Comments on: Quick Incident Response Techniques IV http://www.cutawaysecurity.com/blog/archives/575 Cutaway's Observations, Opinions, Rants, Raves, Tantrums, and Tirades Tue, 16 Feb 2010 06:48:31 +0000 http://wordpress.org/?v=2.8.4 hourly 1 By: Jamie Butler http://www.cutawaysecurity.com/blog/archives/575/comment-page-1#comment-31129 Jamie Butler Sat, 16 May 2009 00:33:47 +0000 http://www.cutawaysecurity.com/blog/?p=575#comment-31129 Thanks for the post(s) using Memoryze and Audit Viewer. Glad you find the tools useful. Remember, Memoryze can also run against the remote memory that F-Response exposes so you do not have to acquire the image first. Interesting side note, F-Response's binary is obfuscated on disk. When you acquire it from memory, it is not. Although this tidbit is not interesting on legitimate processes, it is useful when looking at packed malware. Jamie Thanks for the post(s) using Memoryze and Audit Viewer. Glad you find the tools useful. Remember, Memoryze can also run against the remote memory that F-Response exposes so you do not have to acquire the image first.

Interesting side note, F-Response’s binary is obfuscated on disk. When you acquire it from memory, it is not. Although this tidbit is not interesting on legitimate processes, it is useful when looking at packed malware.

Jamie

]]>