WDavid404
commented
7 months ago Redline
Volatility take time. Redline will essentially give an analyst a 30,000-foot view (10 kilometers high view) of a Windows, Linux, or macOS endpoint. Using Redline, you can analyze a potentially compromised endpoint through the memory dump, including various file structures. With a nice-looking GUI (Graphical User Interface) - you can easily find the signs of malicious activities.
https://fireeye.market/apps/211364 Redline®, FireEye’s premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
Volatility
Volatility is a free memory forensics tool developed and maintained by Volatility Foundation, commonly used by malware and SOC analysts within a blue team or as part of their detection and monitoring solutions. Volatility is written in Python and is made up of python plugins and modules designed as a plug-and-play way of analyzing memory dumps. Volatility是一款非常强大的内存取证工具,它是由来自全世界的数百位知名安全专家所合作开发的一套工具, 可以用于windows、linux、mac osx和android等系统内存取证,在应急响应、系统分析、取证领域有着举足轻重的地位。
参考: https://zhuanlan.zhihu.com/p/608796920 https://zhuanlan.zhihu.com/p/556820772