Comparative analysis of operational malware Dynamic Link Library (DLL) injection live response vs. memory image

  • Author(s) / Creator(s)
  • Abstract
    One advanced tactic used to deliver a malware payload to a target operating system is Dynamic Link Library (DLL) injection, which can bypass many security controls. In compromises involving DLL injection, volatile memory holds the critical evidence, because these attacks typically leave no footprint on the hard disk. In this paper, we describe the results of our comparative analysis between a particular live response utility, Redline, and a particular memory image utility, Volatility, in cases where malware uses DLL injection. We show that Redline is significantly limited, by comparison with Volatility, in its ability to collect relevant evidence from memory. Based upon these observations, we draw general conclusions about the advantages of memory image analysis over live response.

  • Date created
    07/29/2012
  • Type of Item
    Research Material
  • DOI
    https://doi.org/10.7939/r3-5p28-hk56
  • License
    Attribution-NonCommercial 4.0 International