' anywhere, or visit any site like avast. It was impressive really, how polite it was in letting me do work but not allowing me to get rid of it. :D
  • @jnicoulakos
    I like the way you do not hide anything from us and you do not assume we know anything about the subject. You did a great video as to why and how to do it. Great job, please keep up the great work!
  • Very informative. I've been out of the computer space since 2002. I was once the go-to guy to fix everyone's computers, not anymore lol. Glad there is a channel like this to get me caught up.
  • @treloarw
    Instantly subbed after this video. Looking forward to diving deeper into this channel. I'm a Gen X who started using computers with the Apple IIe. These days I consider myself very capable of avoiding infections in the first place, but have never been able to be sure of that other than knowing my system is running well and being able to spot evidence well. So I believe. Lol. Will be trying out some of this stuff to see if I can find anything.
  • 6:00 You can also open cmd (or any executable really) in the current directory by just entering 'cmd' in the path bar. 10:20 Note that basically anything can be encrypted in RAM or anywhere.
  • @OnHoldAt50
    Great tools you introduced. I know Windows, am comfortable with the command line, and appreciate your thorough explanation of how to approach the troubleshooting. Some viruses will resist getting the dump off the computer anyway. Often I just restart with no network (cable unplugged/WiFi disabled) - that stops many viruses from completing their execution long enough to get the thumb drive to cooperate for a moment.
  • @l337pwnage
    Interesting. I get pretty lost on newer stuff. I was certainly not very familiar with OS files, but back when I helped people with this sort of thing, I often got pretty lucky picking out processes that just "didn't look right". Of course, you really knew you were on to something when it would just immediately restart after you shut it down, or started opening even more processes. Lately I've been more interested in how people are hacked, and there can be a lot of parallels, but not much in the way of repair software, lol.
  • @seffard
    I'm satisfied and slightly impressed by how concisely you speak. An obviously good perk for creating informative videos that surprisingly many on YouTube lack, I believe.
  • @richardh9071
    In the SANS FOR508 course, they advise running netscan over netstat, as netscan scans through the entire memory dump looking for network activity, including from processes unlinked from the VAD tree. Netstat is limited to just the network activity that is easy to find. If a process is unlinked from the VAD tree, netstat would not find it. The same applies with psscan vs pslist.
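    The psscan-vs-pslist comparison above, written out as an added example (my script, not code from the video or the commenter): pslist walks the kernel's linked process list, psscan carves process structures out of the whole dump, so anything present only in psscan deserves a second look. The two listings below are constructed sample data in a simplified tab-separated form, not real Volatility output, and the column layout and the `svch0st.exe` entry are assumptions for illustration.

```python
# Added example: cross-view check of two Volatility process listings.
# pslist follows the kernel's linked list of processes; psscan carves
# process structures from all of memory. A process that is unlinked from
# the list (DKOM-style hiding) appears only in psscan.
# Sample data is CONSTRUCTED in a simplified tab-separated layout; it is
# not the real output format of either plugin.
from typing import Dict, Tuple

PSLIST_OUTPUT = """\
PID\tPPID\tImageFileName
4\t0\tSystem
620\t4\tsmss.exe
708\t620\tcsrss.exe
1104\t708\texplorer.exe
"""

PSSCAN_OUTPUT = """\
PID\tPPID\tImageFileName
4\t0\tSystem
620\t4\tsmss.exe
708\t620\tcsrss.exe
1104\t708\texplorer.exe
2216\t1104\tsvch0st.exe
"""


def parse_listing(text: str) -> Dict[int, Tuple[int, str]]:
    """Map PID -> (PPID, image name), skipping the header line."""
    procs: Dict[int, Tuple[int, str]] = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, ppid, name = line.split("\t")
        procs[int(pid)] = (int(ppid), name)
    return procs


def hidden_processes(pslist_text: str, psscan_text: str) -> Dict[int, Tuple[int, str]]:
    """Processes carved by psscan but absent from pslist.

    Each hit is a candidate for a hidden process. It can also be a process
    that exited while its structure was still in memory, so confirm with
    other plugins before concluding anything."""
    listed = parse_listing(pslist_text)
    scanned = parse_listing(psscan_text)
    return {pid: info for pid, info in scanned.items() if pid not in listed}


if __name__ == "__main__":
    for pid, (ppid, name) in hidden_processes(PSLIST_OUTPUT, PSSCAN_OUTPUT).items():
        print(f"only in psscan: pid={pid} ppid={ppid} name={name}")
```

    The same set difference applies to netscan versus netstat: collect the connection tuples from each and report what only the scanning plugin returned.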
  • @mooxart64
    Thank you very much for this video. I got here randomly but I love how much insight this provided me.
  • @gabolm
    That was an amazing video, keep the awesome work!
  • For the API key generation, go to the main page; once you're signed in, hover over your account in the top right corner, press account details, and at the bottom there is a generate key option. Press it, then copy the key and enter it in the 'enter api key' box.
  • Excellent video, and good to learn some tools here for my STEM students learning cyber security. We don't teach hacking, but this looks like a good topic to put on next summer's Cyber Camp. Thanks
  • @shinokami007
    Awesome, thanks for your work and efforts Leo :)
  • @salafzoon
    Excellent! This is exactly what I am looking for. Kindly do more such related videos!