Abstract image of a woman sitting on books and studying on a laptop

Memory Forensics

Download as PPTX, PDF
Anshul Tayal, profile picture
Anshul Tayal

The document outlines a session on memory forensics, describing its significance in the context of live cybercrime analysis, particularly highlighting the examination of volatile memory. It details the process of memory forensics, including data acquisition, analysis, and evidence recovery, while identifying specific tools for Windows and Linux platforms. Various data formats used in memory acquisition are also summarized, emphasizing the need for effective forensic techniques in combating cyber threats.

Education
Related topics:
Digital Forensics Cyber-Security
1 of 12
Downloaded 10 times
1
2
Most read
3
4
Most read
5
6
Most read
7
8
9
10
11
12
“Memory Forensics ” Session By: Anshul Tayal
Outline • Introduction • What can be found in Memory • Overview of the process • Tools & Techniques • Various Formats • Memory Forensics in Context of Windows Device • Memory Forensics in Context of Linux Device • Hardware Approaches for Memory Forensics • Little discussion on the deference between Windows and Linux Forensics 2
Introduction Digital analysis can be broadly studied under two headings a) Static or Dead analysis where, the target devices that are to be analyzed are shut down and b) Live analysis where, the system stays in the boot mode and is kept alive. The live analysis has become a need with the increase of cyber crime because individuals have started deleting the contents as soon as possible without saving the contents on the hard drive. Hence in order to retrieve more valuable information the forensic analyst needs to examine the volatile memory. 3
Introduction What is Memory Forensics? 4 The science of examining the volatile or live memory is referred to as Memory Forensics.
What can be found in Memory? What can be found in the Main Memory? a) Running Processes. b) Running Threads. c) Password/Keys other related information. d) Live registry hives (in case of windows only). e) Malware presence f) Malicious/ Suspicious activities g) Open Connections to the network In fact anything that processor works upon… 5
Overview of the process Memory Forensics can be studied broadly under three categories: a) Acquisition of memory b) Analyzing the acquired data c) Recovering the evidence 6 Acquisition Analyze Evidences
Tools & Techniques Tools used for the acquisition of the Memory a) For Windows Platform • Belkasoft Live RAM Capturer • FTK Imager • OSForensics • MadiantMemoryz • DumpIt etc. b) For Linux Platform • LiME (Linux Memory Extractor) • Second Look • Fmem etc. 7
Tools & Techniques Tools used for Analyzing the acquired data a) For Windows Platform • Belkasoft Evidence Center • wxHexEditor • Autopsy • Volatility * b) For Linux Platform • Volatility * • The Sleuth Kit (TSK) etc. 8
Various Formats Tools used for the acquisition of the Memory a) Raw Dump (.img/.dd) b) Windows Crash dump format (.bin) c) Memory dump (.mem) d) Commercial Tools Formats • Encase (.E01) • VMware (.Vmem) • FastDump Pro (hpak) 9
Demonstrations 10
11
Memory Forensics

More Related Content

PPTX
Memory forensics.pptx
9905234521
 
PDF
Super Easy Memory Forensics
IIJ
 
PPTX
Memory forensics
Sunil Kumar
 
PPTX
Digital forensics
vishnuv43
 
PDF
CS6004 Cyber Forensics
Kathirvel Ayyaswamy
 
PPTX
Ethernet
sijil chacko
 
PPTX
cyber security and forensic tools
Sonu Sunaliya
 
PPTX
Autopsy Digital forensics tool
Sreekanth Narendran
 
Memory forensics.pptx
9905234521
 
Super Easy Memory Forensics
IIJ
 
Memory forensics
Sunil Kumar
 
Digital forensics
vishnuv43
 
CS6004 Cyber Forensics
Kathirvel Ayyaswamy
 
Ethernet
sijil chacko
 
cyber security and forensic tools
Sonu Sunaliya
 
Autopsy Digital forensics tool
Sreekanth Narendran
 

What's hot (20)

PDF
Memory Forensics
n|u - The Open Security Community
 
PPTX
Network Forensics Intro
Jake K.
 
PDF
Cyber Forensics Module 1
Manu Mathew Cherian
 
PPTX
Mobile Forensics
primeteacher32
 
PPTX
Computer forensics
Ramesh Ogania
 
PPTX
Digital Forensics best practices with the use of open source tools and admiss...
Sagar Rahurkar
 
PPTX
Mobile Forensics
abdullah roomi
 
PDF
Anti forensics-techniques-for-browsing-artifacts
gaurang17
 
ODT
Operating System Forensics
ArunJS5
 
PDF
Next Generation Memory Forensics
Andrew Case
 
PPT
computer forensics
Akhil Kumar
 
PPT
Windows forensic artifacts
n|u - The Open Security Community
 
PPTX
Network Forensics
primeteacher32
 
PPTX
Open source network forensics and advanced pcap analysis
GTKlondike
 
PPTX
Digital Forensics
Mithileysh Sathiyanarayanan
 
PPTX
Computer forensic ppt
Priya Manik
 
PPT
Linux forensics
Santosh Khadsare
 
PPTX
Virtual Machine Forensics
primeteacher32
 
PPTX
Digital forensics
yash sawarkar
 
PPTX
Computer forensics toolkit
Milap Oza
 
Memory Forensics
n|u - The Open Security Community
 
Network Forensics Intro
Jake K.
 
Cyber Forensics Module 1
Manu Mathew Cherian
 
Mobile Forensics
primeteacher32
 
Computer forensics
Ramesh Ogania
 
Digital Forensics best practices with the use of open source tools and admiss...
Sagar Rahurkar
 
Mobile Forensics
abdullah roomi
 
Anti forensics-techniques-for-browsing-artifacts
gaurang17
 
Operating System Forensics
ArunJS5
 
Next Generation Memory Forensics
Andrew Case
 
computer forensics
Akhil Kumar
 
Windows forensic artifacts
n|u - The Open Security Community
 
Network Forensics
primeteacher32
 
Open source network forensics and advanced pcap analysis
GTKlondike
 
Digital Forensics
Mithileysh Sathiyanarayanan
 
Computer forensic ppt
Priya Manik
 
Linux forensics
Santosh Khadsare
 
Virtual Machine Forensics
primeteacher32
 
Digital forensics
yash sawarkar
 
Computer forensics toolkit
Milap Oza
 
Ad

Similar to Memory Forensics (20)

DOCX
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
PPTX
Memory Forensic: Investigating Memory Artefact
Satria Ady Pradana
 
PPTX
Memory Forensic - Investigating Memory Artefact
Satria Ady Pradana
 
PPTX
Cybersecurity and Digital Forensics.pptx
RyujiChanneru
 
PPT
Preserving and recovering digital evidence
Online
 
PPT
Electornic evidence collection
Fakrul Alam
 
PPTX
DracOs Forensic Flavor
Satria Ady Pradana
 
PPTX
Dracos forensic flavor
Satria Ady Pradana
 
PDF
the Cyber - Forensics - Lab - Manual . pdf
22cc005
 
PPT
3871778
Christiaan Beek
 
PPT
Digital forensics
Nicholas Davis
 
PPT
Digital Forensics
Nicholas Davis
 
PDF
You suck at Memory Analysis
Francisco Ribeiro
 
PPTX
unit 5 understanding computer forensics.pptx
Dimple Relekar
 
PPT
Computer forensics
Shreya Singireddy
 
PDF
Modern Reconnaissance Phase on APT - protection layer
Shakacon
 
PPTX
Preserving cyber evidence in forensics investigations
olumidelawal2
 
PPTX
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
PPT
Basics of Digital Forensics, techniques and tools
madhulikarsit
 
PPT
DigitalForensicsDigitalForensics.pptDigitalForensics.ppt
MoshoodKareemOlawale
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
Memory Forensic: Investigating Memory Artefact
Satria Ady Pradana
 
Memory Forensic - Investigating Memory Artefact
Satria Ady Pradana
 
Cybersecurity and Digital Forensics.pptx
RyujiChanneru
 
Preserving and recovering digital evidence
Online
 
Electornic evidence collection
Fakrul Alam
 
DracOs Forensic Flavor
Satria Ady Pradana
 
Dracos forensic flavor
Satria Ady Pradana
 
the Cyber - Forensics - Lab - Manual . pdf
22cc005
 
3871778
Christiaan Beek
 
Digital forensics
Nicholas Davis
 
Digital Forensics
Nicholas Davis
 
You suck at Memory Analysis
Francisco Ribeiro
 
unit 5 understanding computer forensics.pptx
Dimple Relekar
 
Computer forensics
Shreya Singireddy
 
Modern Reconnaissance Phase on APT - protection layer
Shakacon
 
Preserving cyber evidence in forensics investigations
olumidelawal2
 
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
Basics of Digital Forensics, techniques and tools
madhulikarsit
 
DigitalForensicsDigitalForensics.pptDigitalForensics.ppt
MoshoodKareemOlawale
 
Ad

Recently uploaded (20)

PDF
Chevening Scholarship Application and Interview Preparation Guide
Leneka Rhoden
 
PDF
anganwadi services for the b.sc nursing and GNM
shaila55
 
PDF
Myanmar Dental Journal, The Journal of the Myanmar Dental Association (2013).pdf
Nay Aung
 
PDF
fundamentals-of-heat-and-mass-transfer-6th-edition_incropera.pdf
gloryjsingh
 
PPTX
4. Diagnosis and treatment planning in RPD.pptx
rakshasb
 
PDF
0520_Scheme_of_Work_(for_examination_from_2021).pdf
SankariNandakumar
 
PDF
Mucosal Drug Delivery system_NDDS_BPHARMACY__SEM VII_PCI Syllabus.pdf
SabsKhan1
 
PDF
Civil Department's presentation Your score increases as you pick a category
OperaVill
 
PDF
Nurlina - Urban Planner Portfolio (english ver)
Nurlina Y.
 
PPTX
PLASMA AND ITS CONSTITUENTS 123.pptx
sweet2th18
 
PDF
Horaris_Grups_25-26_Definitiu_15_07_25.pdf
rpujol11
 
PDF
Literature_Review_methods_ BRACU_MKT426 course material
mokoto4834
 
PPTX
UNIT_2-__LIPIDS[1].pptx.................
Akanksha Kotangale
 
PPTX
Integrated Management of Neonatal and Childhood Illnesses (IMNCI) – Unit IV |...
RAKESH SAJJAN
 
PDF
Journal of Dental Science - UDMY (2022).pdf
Nay Aung
 
PPTX
principlesofmanagementsem1slides-131211060335-phpapp01 (1).ppt
Jeyasunitha
 
PDF
Lecture on Viruses: Structure, Classification, Replication, Effects on Cells,...
Miraj Khan
 
PDF
Journal of Dental Science - UDMY (2020).pdf
Nay Aung
 
PPT
REGULATION OF RESPIRATION lecture note 200L [Autosaved]-1-1.ppt
muktarabdulwahab7
 
PDF
Disorder of Endocrine system (1).pdfyyhyyyy
[email protected]
 
Chevening Scholarship Application and Interview Preparation Guide
Leneka Rhoden
 
anganwadi services for the b.sc nursing and GNM
shaila55
 
Myanmar Dental Journal, The Journal of the Myanmar Dental Association (2013).pdf
Nay Aung
 
fundamentals-of-heat-and-mass-transfer-6th-edition_incropera.pdf
gloryjsingh
 
4. Diagnosis and treatment planning in RPD.pptx
rakshasb
 
0520_Scheme_of_Work_(for_examination_from_2021).pdf
SankariNandakumar
 
Mucosal Drug Delivery system_NDDS_BPHARMACY__SEM VII_PCI Syllabus.pdf
SabsKhan1
 
Civil Department's presentation Your score increases as you pick a category
OperaVill
 
Nurlina - Urban Planner Portfolio (english ver)
Nurlina Y.
 
PLASMA AND ITS CONSTITUENTS 123.pptx
sweet2th18
 
Horaris_Grups_25-26_Definitiu_15_07_25.pdf
rpujol11
 
Literature_Review_methods_ BRACU_MKT426 course material
mokoto4834
 
UNIT_2-__LIPIDS[1].pptx.................
Akanksha Kotangale
 
Integrated Management of Neonatal and Childhood Illnesses (IMNCI) – Unit IV |...
RAKESH SAJJAN
 
Journal of Dental Science - UDMY (2022).pdf
Nay Aung
 
principlesofmanagementsem1slides-131211060335-phpapp01 (1).ppt
Jeyasunitha
 
Lecture on Viruses: Structure, Classification, Replication, Effects on Cells,...
Miraj Khan
 
Journal of Dental Science - UDMY (2020).pdf
Nay Aung
 
REGULATION OF RESPIRATION lecture note 200L [Autosaved]-1-1.ppt
muktarabdulwahab7
 
Disorder of Endocrine system (1).pdfyyhyyyy
[email protected]
 

Memory Forensics

  • 2. Outline • Introduction • What can be found in Memory • Overview of the process • Tools & Techniques • Various Formats • Memory Forensics in Context of Windows Device • Memory Forensics in Context of Linux Device • Hardware Approaches for Memory Forensics • Little discussion on the deference between Windows and Linux Forensics 2
  • 3. Introduction Digital analysis can be broadly studied under two headings a) Static or Dead analysis where, the target devices that are to be analyzed are shut down and b) Live analysis where, the system stays in the boot mode and is kept alive. The live analysis has become a need with the increase of cyber crime because individuals have started deleting the contents as soon as possible without saving the contents on the hard drive. Hence in order to retrieve more valuable information the forensic analyst needs to examine the volatile memory. 3
  • 4. Introduction What is Memory Forensics? 4 The science of examining the volatile or live memory is referred to as Memory Forensics.
  • 5. What can be found in Memory? What can be found in the Main Memory? a) Running Processes. b) Running Threads. c) Password/Keys other related information. d) Live registry hives (in case of windows only). e) Malware presence f) Malicious/ Suspicious activities g) Open Connections to the network In fact anything that processor works upon… 5
  • 6. Overview of the process Memory Forensics can be studied broadly under three categories: a) Acquisition of memory b) Analyzing the acquired data c) Recovering the evidence 6 Acquisition Analyze Evidences
  • 7. Tools & Techniques Tools used for the acquisition of the Memory a) For Windows Platform • Belkasoft Live RAM Capturer • FTK Imager • OSForensics • MadiantMemoryz • DumpIt etc. b) For Linux Platform • LiME (Linux Memory Extractor) • Second Look • Fmem etc. 7
  • 8. Tools & Techniques Tools used for Analyzing the acquired data a) For Windows Platform • Belkasoft Evidence Center • wxHexEditor • Autopsy • Volatility * b) For Linux Platform • Volatility * • The Sleuth Kit (TSK) etc. 8
  • 9. Various Formats Tools used for the acquisition of the Memory a) Raw Dump (.img/.dd) b) Windows Crash dump format (.bin) c) Memory dump (.mem) d) Commercial Tools Formats • Encase (.E01) • VMware (.Vmem) • FastDump Pro (hpak) 9
  • 11. 11