There are several techniques for detecting malware infection; one of them is analysing the
content of volatile memory (memory forensics). Many different tools are available
to acquire and analyse a memory dump, but finding the artifacts still requires a human
analyst. Operating system attributes can serve as such artifacts, since they can indicate whether the
system has been compromised. When a large number of malware samples has to be analysed,
these tools should be automated in order to support the work of the human expert.
In my thesis I would like to present the state-of-the-art memory forensics tools that are
capable of malware analysis. First of all, I will present a method to automate and further
improve the functions of a chosen memory analyser, so that it can be applied to the analysis of large
malware campaigns. The extended analyser will be tested in a virtual environment designed
especially for memory forensics, in order to evaluate the detection rate of the algorithms
on several malware families. Furthermore, these tools have an essential gap: they cannot
interpret invalid pages, which limits the analysis to the physical memory. In this thesis, I will
extend the address translation logic, allowing us to restore the entire virtual memory of each
process. Finally, I will try to detect a well-known malware by checking its page types,
so as to present a novel method for detecting a specific malware.
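The gap described above, that a strict address translation stops at any page-table entry whose valid bit is clear, can be illustrated with a small page-walk model. The following Python block is an added example and is not code from the thesis or from any memory forensics tool. It builds a constructed, simplified x86-64 four-level page table in a dictionary that stands in for a physical memory dump, then translates virtual addresses in two modes: a strict walk that returns nothing for invalid pages, and an extended walk that additionally resolves invalid leaf entries carrying the Windows "transition" software bit (bit 11), whose frame is still physically resident. Prototype PTEs and large pages are treated as unresolved here; the status names, the `build_sample_memory` layout and the frame numbers are assumptions made for the example.

```python
import struct

# Constructed, simplified x86-64 paging model (no large pages, no NX/PAT handling).
PAGE_SHIFT = 12
PAGE_MASK = (1 << PAGE_SHIFT) - 1
PFN_MASK = 0x000F_FFFF_FFFF_F000        # bits 12..51 hold the physical frame
PTE_VALID = 1 << 0                       # hardware "present" bit
PTE_PROTOTYPE = 1 << 10                  # Windows software PTE: prototype PTE pointer
PTE_TRANSITION = 1 << 11                 # Windows software PTE: frame still resident
LEVEL_SHIFTS = (39, 30, 21)              # PML4, PDPT, PD; the PT level is handled last


def make_entry(pfn, valid=True, transition=False, prototype=False):
    """Encode a page-table entry pointing at frame `pfn` with the given flag bits."""
    entry = (pfn << PAGE_SHIFT) & PFN_MASK
    if valid:
        entry |= PTE_VALID
    if transition:
        entry |= PTE_TRANSITION
    if prototype:
        entry |= PTE_PROTOTYPE
    return entry


def read_qword(mem, paddr):
    """Read a little-endian 64-bit value from the constructed physical memory."""
    frame = mem.get(paddr >> PAGE_SHIFT)
    if frame is None:                    # frame not captured in the dump
        return None
    return struct.unpack_from("<Q", frame, paddr & PAGE_MASK)[0]


def translate(mem, cr3, vaddr, extended=False):
    """Walk the page tables for `vaddr`.

    Returns (status, paddr). Status is "valid" for a present page,
    "transition" for an invalid leaf whose frame is still resident (only when
    extended=True), and "unresolved" when the walk cannot continue.
    """
    table = cr3 & PFN_MASK
    for shift in LEVEL_SHIFTS:
        entry = read_qword(mem, table + ((vaddr >> shift) & 0x1FF) * 8)
        if entry is None or not entry & PTE_VALID:
            return ("unresolved", None)  # upper levels must be present in this model
        table = entry & PFN_MASK
    leaf = read_qword(mem, table + ((vaddr >> PAGE_SHIFT) & 0x1FF) * 8)
    if leaf is None:
        return ("unresolved", None)
    paddr = (leaf & PFN_MASK) | (vaddr & PAGE_MASK)
    if leaf & PTE_VALID:
        return ("valid", paddr)
    # Extended logic: a transition PTE is invalid for the CPU, but its PFN field
    # still names a frame that is in the dump, so the page can be restored.
    if extended and leaf & PTE_TRANSITION and not leaf & PTE_PROTOTYPE:
        if (leaf & PFN_MASK) >> PAGE_SHIFT in mem:
            return ("transition", paddr)
    return ("unresolved", None)


def page_type_summary(mem, cr3, vaddrs, extended=True):
    """Count how the given virtual pages classify; a per-process page-type profile."""
    counts = {"valid": 0, "transition": 0, "unresolved": 0}
    for vaddr in vaddrs:
        counts[translate(mem, cr3, vaddr, extended)[0]] += 1
    return counts


def build_sample_memory():
    """Constructed dump: PML4 at frame 1, PDPT at 2, PD at 3, PT at 4, data at 10..12."""
    mem = {pfn: bytearray(1 << PAGE_SHIFT) for pfn in (1, 2, 3, 4, 10, 11, 12)}

    def put(pfn, index, entry):
        struct.pack_into("<Q", mem[pfn], index * 8, entry)

    put(1, 0, make_entry(2))                               # PML4[0] -> PDPT
    put(2, 0, make_entry(3))                               # PDPT[0] -> PD
    put(3, 0, make_entry(4))                               # PD[0]   -> PT
    put(4, 0, make_entry(10))                              # vaddr 0x0000: present
    put(4, 1, make_entry(11, valid=False, transition=True))  # 0x1000: transition
    put(4, 2, 0)                                           # 0x2000: paged out
    put(4, 3, make_entry(12, valid=False, prototype=True))   # 0x3000: prototype
    return mem, 1 << PAGE_SHIFT                            # cr3 points at frame 1


if __name__ == "__main__":
    mem, cr3 = build_sample_memory()
    for vaddr in (0x0000, 0x1ABC, 0x2000, 0x3000):
        print(hex(vaddr), translate(mem, cr3, vaddr), translate(mem, cr3, vaddr, True))
    print(page_type_summary(mem, cr3, [0x0000, 0x1000, 0x2000, 0x3000]))
```

The strict walk recovers only the present page, which is the limitation the abstract refers to; the extended walk also returns the transition page because its frame is still in the dump, and it still reports the paged-out and prototype entries as unresolved, so a forensic tool must not silently treat them as zero-filled memory.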