MEMORY
FORENSICS
Memory forensics.pptx
What is Memory Forensics?
• Memory forensics is a vital form of cyber investigation that allows an
investigator to identify unauthorized and anomalous activity on a target
computer or server.
• This is usually achieved by running special software that captures the current
state of the system’s memory as a snapshot file, also known as a memory
dump.
• This file can then be taken offsite and searched by the investigator.
• This is useful because of the way in which processes, files and programs are run in
memory, and once a snapshot has been captured, many important facts can be
ascertained by the investigator, such as:
• Processes running
• Executable files that are running
• Open ports, IP addresses and other networking information
• Users that are logged into the system, and from where
• Files that are open and by whom
Introduction
• The enhancement of technology has led to a considerable amount of growth in
number of cases pertaining to cyber-crime and has raised an enormous challenge to
tackle it effectively.
• There are various cyber forensic techniques and tools used to recover data from the
devices to tackle cyber-crime.
• This presentation focuses on performing memory forensics: analyzing the memory, which
contains many pieces of information relevant to a forensic investigation, such as
• usernames, passwords, cryptographic keys, deleted files, deleted logs and running processes,
• that can help investigate the cyber-crime and pin down the accused.
• Depending on the situation, upon arriving on crime scene, an investigator is left with
two options:
• either interact with the system or
• pull the plug.
• On one side, it has been known for some time that normal user interaction is
undesirable, even performing a clean shutdown would destroy potential evidence by
changing timestamps and potentially overwriting information.
• Following this train of thought, it was suggested that pulling the plug of a machine
will leave it in a more preserved state than powering it down gracefully.
• On the other side, while pulling the plug does preserve the current contents of the
hard disk drive, it clears RAM and allows little or no insight into what operations the
system was performing at the time when the power was removed.
• In light of this lack of knowledge, others have provided incident response steps to
perform in order to gain insight about the state of the system.
• Neither option works if the contents of RAM are of concern: pulling the plug clears the
contents of RAM, while performing many incident response actions overwrites potential
evidence in memory, akin to creating new files on a suspect's hard disk.
• When concerned with the contents of RAM, neither choice is adequate.
• Simply, pulling the plug can clear the contents of RAM (in most cases), and
performing many incident response actions overwrites potential evidence in memory
akin to creating new files on a suspect hard disk drive.
• Two additional concepts need to be introduced into acquisition and analysis stages
in order to take advantage of RAM contents: the acquisition of RAM, and the
extraction of information from the RAM duplicate
• Memory forensics involves analyzing the data stored in the physical memory at
operating system runtime.
• Its primary application is in the investigation of advanced computer attacks which
are stealthy enough to avoid leaving data on the computer's hard drive.
• Consequently, the memory (RAM) must be analyzed for forensic information.
• Each and every function performed by an application or operating system results in
a special kind of change to the random access memory.
• These changes often remain for a long time after the operation completes, effectively
storing a record of it; by examining them, memory forensics provides extraordinary
visibility into the runtime state of the system, such as
• which processes were running, open network connections, and recently executed commands.
• Individuals can perform an extraction of these artifacts that is totally independent
of the machine being investigated.
• Critical data may exist exclusively in memory, such as
• unencrypted e-mail messages,
• disk encryption keys,
• non-cacheable internet history records,
• off the record chat messages and
• memory-resident injected code fragments.
• Memory forensics is forensic analysis of a computer's memory dump.
• Its primary application is investigation of advanced computer attacks which are
stealthy enough to avoid leaving data on the computer's hard drive.
• Consequently, the memory (RAM) must be analyzed for forensic information.
Steps in memory forensics
• The three main steps followed in memory forensics are
• acquiring,
• analyzing and
• recovering.
• Recovering evidence of a crime from volatile memory is possible with knowledge of the
different tools and techniques used in memory forensics.
• It is always tough to analyze volatile memory, as its contents stay only for a very short period.
• Not all tools can be used for memory forensics in every situation; therefore, it is
important to know the tools before applying them to solve a particular cyber-crime.
• It is yet to be established whether a single tool can be used for a complete investigation;
however, most of the tools used are successful in providing reasonable evidence.
• Here, insight is provided on analyzing the memory
• that stores relevant data,
• collection of evidences from the device(s),
• extraction of essential data using different memory forensic tools,
• tools useful for various purposes and
• the best suited tool for a particular situation.
Digital evidence
• Digital evidence is volatile and fragile; improper handling of this evidence can alter it.
• Because of its volatility and fragility, protocols need to be followed to ensure that
data is not modified during its handling (i.e., during its access, collection, packaging,
transfer, and storage).
• These protocols delineate the steps to be followed when handling digital evidence.
• There are four phases involved in the initial handling of digital evidence:
identification, collection, acquisition, and preservation
• There are protocols for the collecting volatile evidence.
• Volatile evidence should be collected based on the order of volatility; that is, the most
volatile evidence should be collected first, and the least volatile should be collected last.
• The Request for Comments (RFC) 3227 document provides a sample order of volatility
(from most to least volatile) for standard systems (Brezinski and Killalea, 2002):
• registers, cache
• routing table, ...[address resolution protocol or ARP] cache, process table, kernel statistics,
memory
• temporary file systems
• disk
• remote logging and monitoring data that is relevant to the system in question
• physical configuration, network topology
• archival media
Acquisition and Analysis of Memory
• Volatile and Non-volatile memory are the two types of memory available in the system.
• Volatile memory stores data temporarily and non-volatile data is stored permanently in the
system.
• Memory stores current working of processes, registers, stack of processes, deleted files, and
encrypted data.
• Volatile memory or Random Access Memory (RAM) only maintains its data while the computer
or device is powered on.
• Non-volatile memory, or NVRAM, is for longer-term storage.
• When a computer is powered off, evidence in RAM is lost and normally cannot be recovered,
however, the data in NVRAM often remains after the system is powered off and can be analyzed
after the fact.
• Acquisition is done with two different approaches.
• 1) Live System/Device
• 2) Dead System/Device.
• A live system requires different techniques to retrieve data than a dead system.
• A Faraday bag is used to collect the device, and then the forensic process proceeds.
• Acquisition is the technique by which evidence is collected from the seized device
through which a crime was committed.
• A write blocker is attached to the seized device to collect the data, so that there is
no change in the evidence and a hash value can be calculated. The RAM and registry are
then dumped with a RAM dump memory forensic tool, which collects all the data from the
RAM and generates the reg.mem file; this file is analyzed in EnCase and a report is
generated.
• If the retrieved data matches with the original one then accused can be convicted
on the basis of this.
• Memory forensics is about capturing the memory contents, which is a great tool for
incident response, malware analysis, and digital forensics capabilities.
• Vital information can be retrieved through assessment of network packet captures
and hard disk, however,
• it is computer memory that enables the investigative agency to reconstruct the entire
sequence of past, present and future events once malware or an intrusion by advanced
threats has been introduced.
• Even a small piece of information stored in RAM may help to associate typical forensic
artifacts that would otherwise appear unrelated, allowing a connection that could
otherwise remain unnoticed.
• There are three reasons for gathering and analyzing the data contained in the physical
memory.
• The physical memory contains real-time data related to the operating system environment,
such as the currently mounted file system and the list of processes being operated.
• Even the encrypted data is generally decrypted when it is stored in the physical memory.
• Therefore, significant information can be obtained if analysis is performed effectively on
the physical memory.
• The different types of information that can be extracted from memory include processes,
dynamic link libraries (dll), process memory, image identification, kernel memory and
objects, networking, registry, malware.
Memory Analysis
• Memory Analysis is a process & technique of using a ‘memory image’ to get
information about the overall state of a computer, the programs running on it, the
operating system and other digital artifacts and network connectivity etc.
• Memory analysis is the domain of memory forensics, which is itself sometimes referred
to as memory analysis and refers to the analysis of volatile data in a computer’s
memory dump.
• It is forensic analysis of a computer's memory dump.
• The primary application of memory analysis is inspecting computer attacks.
• These attacks are stealthy enough to avoid leaving data on the computer's hard drive.
• For this, (RAM) or the memory (whether primary or other memory drives and
devices) must be analyzed for forensic information.
• By performing memory forensics analysis, information security professionals
investigate and identify attacks or malicious behaviors that do not leave easily
detectable tracks on hard drive data.
• Because the analysis is highly dependent on the operating system, it is divided by
operating system, and accordingly there are different and versatile memory imaging
and memory acquisition tools to capture and analyze memory and retrieve various
types of static and running data.
• Physical memory analysis from Windows systems can provide important
information about the target operating system.
• This field is still very new, but holds great promise.
How is Memory Forensics Different from
Hard Drive Forensics?
• Memory forensics can be thought of as a current snapshot of a system that gives
investigators a near real time image of the system while in use.
• Hard drive forensics is normally focused on data recovery and decryption, usually made
from an image of the drive in question.
• One can think of memory forensics as a live response to a current threat, while hard
drive forensics can be seen as more of a post mortem of events that have already
transpired.
• Memory forensics is time sensitive, as the information that is required is stored in
volatile system memory, and if the system is restarted or powered off, then that
information is flushed from system memory.
• Hard drives, on the other hand, are a non-volatile form of computer storage. There
are some volatile elements to hard drives, such as cache and buffer stores, so this also
needs to be taken into account by the forensic investigator.
• Depending on the nature of the investigation, either technique can be used to gain
further information about the system in question.
• Likewise, both methods can be used on the same system if necessary, and
investigators will have to use their discretion and select the appropriate action where
necessary.
Memory Forensics: Acquisition Methods
• The angle of investigation that you take during this acquisition phase will depend
mostly on the scenario that you are presented with and the requirements of the
case.
• This depends largely on the operating system that your host is running, or what the
perceived issue is that needs to be investigated at the time of the incident.
• How you go about capturing the image also depends on what you are trying to
establish through your investigative process, and what it is that you are trying to
prove or disprove.
• Generally your investigation will focus on the activities of the user on the system, or evidence that
proves that the system in question has been compromised.
• Sometimes even encryption keys and passwords can be uncovered if they are part of the evidentiary
requirements of your case.
• There must be a clear understanding of what needs to be established on the target system, and how it
can help to advance your investigation.
• Forensic investigators are highly skilled and can identify activity on a system that should not be present,
allowing them to prove that a system has been compromised.
• It allows them to identify rootkits and malware, to find unusual processes, and reveal covert
communication, which can shed light on what is happening currently in a target system.
• Here are some examples of acquisition formats that are used in memory forensics.
• RAW Format – Extracted from a live environment
• Crash Dump – Information gathered by the operating system
• Hibernation File – A saved snapshot that your operating system can return to after
hibernating
• Page File – This is a file that stores similar information that is stored in your system
RAM
• VMWare Snapshot – This is a snapshot of a virtual machine, which saves its state as
it was at the exact moment that the snapshot was generated
• Once you have acquired your data, you can begin the process of examining the
system, and any suspicious activities will then be uncovered as you proceed.
• Data carving is a commonly used approach, and depending on the desired outcomes
of your particular case, there are many other approaches that can be looked at as
well.
Memory Imaging
• Memory imaging is the process of making a bit-by-bit copy of memory.
• In principle it is similar to Disk Imaging.
• A ‘memory image’ is simply the view of the current state and components of the
system’s memory at a certain time.
• It is something like an image (or a photocopy) to be able to examine it afterwards.
• The resulting copy is stored in a ‘Forensics image format’.
• Some of these formats have means to differentiate between an image of memory
and (e.g.) that of a disk.
• For physical memory it is common to have sections that are not accessible, e.g.
because of memory-mapped I/O.
• The physical memory of computers can be imaged and analyzed using a variety of
tools.
• The procedure for accessing physical memory varies between operating systems;
hence, there are different tools for different operating systems.
• Once memory has been imaged, it is subjected to memory analysis to ascertain the
state of the system, extract artifacts, and so on.
Memory Forensics Process
• Memory Forensics process starts with the acquisition of target machines.
• Now these images can be in any of several formats, such as:
• Raw Format
• Hibernation File
• Page File
• Crash Dump etc.
• There are various tools available like MoonSols, Belkasoft RAM capture which will
assist in the acquisition of the image.
• For page files, remember that there can be a maximum of 16 page files in a system,
so once the image is acquired, the analyst must check for all available page files.
• For a Hibernation file, before the analyst starts analyzing the image, it needs to be
decompressed.
• Also for a VM’s image, taking a snapshot is the best way to start; however, keep in
mind that there are other files besides the snapshot which might contain relevant
data.
• Once the Image is acquired, then the next step is to ensure that the image profiling is done.
• Normally tools like Volatility look for the KDBG block to find out the image’s OS and
Service Pack.
• Since this block leads to the active process list and loaded modules, you can also find
information like the number of active processes and the number of loaded modules
directly from this high level.
• Once the profile is selected, then we start finding other artifacts from the acquired image like
running process on the system when the image is acquired, what dlls are loaded, what
network connections were active at the time of acquiring.
• There are lot more artifacts that can be collected from the system at this point.
• Once the profiling is done, the analyst compares the outcome of the different artifacts
with the normal state and finds discrepancies.
• Since memory data is huge, this step requires experience and OS level understanding to filter
out known goods.
• Once the outliers are established, or if some other interesting section of memory is
acquired, then that portion of memory is dumped for further analysis.
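The profiling-and-comparison step described above (list the processes and loaded modules, filter out the known goods, dump the outliers) can be written down as a baseline check. The following is an added example written for this page; it is not code from the slides or from Volatility. The process rows and the baseline table are constructed for illustration, the function names are my own, and the three rules it applies (image directory, parent process, names one character away from a core process) are one reasonable set of "known good" rules, not the only ones an analyst would use.

```python
"""Baseline comparison of a process listing (added example, not from the slides).

The rows below are constructed to resemble the pid / ppid / name / path
fields a pslist-style plugin reports; they are not taken from a real image.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Constructed "known good" baseline: process name -> (expected parent, expected image directory).
# The parent/location facts match a default Windows install; a real baseline would be larger.
BASELINE = {
    "smss.exe":     ("system",       r"c:\windows\system32"),
    "wininit.exe":  ("smss.exe",     r"c:\windows\system32"),
    "services.exe": ("wininit.exe",  r"c:\windows\system32"),
    "lsass.exe":    ("wininit.exe",  r"c:\windows\system32"),
    "svchost.exe":  ("services.exe", r"c:\windows\system32"),
    "explorer.exe": (None,           r"c:\windows"),  # its parent (userinit.exe) normally exits
}

# Constructed sample listing: a legitimate core set plus two planted outliers.
SAMPLE_PROCS = [
    Proc(4,    0,    "System",       ""),
    Proc(380,  4,    "smss.exe",     r"C:\Windows\System32\smss.exe"),
    Proc(520,  380,  "wininit.exe",  r"C:\Windows\System32\wininit.exe"),
    Proc(620,  520,  "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(632,  520,  "lsass.exe",    r"C:\Windows\System32\lsass.exe"),
    Proc(820,  620,  "svchost.exe",  r"C:\Windows\System32\svchost.exe"),
    Proc(2200, 2100, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(1300, 2200, "svchost.exe",  r"C:\Users\Public\svchost.exe"),                   # wrong path and parent
    Proc(3100, 2200, "svch0st.exe",  r"C:\Users\bob\AppData\Local\Temp\svch0st.exe"),  # lookalike name
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch names one character away from a core process."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_outliers(procs):
    """Return (pid, reason) pairs for processes that deviate from the baseline."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        directory = p.path.lower().rsplit("\\", 1)[0]
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else None
        if name in BASELINE:
            expected_parent, expected_dir = BASELINE[name]
            if directory != expected_dir:
                findings.append((p.pid, f"{p.name} runs from {p.path}, expected directory {expected_dir}"))
            if expected_parent is not None and parent_name != expected_parent:
                findings.append((p.pid, f"{p.name} parent is {parent_name or 'missing'}, expected {expected_parent}"))
        else:
            # Unknown name: is it a near-miss of a core process name?
            for known in BASELINE:
                if edit_distance(name, known) == 1:
                    findings.append((p.pid, f"{p.name} is a lookalike of {known}"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_outliers(SAMPLE_PROCS):
        print(f"pid {pid}: {reason}")
```

On the constructed listing the check reports pid 1300 twice (wrong directory, wrong parent) and pid 3100 once (lookalike of svchost.exe); the genuine core processes produce nothing, which is the "filter out known goods" effect the slide describes.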
Challenges in Memory Forensics
• Most important part is to make sure that the image is acquired properly and it
maintains its integrity throughout the course of analysis and investigation.
• Without a clean capture of the image, there would be very few artifacts in the image
to analyze, if any.
• With frequent OS releases from OS vendors, OS internal structures are changing
rapidly, but the tools which are used by memory forensics are not compatible with
such images.
• For example, there are various image acquisition software packages which are not
compatible with Windows 10.
• Since Virtualization is adopted by all organizations these days, it is creating a gap
between the image formats provided by VM vendors and what can be analyzed by
the analysis software.
• As described above, the memory forensics data landscape is huge and requires a thorough
understanding of internal structures and expected (benign) OS/process behavior to
filter out known goods from the anomalies.
• As mentioned above, the memory regions of interest which require further analysis
need to be dumped.
• To analyze end to end, memory forensics must be combined with Reverse
Engineering.
• Thus, memory forensics has a lot of power to establish hidden context in an
investigation, and thus it should be included as an integral part of every investigation.
• Memory forensics has its own challenges, but they can be overcome with experience
and practice.
Practical Issue
• One of the most annoying problems for memory imaging is verifying that the image has been created
correctly.
• That is, verifying that it reflects the actual contents of memory at the time of its creation.
• Because the contents of memory are constantly changing on a running system, the process can be
repeated but the results will never--to a high degree of probability--be the same.
• Thus, repeating the acquisition and comparing the results is not a feasible means of validating correct
image creation.
• Memory analysis can reveal whether the image's contents are consistent with the known layout and
structure of a given operating system, as well as answering other questions, but it cannot answer the
question as to whether the image accurately reflects the system from which it was taken at the time it
was taken.
History and Background
• Zeroth Generation
- Before 2004, generic data analysis tools like strings and grep were used and memory forensics was done on an ad hoc
basis.
- These tools are a bit difficult to use as they were not particularly created for memory forensics.
- They also provide limited information. Generally, their primary usage is to extract the text from the memory dump.
- Several operating systems provide features to kernel developers and also to end-users to create a snapshot of the
physical memory, either for debugging (core dump or Blue Screen of Death) or for experience enhancement (hibernation).
- In the case of Microsoft Windows, crash dumps and hibernation have been present since Microsoft Windows NT.
- Microsoft crash dumps have always been analyzable by Microsoft WinDbg, and Windows hibernation files
(hiberfil.sys) are nowadays convertible into Microsoft crash dumps using utilities like the “MoonSols” (now provided by
Comae Technologies) Windows Memory Toolkit designed by Matthieu Suiche.
• 1st Generation
- In February 2004, Michael Ford introduced memory forensics into security
investigations with an article in Sys Admin Magazine.
- In that article, he presented the analysis of a memory-based rootkit. His process
utilized the existing Linux crash utility along with two tools developed specifically
for forensic recovery and analysis of memory, memget and mempeek.
- In 2005, DFRWS issued a Memory Analysis Forensics Challenge.
- In response to this challenge, additional tools specifically designed to analyze
memory dumps were created during this generation.
- These tools had knowledge of the operating system's internal data structures,
and were thus capable of reconstructing the operating system's process list and
process information.
- Although intended as research tools, these tools proved that operating system level
memory forensics is possible and also practical.
• 2nd Generation
- Several memory forensics tools intended for practical use were developed.
- These tools include both commercial tools like “Memoryze” and the “MoonSols”
Windows Memory Toolkit, and open source tools like “Volatility”.
- Some new features were added, such as analysis of Linux and Mac OS X memory
dumps, and substantial academic research has been carried out.
- As of now, memory forensics is a standard component of incident response.
• 3rd Generation
- Since 2010, focus and emphasis have been given more to utilities for the visualization
aspect of memory analysis, such as MoonSols LiveCloudKd, presented by Matthieu
Suiche at Microsoft BlueHat Security Briefings.
- It inspired a new feature in Microsoft LiveKd written by Mark Russinovich.
- These tools allow virtual machine self-analysis by accessing the memory of a
guest virtual machine from the host, either to analyze it directly with the
assistance of Microsoft WinDbg or to acquire a memory dump in the Microsoft
crash dump file format.
MEMORY IMAGING PROCESSING
• One of the memory imaging tools, “DumpIt”, has been used here for acquiring a memory
image for a Windows platform.
• The process has been performed on a Windows 10 operating system.
• This kind of utility is generally used to generate a physical memory dump of Windows
machines.
• It works with both x86 (32-bits) and x64 (64-bits) machines.
• In the current directory a raw memory dump is generated, only a confirmation question is
prompted before starting.
• It’s best to deploy the executable files on USB keys for quick incident response needs.
• Earlier provided by “moonsols”, this utility is now provided by “Comae Technologies”.
• DumpIt is an open source utility, one of the best available free to use, developed by
‘Matthieu Suiche’ from Microsoft.
• Also, the existing version of DumpIt supports Windows XP through Windows 10 64-bit,
and it provides extra information during the acquisition, for instance displaying the
Directory Table Base and the address of the debugging data structures, as these are
compulsory parameters for memory analysis frameworks such as Volatility or Rekall.
• Step1: Download the utility from Comae Technologies directly to your system. You may save
and carry it easily into a USB drive and can execute the application directly using the USB.
• Step2: Open the executable and run the application.
Identification
• In the identification phase, preliminary information is obtained about the cybercrime case prior to
collecting digital evidence.
• This preliminary information is similar to that which is sought during a traditional criminal
investigation. The investigator seeks to answer the following questions:
• Who was involved?
• What happened?
• When did the cybercrime occur?
• Where did the cybercrime occur?
• How did the cybercrime occur?
• The answers to these questions will provide investigators with guidance on how to proceed with the
case.
• For example, the answer to the question "where did this crime occur?" - that is, within or outside of
a country's borders (see Cybercrime Module 3 on Legal Frameworks and Human Rights for
information about jurisdictions) - will inform the investigator on how to proceed with the case (e.g.,
which agencies should be involved and/or contacted).
Memory Forensic Tools on the Market
• Volatility Suite: This is an open source suite of programs for analyzing RAM, and has support for
Windows, Linux and Mac operating systems. It can analyze RAW, Crash, VMWare, and Virtualbox
dumps with no issues.
• Rekall: This is an end-to-end solution for incident responders and investigators, and features both
acquisition and analysis tools. It can be thought of as more of a forensic framework suite than just a
single application.
• Helix ISO: This is a bootable live CD as well as a standalone application that makes
it very easy for you to capture a memory dump or memory image of a system.
• There are some risks associated with running this directly on a target system, namely
an acquisition footprint, so make sure that it fits your requirements.
• Belkasoft RAM Capturer: This is another forensic tool that allows for the volatile
section of system memory to be captured to a file.
• First responders will find that the functionality and wide range of tools available in
this software package will allow for their investigations to start off as quickly as
possible.
• Process Hacker: This is an open source process monitoring application that is very
useful to run while the target machine is in use.
• It will give the investigator a better understanding of what is currently affecting the
system before the memory snapshot is taken, and can go a long way to help uncover
any malicious processes, or even help to identify what processes have been
terminated within a set period of time.
• Once you have captured the data that you need, you can start to examine it, while
trying to find meaningful information on the target PC that you are interrogating.
Memory Forensics: Examining Your
Captured Data
• There are many avenues for an investigator to take when it comes to analyzing a target system, so
many in fact that there are entire book series’ that are dedicated to the subject. We will instead take a
look at some common approaches that can be used by an investigator when trying to glean more
information via memory forensics.
• Open Files Associated With Process:
• This is an extremely useful approach, as it shows which files are open by a suspicious process on the target system.
• Malware can often be identified just by the location of the associated files that are open, and knowing where these
files are located is also beneficial to the overall investigation, especially if these files are storing logs of user inputs
via the keyboard.
• This would mean that the user’s passwords could have been inadvertently divulged to the malware authors that
created the software.
• This will help to strengthen the case that the investigator is building.
• Decoded Applications in Memory:
• Sometimes, the malware present on the target system will be encrypted, making it
impossible for anyone but the perpetrator to successfully make use of the data that it
has been collecting.
• However, sometimes a decrypted version of the application can be caught in the memory
snapshot, which allows the investigator to more accurately examine the application’s activities.
• The investigator might even be able to identify the hash or cipher that was used for the
encryption, thus allowing them to read previously inaccessible data associated with the malware
instance on the target machine.
• Timestamp Comparison:
• In some instances, malware can interfere with the target host’s timestamps on the system
files, making them appear to be untouched by the infection.
• This is known as time stomping, and can seriously inhibit an investigator’s ability to discover
when the infection first occurred.
• By capturing the memory dump, investigators can compare the process time stamps to the
system file timestamps to establish when the system was first compromised.
• Once a date and time has been established, records such as emails and browser history can
be looked at to help identify the possible cause of the infection by finding any correlations
in time and date between the process timestamps and the application time frames.
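The timestamp comparison just described, as an added example that is not part of the original slides: process creation times recorded in memory are used as the anchor for when the infection started, the file's own (possibly stomped) timestamps are measured against that anchor, and application records are then searched in the window leading up to it. All timestamps, file paths and event records are constructed for illustration, and the function names are my own.

```python
"""Timestamp comparison and event correlation (added example, not from the slides).

Every timestamp, path and record here is constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed pslist-style rows: (pid, name, creation time as recorded in memory)
PROCESSES = [
    (820,  "svchost.exe", datetime(2023, 5, 14, 8, 1, 5)),
    (4812, "svch0st.exe", datetime(2023, 5, 14, 9, 42, 10)),
    (4990, "svch0st.exe", datetime(2023, 5, 14, 11, 3, 44)),   # respawned later in the day
]

# Constructed file-system timestamps for the process image: path -> (created, modified).
# The planted binary claims 2009 timestamps, i.e. it has been time-stomped to look like an old file.
FILE_TIMES = {
    r"C:\Users\bob\AppData\Local\Temp\svch0st.exe":
        (datetime(2009, 7, 14, 1, 14, 0), datetime(2009, 7, 14, 1, 14, 0)),
}

# Constructed application records (browser history, mail client): (timestamp, source, detail)
EVENTS = [
    (datetime(2023, 5, 14, 9, 15, 0),  "browser", "visited news site"),
    (datetime(2023, 5, 14, 9, 38, 30), "email",   "opened attachment invoice.zip"),
    (datetime(2023, 5, 14, 9, 40, 55), "browser", "downloaded svch0st.exe"),
    (datetime(2023, 5, 14, 14, 2, 0),  "email",   "unrelated message"),
]


def first_compromise(processes, suspicious_names):
    """Earliest in-memory creation time among the suspicious processes.

    This is the anchor for dating the infection: it comes from memory, which the
    malware cannot back-date the way it can stomp file timestamps."""
    times = [t for _, name, t in processes if name.lower() in suspicious_names]
    return min(times) if times else None


def stomped_timestamp_gap_days(path, anchor):
    """How many days the file's own modification time predates its first execution seen in memory.

    A large positive gap on a freshly downloaded binary means the file timestamps
    cannot be trusted to date the infection."""
    _, modified = FILE_TIMES[path]
    return (anchor - modified).days


def events_before(events, anchor, window_minutes):
    """Application records inside the window leading up to the anchor, oldest first."""
    start = anchor - timedelta(minutes=window_minutes)
    hits = [e for e in events if start <= e[0] <= anchor]
    return sorted(hits, key=lambda e: e[0])


if __name__ == "__main__":
    anchor = first_compromise(PROCESSES, {"svch0st.exe"})
    path = r"C:\Users\bob\AppData\Local\Temp\svch0st.exe"
    print("first execution seen in memory:", anchor)
    print("file claims to be", stomped_timestamp_gap_days(path, anchor), "days older than that")
    for when, source, detail in events_before(EVENTS, anchor, 10):
        print(f"{when}  {source:8s} {detail}")
```

With a 10-minute window the correlation returns the attachment being opened and the download of the binary, and leaves out the unrelated browsing and the afternoon e-mail; the 2009 file timestamps are reported as roughly fourteen years older than the first execution recorded in memory, which is the signature of time stomping the slide describes.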
• Network Information:
• Once the infected processes have been identified, then the specific network
communications surrounding the infection can be further dissected.
• This can reveal a virtual treasure trove of information, such as:
• Source IP Addresses such as where the malware instance is reporting back to
• Compromised ports on the host machine
• The frequency at which the malware was communicating over the network
• Understanding how the infection spreads itself over the network
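The network items listed above (where a process reports to, which ports it opened on the host, how often it talks) can be pulled out of a netscan-style listing with a short summary routine. This is an added example, not code from the slides or from any memory forensics tool; the connection rows are constructed to resemble such a listing, the addresses are taken from the documentation ranges and belong to no real host, and the function names are my own.

```python
"""Per-process network artifact summary (added example, not from the slides).

Rows are constructed to resemble the fields of a netscan-style plugin; the
addresses come from the documentation ranges and are not real hosts.
"""
from datetime import datetime
from statistics import median

# (created, pid, proto, local address, local port, remote address, remote port, state)
CONNECTIONS = [
    (datetime(2023, 5, 14, 9, 42, 30), 4812, "TCP", "10.0.0.5", 49711, "203.0.113.7",  443, "ESTABLISHED"),
    (datetime(2023, 5, 14, 9, 47, 30), 4812, "TCP", "10.0.0.5", 49734, "203.0.113.7",  443, "CLOSED"),
    (datetime(2023, 5, 14, 9, 52, 30), 4812, "TCP", "10.0.0.5", 49760, "203.0.113.7",  443, "CLOSED"),
    (datetime(2023, 5, 14, 9, 57, 31), 4812, "TCP", "10.0.0.5", 49801, "203.0.113.7",  443, "CLOSED"),
    (datetime(2023, 5, 14, 9, 43, 0),  4812, "TCP", "0.0.0.0",  8443,  "0.0.0.0",      0,   "LISTENING"),
    (datetime(2023, 5, 14, 9, 20, 0),  2200, "TCP", "10.0.0.5", 49650, "198.51.100.5", 80,  "CLOSED"),
]


def connections_for(pid, conns=CONNECTIONS):
    return [c for c in conns if c[1] == pid]


def remote_endpoints(conns):
    """Where the process talks to (its possible reporting address), listeners excluded."""
    return {(c[5], c[6]) for c in conns if c[7] != "LISTENING"}


def listening_ports(conns):
    """Ports the process opened on the host machine."""
    return {c[4] for c in conns if c[7] == "LISTENING"}


def beacon_stats(conns):
    """Interval pattern of outbound connections: median gap in seconds and jitter (max - min).

    Regular, low-jitter gaps are the signature of periodic check-ins; fewer than
    three connections give no interval pattern, so None is returned."""
    times = sorted(c[0] for c in conns if c[7] != "LISTENING")
    if len(times) < 3:
        return None
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    return {"count": len(times), "median_interval_s": median(gaps), "jitter_s": max(gaps) - min(gaps)}


def summarize(pid, conns=CONNECTIONS):
    mine = connections_for(pid, conns)
    return {
        "pid": pid,
        "remote": remote_endpoints(mine),
        "listening": listening_ports(mine),
        "beacon": beacon_stats(mine),
    }


if __name__ == "__main__":
    for pid in sorted({c[1] for c in CONNECTIONS}):
        print(summarize(pid))
```

For the constructed rows, pid 4812 resolves to a single remote endpoint, one listening port on the host, and four connections spaced about 300 seconds apart with one second of jitter, which is what the slide's "frequency at which the malware was communicating" looks like in numbers; pid 2200 has a single connection and therefore no interval pattern.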
• User Activity:
• By looking at the information that was acquired during all of the previous steps, the forensic
investigator can start to piece together a fairly accurate series of events that led to the main
incident.
• This can be determined via the system log files that were captured earlier, and can help to
ascertain to what extent, if any, that a user on site may have been involved.
• Remote unauthorized access can also be detected, which can help with determining the
extent to which the network protocols of the organization have been compromised.
• Once the findings have been made, the investigator can work with his or her team to
establish if there are any other sources of information that need to be looked at further, and
if any additional techniques need to be applied to the target machine or data set.
Tools and Techniques
• Two phases of memory analysis: acquisition of the data and analysis of the collected
data.
• Collection of evidence focuses on obtaining digital evidence in an acceptable form.
• There are mainly two approaches to acquiring physical memory images: hardware-based
tools and software-based tools.
• Volatility
• Volatility is an open source memory forensics framework for incident response and malware
analysis.
• It is written in Python and supports Microsoft Windows, Mac OS X and Linux.
• Volatility is one of the best open source software programs for analyzing RAM in 32 bit/64 bit
systems.
• It can analyze raw dumps, crash dumps, VMware dumps (.vmem), virtual box dumps, and many
others.
• Volatility tool is used for analyzing RAM from which the data can be recovered.
• The hash value of the collected evidence (stored files, deleted files, encrypted emails,
password-protected files) can be calculated with the help of HashCalc and compared with the
hash of the retrieved files.
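The integrity check the previous bullet describes (hashing collected evidence and comparing it against the retrieved files), as an added example written for this page rather than HashCalc's own code: it hashes files in fixed-size chunks so a multi-gigabyte memory image is never read into RAM at once, records the digests in a manifest at acquisition time and re-verifies them later, reporting any file that changed or went missing. The file names, sizes and chunk size are constructed assumptions; the only real values are the standard MD5/SHA-256 test vectors for the bytes `abc`.

```python
"""Integrity manifest for acquired evidence files.

Added example for this page, not HashCalc's code and not part of the
original slides. Files are hashed in fixed-size chunks so that a memory
image of many gigabytes is never read into RAM at once; the digests are
stored in a manifest and re-verified later.
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # 1 MiB per read; an assumed, not mandated, size


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file, reading it chunk by chunk."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(paths):
    """Digests recorded at acquisition time, before the evidence leaves the scene."""
    return {path: hash_file(path) for path in paths}


def verify_manifest(manifest):
    """Recompute every digest; a single changed byte yields MISMATCH."""
    results = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            results[path] = "missing"
            continue
        actual = hash_file(path, tuple(expected))
        results[path] = "ok" if actual == expected else "MISMATCH"
    return results


def known_answer():
    """Digests of the three bytes b'abc' (standard MD5 / SHA-256 test vectors)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "abc.bin")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        return hash_file(path)


def demo():
    """Constructed scenario: two evidence files, one of which is altered later."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "memory.raw")  # constructed names and contents
        log = os.path.join(d, "system.log")
        with open(image, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK_SIZE + 17))  # spans several chunks
        with open(log, "wb") as fh:
            fh.write(b"constructed log line\n")
        manifest = build_manifest([image, log])
        before = verify_manifest(manifest)
        with open(log, "ab") as fh:  # tamper with one file after acquisition
            fh.write(b"x")
        after = verify_manifest(manifest)
        return before[image], before[log], after[image], after[log]


if __name__ == "__main__":
    print(known_answer())
    print(demo())
```

Recording two digests per file is a habit from tools like HashCalc; the SHA-256 value is the one that matters for integrity, while MD5 is kept only because older case records and tool outputs still list it. The manifest itself should be stored separately from the evidence (and ideally signed), since a manifest that travels with the files can be altered together with them.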
Autopsy
• Autopsy is a GUI-based open source digital forensic program to analyze hard drives and smart
phones effectively.
• Autopsy is used by thousands of users worldwide to investigate what actually happened in the
computer.
• It is widely used by corporate examiners and the military for investigations; some of its features are:
• File type detection
• Media playback
• Registry analysis
• Photos recovery from memory card
• Extract geo-location and camera information from JPEG
• Extract web activity from browser
• Show system events in graphical interface
• Timeline analysis
• Extract data from Android: SMS, call logs, contacts, etc.
• Extensive reporting, generating HTML and XLS files
• Memory forensics tools are used to acquire and/or analyze a computer's volatile memory (RAM).
MANDIANT Memoryze
• MANDIANT Memoryze, formerly known as MANDIANT Free Agent, is a memory analysis
tool.
• Memoryze can not only acquire the physical memory from a Windows system but it
can also perform advanced analysis of live memory while the computer is running.
• All analysis can be done either against an acquired image or a live system.
Belkasoft Evidence Center
• Belkasoft Evidence Center makes it easy for an investigator to acquire,
search, analyze, store and share digital evidence found inside computer and mobile
devices.
• The toolkit will quickly extract digital evidence from multiple sources by analyzing
hard drives, drive images, memory dumps, iOS, Blackberry and Android backups and
chip-off dumps.
• Evidence Center will automatically analyze the data source and lay out the most
forensically important artifacts for the investigator to review, examine more closely or
add to a report.
WxHexEditor
• WxHexEditor is an open source cross-platform hex editor written in C++ and
wxWidgets.
• It uses 64-bit file descriptors (supports files or devices up to 2^64 bytes).
• It does not copy the whole file into RAM. This makes it faster and lets it open
very large files. Among its features: you can copy/edit disks and HDD sectors
with it (useful for rescuing files or partitions by hand).
HELIX3
• This tool can collect data from physical memory, network connections, user
accounts, executing processes and services, scheduled jobs, Windows Registry, chat
logs, screen captures, applications, drivers, environment variables and Internet
history.
• The collected data is then analyzed and a report is generated on that basis.
Conclusion
• Memory forensics is a crucial skill for first responders and investigators alike, as it
allows for the quick and complete capturing of live system data for later scrutiny.
• And while this is a very important skill to learn, it is just one of the tools that you
will be taught when enrolling in one of the many forensic training courses that are
offered in the CCFE.
• The skills learned in the CCFE are critical for anybody seeking to certify their
knowledge, or to learn from scratch as a student in the field of computer forensics.
• There are so many reasons to take this course, and thanks to our boot camp,
getting started has never been easier.
Conclusion
• Memory forensics is widely used to acquire and analyze memory and to generate reports from it.
• Memory forensics tools are used to fetch the contents of RAM (the physical memory) from a seized device; the
seized device is connected through a write blocker so that there is no change in the evidence.
• We have used RAM Dump and Autopsy to collect data. These recover data such as deleted files, deleted logs and
running processes from physical memory (RAM) and the Registry, with the use of the RAM Dump, Registry Dump,
Autopsy and Volatility tools, which are used to back up files and help to generate the forensic report.
• Although many different tools are used for memory forensics, each tool has a different purpose and a different
data collection method.
• Of the six tools covered, judged by their features, two (Autopsy and Belkasoft Evidence Center) fulfil most of
the requirements.
• https://resources.infosecinstitute.com/topic/memory-forensics/
• https://resources.infosecinstitute.com/topic/memory-forensics-and-analysis-using-volatility/

More Related Content

PPTX
Memory Forensics
Anshul Tayal
 
PPTX
Memory forensics
Sunil Kumar
 
PPTX
Computer forensics
deaneal
 
PPTX
Autopsy Digital forensics tool
Sreekanth Narendran
 
PPTX
Computer forensics toolkit
Milap Oza
 
PPT
Introduction to computer forensic
Online
 
PPTX
Network Forensics
primeteacher32
 
PPTX
Data Acquisition
primeteacher32
 
Memory Forensics
Anshul Tayal
 
Memory forensics
Sunil Kumar
 
Computer forensics
deaneal
 
Autopsy Digital forensics tool
Sreekanth Narendran
 
Computer forensics toolkit
Milap Oza
 
Introduction to computer forensic
Online
 
Network Forensics
primeteacher32
 
Data Acquisition
primeteacher32
 

What's hot (20)

PPTX
Introduction to filesystems and computer forensics
Mayank Chaudhari
 
PPTX
Incident response process
Bhupeshkumar Nanhe
 
PPTX
Data recovery
gupta8741
 
PPT
Windowsforensics
Santosh Khadsare
 
PPT
Computer forensics
SCREAM138
 
PPTX
Digital forensics
yash sawarkar
 
DOC
File System FAT And NTFS
Inocentshuja Ahmad
 
PDF
Digital forensic principles and procedure
newbie2019
 
PDF
Forensics of a Windows System
Conferencias FIST
 
PPTX
Module 02 ftk imager
ParminderKaurBScHons
 
PPTX
Encase Forensic
Megha Sahu
 
PPTX
Digital forensic tools
Parsons Corporation
 
PDF
05 Duplication and Preservation of Digital evidence - Notes
Kranthi
 
ODT
Operating System Forensics
ArunJS5
 
PPTX
Digital forensics
vishnuv43
 
PPTX
L6 Digital Forensic Investigation Tools.pptx
Bhupeshkumar Nanhe
 
PPTX
Digital Forensic ppt
Suchita Rawat
 
PDF
Incident response methodology
Piyush Jain
 
PPT
File Carving
Aakarsh Raj
 
Introduction to filesystems and computer forensics
Mayank Chaudhari
 
Incident response process
Bhupeshkumar Nanhe
 
Data recovery
gupta8741
 
Windowsforensics
Santosh Khadsare
 
Computer forensics
SCREAM138
 
Digital forensics
yash sawarkar
 
File System FAT And NTFS
Inocentshuja Ahmad
 
Digital forensic principles and procedure
newbie2019
 
Forensics of a Windows System
Conferencias FIST
 
Module 02 ftk imager
ParminderKaurBScHons
 
Encase Forensic
Megha Sahu
 
Digital forensic tools
Parsons Corporation
 
05 Duplication and Preservation of Digital evidence - Notes
Kranthi
 
Operating System Forensics
ArunJS5
 
Digital forensics
vishnuv43
 
L6 Digital Forensic Investigation Tools.pptx
Bhupeshkumar Nanhe
 
Digital Forensic ppt
Suchita Rawat
 
Incident response methodology
Piyush Jain
 
File Carving
Aakarsh Raj
 
Ad

Similar to Memory forensics.pptx (20)

PDF
2010 2013 sandro suffert memory forensics introdutory work shop - public
Sandro Suffert
 
PDF
Digital Forensics
Vikas Jain
 
PPTX
Memory Forensic: Investigating Memory Artefact
Satria Ady Pradana
 
PPTX
Memory Forensic - Investigating Memory Artefact
Satria Ady Pradana
 
PDF
Práctica de informática forense taller práctico
LJPT2
 
PDF
Stop pulling the plug
Kamal Rathaur
 
PDF
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
ijsrd.com
 
PDF
Live Forensics Analysis Method for Random Access Memory on Laptop Devices
IJCSIS Research Publications
 
DOCX
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
PDF
Forensics
Ghariani Tewfik
 
PDF
Study on Live analysis of Windows Physical Memory
IOSR Journals
 
PDF
A Literature Review On Cyber Forensic And Its Analysis Tools
Samantha Vargas
 
PDF
Automated Live Forensics Analysis for Volatile Data Acquisition
IJERA Editor
 
PPT
Fs Ch 18
warren142
 
PPTX
Latest presentation
Adetunji Adeoje
 
DOCX
Cyber&digital forensics report
yash sawarkar
 
PPTX
Investigating Malware using Memory Forensics
Cysinfo Cyber Security Community
 
PDF
One-Byte Modification for Breaking Memory Forensic Analysis
Takahiro Haruyama
 
PDF
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
PDF
ResearchPaperITDF2435
Manuel Garza
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
Sandro Suffert
 
Digital Forensics
Vikas Jain
 
Memory Forensic: Investigating Memory Artefact
Satria Ady Pradana
 
Memory Forensic - Investigating Memory Artefact
Satria Ady Pradana
 
Práctica de informática forense taller práctico
LJPT2
 
Stop pulling the plug
Kamal Rathaur
 
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
ijsrd.com
 
Live Forensics Analysis Method for Random Access Memory on Laptop Devices
IJCSIS Research Publications
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
Forensics
Ghariani Tewfik
 
Study on Live analysis of Windows Physical Memory
IOSR Journals
 
A Literature Review On Cyber Forensic And Its Analysis Tools
Samantha Vargas
 
Automated Live Forensics Analysis for Volatile Data Acquisition
IJERA Editor
 
Fs Ch 18
warren142
 
Latest presentation
Adetunji Adeoje
 
Cyber&digital forensics report
yash sawarkar
 
Investigating Malware using Memory Forensics
Cysinfo Cyber Security Community
 
One-Byte Modification for Breaking Memory Forensic Analysis
Takahiro Haruyama
 
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
ResearchPaperITDF2435
Manuel Garza
 
Ad

More from 9905234521 (12)

PPTX
SOC2_Proposal_Walkover_MSG91.pptxSOC2_Type1_Kickoff_Plan
9905234521
 
PPTX
SOC2_Overview_WilsonMar_Based_Deck.pptx SOC2_Type1_Kickoff_Plan
9905234521
 
PPTX
SOC2_Type1_Phase2_IT_Landscaping_Plan SOC2_Type1_Kickoff_Plan
9905234521
 
PPTX
SOC2_Type1_Kickoff_Plan SOC2_Type1_Kickoff_Plan
9905234521
 
PPTX
SOC2_Criteria_and_Maintenance SOC 2 Type 2 Checklist
9905234521
 
PPTX
SOC2_Tools_and_Goals SOC 2 Type 2 Checklist
9905234521
 
PPTX
SOC2_Certification_Process.SOC2_Compliance_Overview
9905234521
 
PPTX
SOC2_Compliance_Overview GRC SOC2_Compliance_Overview
9905234521
 
PPTX
Lecture 1-Introduction to IT Industry Verticals.pptx
9905234521
 
PDF
misp-training.pdf
9905234521
 
PPTX
Activation Functions.pptx
9905234521
 
PPTX
Steganography.pptx
9905234521
 
SOC2_Proposal_Walkover_MSG91.pptxSOC2_Type1_Kickoff_Plan
9905234521
 
SOC2_Overview_WilsonMar_Based_Deck.pptx SOC2_Type1_Kickoff_Plan
9905234521
 
SOC2_Type1_Phase2_IT_Landscaping_Plan SOC2_Type1_Kickoff_Plan
9905234521
 
SOC2_Type1_Kickoff_Plan SOC2_Type1_Kickoff_Plan
9905234521
 
SOC2_Criteria_and_Maintenance SOC 2 Type 2 Checklist
9905234521
 
SOC2_Tools_and_Goals SOC 2 Type 2 Checklist
9905234521
 
SOC2_Certification_Process.SOC2_Compliance_Overview
9905234521
 
SOC2_Compliance_Overview GRC SOC2_Compliance_Overview
9905234521
 
Lecture 1-Introduction to IT Industry Verticals.pptx
9905234521
 
misp-training.pdf
9905234521
 
Activation Functions.pptx
9905234521
 
Steganography.pptx
9905234521
 

Recently uploaded (20)

PDF
Top 10 read articles In Managing Information Technology.pdf
IJMIT JOURNAL
 
PPTX
business incubation centre aaaaaaaaaaaaaa
hodeeesite4
 
PDF
Biodegradable Plastics: Innovations and Market Potential (www.kiu.ac.ug)
publication11
 
PPT
SCOPE_~1- technology of green house and poyhouse
bala464780
 
PPTX
easa module 3 funtamental electronics.pptx
tryanothert7
 
PDF
Introduction to Data Science: data science process
ShivarkarSandip
 
PDF
Chad Ayach - A Versatile Aerospace Professional
Chad Ayach
 
PDF
FLEX-LNG-Company-Presentation-Nov-2017.pdf
jbloggzs
 
PPTX
Information Retrieval and Extraction - Module 7
premSankar19
 
PDF
Software Testing Tools - names and explanation
shruti533256
 
PDF
dse_final_merit_2025_26 gtgfffffcjjjuuyy
rushabhjain127
 
PDF
67243-Cooling and Heating & Calculation.pdf
DHAKA POLYTECHNIC
 
PDF
Introduction to Ship Engine Room Systems.pdf
Mahmoud Moghtaderi
 
PDF
July 2025: Top 10 Read Articles Advanced Information Technology
ijait
 
PPTX
Civil Engineering Practices_BY Sh.JP Mishra 23.09.pptx
bineetmishra1990
 
PPTX
22PCOAM21 Session 2 Understanding Data Source.pptx
Guru Nanak Technical Institutions
 
PPTX
Tunnel Ventilation System in Kanpur Metro
220105053
 
PPTX
IoT_Smart_Agriculture_Presentations.pptx
poojakumari696707
 
PDF
Advanced LangChain & RAG: Building a Financial AI Assistant with Real-Time Data
Soufiane Sejjari
 
PPTX
database slide on modern techniques for optimizing database queries.pptx
aky52024
 
Top 10 read articles In Managing Information Technology.pdf
IJMIT JOURNAL
 
business incubation centre aaaaaaaaaaaaaa
hodeeesite4
 
Biodegradable Plastics: Innovations and Market Potential (www.kiu.ac.ug)
publication11
 
SCOPE_~1- technology of green house and poyhouse
bala464780
 
easa module 3 funtamental electronics.pptx
tryanothert7
 
Introduction to Data Science: data science process
ShivarkarSandip
 
Chad Ayach - A Versatile Aerospace Professional
Chad Ayach
 
FLEX-LNG-Company-Presentation-Nov-2017.pdf
jbloggzs
 
Information Retrieval and Extraction - Module 7
premSankar19
 
Software Testing Tools - names and explanation
shruti533256
 
dse_final_merit_2025_26 gtgfffffcjjjuuyy
rushabhjain127
 
67243-Cooling and Heating & Calculation.pdf
DHAKA POLYTECHNIC
 
Introduction to Ship Engine Room Systems.pdf
Mahmoud Moghtaderi
 
July 2025: Top 10 Read Articles Advanced Information Technology
ijait
 
Civil Engineering Practices_BY Sh.JP Mishra 23.09.pptx
bineetmishra1990
 
22PCOAM21 Session 2 Understanding Data Source.pptx
Guru Nanak Technical Institutions
 
Tunnel Ventilation System in Kanpur Metro
220105053
 
IoT_Smart_Agriculture_Presentations.pptx
poojakumari696707
 
Advanced LangChain & RAG: Building a Financial AI Assistant with Real-Time Data
Soufiane Sejjari
 
database slide on modern techniques for optimizing database queries.pptx
aky52024
 

Memory forensics.pptx

  • 4. What is Memory Forensics? • Memory forensics is a vital form of cyber investigation that allows an investigator to identify unauthorized and anomalous activity on a target computer or server. • This is usually achieved by running special software that captures the current state of the system’s memory as a snapshot file, also known as a memory dump. • This file can then be taken offsite and searched by the investigator.
  • 5. • This is useful because of the way in which processes, files and programs are run in memory, and once a snapshot has been captured, many important facts can be ascertained by the investigator, such as: • Processes running • Executable files that are running • Open ports, IP addresses and other networking information • Users that are logged into the system, and From where Files that are open and by whom
  • 6. Introduction • The enhancement of technology has led to a considerable amount of growth in number of cases pertaining to cyber-crime and has raised an enormous challenge to tackle it effectively. • There are various cyber forensic techniques and tools used to recover data from the devices to tackle cyber-crime. • Focuses on performing memory forensic and analyzes the memory which contains many pieces of information relevant to forensic investigation, such as • username, password, cryptographic keys, deleted files, deleted logs, running processes; • that can be helpful to investigate the cyber-crime pining down the accused.
  • 7. • Depending on the situation, upon arriving on crime scene, an investigator is left with two options: • either interact with the system or • pull the plug. • On one side, it has been known for some time that normal user interaction is undesirable, even performing a clean shutdown would destroy potential evidence by changing timestamps and potentially overwriting information. • Following this train of thought, it was suggested that pulling the plug of a machine will leave it in a more preserved state than powering it down gracefully. • On the other side, while pulling the plug does preserve the current contents of the hard disk drive, RAM it allows little or no insight into what operations the system was performing at the time when the power was removed.
  • 8. • In light of this lack of knowledge, others have provided incident response steps to perform in order to gain insight about the state of the system. • Neither of the options works if the contents of RAM is of concern as pulling the plug clears the contents of RAM, while performing many incident response action overwrites potential evidence in memory akin to create new files on a suspects hard disk. • When concerned with the contents of RAM, neither choice is adequate. • Simply, pulling the plug can clear the contents of RAM (in most cases), and performing many incident response actions overwrites potential evidence in memory akin to creating new files on a suspect hard disk drive. • Two additional concepts need to be introduced into acquisition and analysis stages in order to take advantage of RAM contents: the acquisition of RAM, and the extraction of information from the RAM duplicate
  • 9. • Memory forensics involves analyzing the data stored in the physical memory at operating system runtime. • Its primary application is in the investigation of advanced computer attacks which are quiet enough to avoid leaving data on the computer hard drive. • Consequently, the memory (RAM) must be analyzed for forensic information. • Each and every function performed by an application or operating system results in a special kind of change to the random access memory. • These changes often stay for a long time after completion of the operation, significantly storing them, memory forensics provides extraordinary visibility into the runtime state of the system, such as • which processes were running, open network connections, and recently executed commands.
  • 10. • Individuals can perform an extraction of these artifacts that is totally independent of the machine being investigated. • Critical data may exist exclusively in memory, such as • unencrypted e-mail messages, • disk encryption keys, • non-cacheable internet history records, • off the record chat messages and • memory-resident injected code fragments. • Memory forensics is forensic analysis of a computer's memory dump. • Its primary application is investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive. • Consequently, the memory (RAM) must be analyzed for forensic information.
  • 11. Steps in memory forensics • The three main steps followed in memory forensic are • acquiring, • analyzing and • recovering. • Recovery of the evidences of crime from the volatile memory can be possible with the knowledge of different tools and techniques used in memory forensic. • It is always tough to analyze volatile memory as it stays for a very short period. • Not all tools can be used for memory forensic in every situation and therefore, it is important to have the knowledge of tools before applying to solve a particular cyber- crime.
  • 12. Steps in memory forensics • It is yet to establish on using a single tool for complete investigation, however, most of the tools used are successful in providing reasonable evidences. • In this, insight will be provide to analyze the memory • that stores relevant data, • collection of evidences from the device(s), • extraction of essential data using different memory forensic tools, • tools useful for various purposes and • the best suited tool for a particular situation.
  • 13. Digital evidence • Digital evidence is volatile and fragile and; the improper handling of this evidence can alter it. • Because of its volatility and fragility, protocols need to be followed to ensure that data is not modified during its handling (i.e., during its access, collection, packaging, transfer, and storage). • These protocols delineate the steps to be followed when handling digital evidence. • There are four phases involved in the initial handling of digital evidence: identification, collection, acquisition, and preservation
  • 14. • There are protocols for the collecting volatile evidence. • Volatile evidence should be collected based on the order of volatility; that is, the most volatile evidence should be collected first, and the least volatile should be collected last. • The Request for Comments (RFC) 3227 document provides the sample of the order of volatile data (from most to least volatile) for standard systems (Brezinski and Killalea, 2002): • registers, cache • routing table, ...[address resolution protocol or ARP] cache, process table, kernel statistics, memory • temporary file systems • disk • remote logging and monitoring data that is relevant to the system in question • physical configuration, network topology • archival media
  • 16. Acquisition and Analysis of Memory • Volatile and Non-volatile memory are the two types of memory available in the system. • Volatile memory stores data temporarily and non-volatile data is stored permanently in the system. • Memory stores current working of processes, registers, stack of processes, deleted files, and encrypted data. • Volatile memory or Random Access Memory (RAM) only maintains its data while the computer or device is powered on. • Non-volatile Memory, or NVRAM, is for longerterm storage. • When a computer is powered off, evidence in RAM is lost and normally cannot be recovered, however, the data in NVRAM often remains after the system is powered off and can be analyzed after the fact.
  • 17. Acquisition and Analysis of Memory • Acquisition is done with two different approaches. • 1) Live System/Device • 2) Dead System/Device. • When system is live it uses different technique to retrieve data from the system than dead system. • Farada bag is used to collect device and then forensic is proceeded.
  • 18. Acquisition and Analysis of Memory • Acquisition is a technique in which collection of evidence is carried out from the seized device through which a crime is committed. • A write blocker is attached with the seized device to collect the data, so that there is no change in the evidence and hash value can be calculated after which RAM and Registry is Dump with the use of RAM Dump memory forensic tool which collects all the data from the RAM and generate the reg.mem file which collects all the data from RAM and then this file is analyzed in Encase tools and report is generated. • If the retrieved data matches with the original one then accused can be convicted on the basis of this.
  • 19. • Memory forensic is about capturing the memory contents which is a great tool for incident response, malware analysis, and digital forensics capabilities. • Vital information can be retrieved through assessment of network packet captures and hard disk, however, • it is the matter of computer memory that enables the investigative agency to reconstruct the entire event of past, present and future happenings after inducing malware or an intrusion by advance risk factors. • Even a small part of information stored in RAM may help to associate typical forensic artifact that may appear different and allow for an integration which could otherwise remain unnoticed.
  • 20. • There are three reasons for gathering and analyzing the data contained in the physical memory. • The physical memory contains real-time data related to the operating system environment, such as the currently mounted file system and the list of processes being operated. • Even the encrypted data is generally decrypted when it is stored in the physical memory. • Therefore, significant information can be obtained if analysis is performed effectively on the physical memory. • The different types of information that can be extracted from memory include processes, dynamic link libraries (dll), process memory, image identification, kernel memory and objects, networking, registry, malware.
  • 21. Memory Analysis • Memory Analysis is a process & technique of using a ‘memory image’ to get information about the overall state of a computer, the programs running on it, the operating system and other digital artifacts and network connectivity etc. • Actually, Memory Analysis is the domain of Memory forensics, sometimes referred to as memory analysis that refers to the analysis of volatile data in a computer’s memory dump. • It is forensic analysis of a computer's memory dump. • The primary application of memory analysis is inspecting computer attacks.
  • 22. Memory Analysis • These attacks are stealthy enough to avoid leaving data on the computer's hard drive. • For this, (RAM) or the memory (whether primary or other memory drives and devices) must be analyzed for forensic information. • By performing memory forensics analysis, information security professionals investigate and identify attacks or malicious behaviors that do not leave easily detectable tracks on hard drive data.
  • 23. • Because the analysis is highly dependent on the operating system, it has been divided into the following and based on it there are different and versatile memory imaging and memory acquisition tools to perform and analyze memory to retrieve various types of static and running data. • Physical memory analysis from Windows systems can provide important information about the target operating system. • This field is still very new, but holds great promise.
  • 24. How is Memory Forensics Different from Hard Drive Forensics? • Memory forensics can be thought of as a current snapshot of a system that gives investigators a near real time image of the system while in use. • Hard drive forensics is normally focused on data recovery and decryption, usually made from an image of the drive in question. • One can think of memory forensics as a live response to a current threat, while hard drive forensics can be seen as more of a post mortem of events that have already transpired. • Memory forensics is time sensitive, as the information that is required is stored in volatile system memory, and if the system is restarted or powered off, then that information is flushed from system memory.
  • 25. How is Memory Forensics Different from Hard Drive Forensics? • Hard drives, on the other hand, are non-volatile form of computer storage. There are some volatile elements to hard drives, such as cache and buffer stores, so this also needs to be taken into account by the forensic investigator. • Depending on the nature of the investigation, either technique can be used to gain further information about the system in question. • Likewise, both methods can be used on the same system if necessary, and investigators will have to use their discretion and select the appropriate action where necessary.
  • 26. Memory Forensics: Acquisition Methods • The angle of investigation that you take during this acquisition phase will depend mostly on the scenario that you are presented with and the requirements of the case. • This depends largely on the operating system that your host is running, or what the perceived issue is that needs to be investigated at the time of the incident. • How you go about capturing the image also depends on what you are trying to establish through your investigative process, and what it is that you are trying to prove or disprove.
  • 27. Memory Forensics: Acquisition Methods • Generally your investigation will focus on the activities of the user on the system, or evidence that proves that the system in question has been compromised. • Sometimes even encryption keys and passwords can be uncovered if they are part of the evidentiary requirements of your case. • There must be a clear understanding of what needs to be established on the target system, and how it can help to advance your investigation. • Forensic investigators are highly skilled and can identify activity on a system that should not be present, allowing them to prove that a system has been compromised. • It allows them to identify rootkits and malware, to find unusual processes, and reveal covert communication, which can shed light on what is happening currently in a target system.
  • 28. Memory Forensics: Acquisition Methods • Here are some examples of acquisition formats that are used in memory forensics. • RAW Format – Extracted from a live environment • Crash Dump – Information gathered by the operating system • Hibernation File – A saved snapshot that your operating system can return to after hibernating • Page File – This is a file that stores similar information that is stored in your system RAM • VMWare Snapshot – This is a snapshot of a virtual machine, which saves its state as it was at the exact moment that the snapshot was generated
  • 29. Memory Forensics: Acquisition Methods • Once you have acquired your data, you can begin the process of examining the system, and any suspicious activities will then be uncovered as you proceed. • Data carving is a commonly used approach, and depending on the desired outcomes of your particular case, there are many other approaches that can be looked at as well.
  • 30. Memory Imaging • Memory imaging is the process of making a bit-by-bit copy of memory. • In principle it is similar to Disk Imaging. • A ‘memory image’ is simply the view of the current state and components of the systems memory at a certain time. • It is something like an image (or a photocopy) to be able to examine it afterwards. • The resulting copy is stored in a ‘Forensics image format’. • Some of these formats have means to differentiate between an image of memory and (e.g.) that of a disk.
  • 31. Memory Imaging • For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O. • The physical memory of computers can be imaged and analyzed using a variety of tools. • The procedure for accessing physical memory varies between operating systems, Hence, there are different tools for different operating systems. • Once memory has been imaged, it is subjected to memory analysis to ascertain the state of the system, extract artifacts, and so on.
  • 32. Memory Forensics Process • Memory Forensics process starts with the acquisition of target machines. • Now these images can be any formats such as: *Raw Format *Hibernation File *Page File *Crash Dump etc. • There are various tools available like MoonSols, Belkasoft RAM capture which will assist in the acquisition of the image. • For page files remember that there can be a maximum of 16-page files in a system, so once the image is acquired, analyst must check for all available page files. • For a Hibernation file, before the analyst starts analyzing the image, it needs to be decompressed. • Also for the VM’s image taking a snapshot is the best way to start; however, keep in mind that there are other files as other than snapshot which might contain some relevant data.
  • 33. • Once the Image is acquired, then the next step is to ensure that the image profiling is done. • Normally tools like Volatility look for KDBG block to find out the image OS and Service Pack. • Since this block leads to Active process list and loaded modules, you can also find information like a number of active processes, the number of loaded modules directly from such high level. • Once the profile is selected, then we start finding other artifacts from the acquired image like running process on the system when the image is acquired, what dlls are loaded, what network connections were active at the time of acquiring. • There are lot more artifacts that can be collected from the system at this point. • Once the profiling is done, then the analyst compare the outcome of different artifacts with the normal and find out discrepancies. • Since memory data is huge, this step requires experience and OS level understanding to filter out known goods. • Once the outliers are established, or if some other interesting section of memory is acquired, then that portion of memory is dumped for further analysis.
• 34. Challenges in Memory Forensics • The most important part is to make sure that the image is acquired properly and that its integrity is maintained throughout the course of analysis and investigation; hash the image at acquisition time and verify the hash before each analysis session. • Without a clean capture there may be very few artifacts left in the image to analyze, if any. • With frequent OS releases from vendors, OS internal structures change rapidly, and memory forensics tools often lag behind and cannot parse the newer images. • For example, several acquisition tools were not compatible with Windows 10 when it was released. • Since virtualization is adopted by most organizations these days, there is a gap between the image formats produced by VM vendors and what the analysis software can read.
• 35. Challenges in Memory Forensics • As described above, the volume of data in a memory image is huge and requires a thorough understanding of internal structures and of expected (benign) OS and process behavior to separate known goods from anomalies. • As mentioned above, memory regions that require further analysis must be dumped. • To analyze them end to end, memory forensics must be combined with reverse engineering. • Memory forensics therefore has a lot of power to establish hidden context in an investigation and should be an integral part of every investigation. • Memory forensics has its own challenges, but they can be overcome with experience and practice.
• 36. Practical Issue • One of the most annoying problems in memory imaging is verifying that the image has been created correctly, that is, that it reflects the actual contents of memory at the time of its creation. • Because the contents of memory are constantly changing on a running system, the acquisition can be repeated, but the results will, with very high probability, never be the same. • Repeating the acquisition and comparing the results is therefore not a feasible way of validating that the image was created correctly. • Memory analysis can reveal whether the image's contents are consistent with the known layout and structures of a given operating system, and can answer other questions, but it cannot answer whether the image accurately reflects the system from which it was taken at the time it was taken.
• 37. History and Background • Zeroth Generation - Before 2004, generic data analysis tools like strings and grep were used, and memory forensics was done on an ad hoc basis. - These tools are difficult to use for this purpose because they were not created for memory forensics, and they provide limited information; their primary use is to extract text from a memory dump. - Several operating systems provide kernel developers and end users with a way to create a snapshot of physical memory, either for debugging (core dump or Blue Screen of Death crash dump) or for convenience (hibernation). - In the case of Microsoft Windows, crash dumps and hibernation have been present since Windows NT. - Microsoft crash dumps have always been analyzable with Microsoft WinDbg, and Windows hibernation files (hiberfil.sys) can nowadays be converted into crash dumps using utilities like the MoonSols Windows Memory Toolkit (now provided by Comae Technologies), designed by Matthieu Suiche.
• 38. • 1st Generation - In February 2004, Michael Ford introduced memory forensics into security investigations with an article in Sys Admin Magazine. In that article, he demonstrated the analysis of a memory-based rootkit. His process used the existing Linux crash utility along with two tools developed specifically for forensic recovery and analysis of memory, memget and mempeek. - In 2005, DFRWS issued a Memory Analysis Forensics Challenge. In response to this challenge, additional tools of this generation, specifically designed to analyze memory dumps, were created. - These tools had knowledge of the operating system's internal data structures and were therefore capable of reconstructing the operating system's process list and process information. - Although intended as research tools, they proved that operating-system-level memory forensics is possible and practical.
• 39. 2nd Generation - Several memory forensics tools were developed for practical use. - These include commercial tools like Memoryze and the MoonSols Windows Memory Toolkit, and open source tools like Volatility. - New features were added, such as analysis of Linux and Mac OS X memory dumps, and substantial academic research was carried out. - Memory forensics is now a standard component of incident response.
• 40. • 3rd Generation - Since 2010, focus and emphasis have shifted towards utilities for the visualization aspect of memory analysis, such as MoonSols LiveCloudKd, presented by Matthieu Suiche at the Microsoft BlueHat Security Briefings. - It inspired a new feature in Microsoft LiveKd, written by Mark Russinovich. - These tools allow virtual machine introspection: the memory of a guest virtual machine is accessed from the host, either to analyze it directly with Microsoft WinDbg or to acquire a memory dump in the Microsoft crash dump file format.
• 41. MEMORY IMAGING PROCESSING • One of the memory imaging tools, DumpIt, has been used here to acquire a memory image on the Windows platform. • The process was performed on a Windows 10 operating system. • This utility generates a physical memory dump of a Windows machine. • It works with both x86 (32-bit) and x64 (64-bit) machines. • A raw memory dump is written to the current directory; only a confirmation question is prompted before starting. • It is best to deploy the executable on a USB key for quick incident response needs, so that nothing has to be installed on the target. • Formerly provided by MoonSols, this utility is now provided by Comae Technologies.
• 42. MEMORY IMAGING PROCESSING • DumpIt is a free-to-use utility developed by Matthieu Suiche (MoonSols, now Comae Technologies). • The current version of DumpIt supports Windows XP through Windows 10 64-bit, and it provides extra information during acquisition, for instance the Directory Table Base and the address of the debugging data structures, which are required parameters for memory analysis frameworks such as Volatility or Rekall. • Step 1: Download the utility from Comae Technologies directly to your system. You may save it to a USB drive and execute the application directly from the USB. • Step 2: Open the executable and run the application; confirm the prompt, then record the hash of the resulting dump file before moving it off the system.
• 43. Identification • In the identification phase, preliminary information about the cybercrime case is obtained prior to collecting digital evidence. • This preliminary information is similar to that sought during a traditional criminal investigation. The investigator seeks to answer the following questions: • Who was involved? • What happened? • When did the cybercrime occur? • Where did the cybercrime occur? • How did the cybercrime occur?
• 44. Identification • The answers to these questions will provide investigators with guidance on how to proceed with the case. • For example, the answer to the question "where did this crime occur?", that is, within or outside of a country's borders (see Cybercrime Module 3 on Legal Frameworks and Human Rights for information about jurisdictions), will inform the investigator on how to proceed with the case (e.g., which agencies should be involved and/or contacted).
• 45. Memory Forensic Tools on the Market • Volatility: an open source framework for analyzing RAM, with support for Windows, Linux and Mac operating systems. It can analyze raw dumps, crash dumps, VMware and VirtualBox dumps without issues. • Rekall: an end-to-end solution for incident responders and investigators, featuring both acquisition and analysis tools. It is more of a forensic framework suite than a single application.
• 46. Memory Forensic Tools on the Market • Helix ISO: a bootable live CD as well as a standalone application that makes it easy to capture a memory dump or memory image of a system. • There are risks associated with running it directly on a target system, namely an acquisition footprint (the tool's own pages overwrite part of what you are trying to capture), so make sure that fits your requirements. • Belkasoft RAM Capturer: another forensic tool that captures the volatile contents of system memory to a file. • First responders will find that the functionality and the wide range of tools in this software package let their investigations start as quickly as possible.
• 47. Memory Forensic Tools on the Market • Process Hacker: an open source process monitoring application that is useful to run while the target machine is in use. • It gives the investigator a better understanding of what is currently affecting the system before the memory snapshot is taken, helps to uncover malicious processes, and can even help to identify which processes have been terminated within a given period of time. • Once you have captured the data you need, you can start to examine it and look for meaningful information about the target PC you are interrogating.
• 48. Memory Forensics: Examining Your Captured Data • There are many avenues an investigator can take when analyzing a target system, so many in fact that entire book series are dedicated to the subject. We will instead look at some common approaches an investigator can use to glean more information via memory forensics. • Open Files Associated With a Process: • This is an extremely useful approach, as it shows which files are open by a suspicious process on the target system. • Malware can often be identified just by the location of the files it has open, and knowing where these files are located is also beneficial to the overall investigation, especially if these files store logs of the user's keyboard input. • That would mean the user's passwords may have been divulged to the malware authors, which helps to strengthen the case the investigator is building.
• 49. Memory Forensics: Examining Your Captured Data • Decoded Applications in Memory: • Sometimes the malware present on the target system is encrypted or packed on disk, making it impossible for anyone but the perpetrator to make sense of the binary or of the data it has been collecting. • However, the code has to be decrypted to run, so a decrypted copy of the application is often caught in the memory snapshot, which allows the investigator to examine the application's activities more accurately. • The investigator might also be able to recover the cipher or key that was used, thus allowing them to read previously inaccessible data associated with the malware instance on the target machine.
• 50. Memory Forensics: Examining Your Captured Data • Timestamp Comparison: • In some instances, malware alters the timestamps of files on the target host so that they appear untouched by the infection. • This is known as time stomping, and it can seriously inhibit an investigator's ability to discover when the infection first occurred. • With a memory dump, investigators can compare process creation timestamps (which the malware cannot stomp without restarting) with the file system timestamps to establish when the system was first compromised. • Once a date and time has been established, records such as emails and browser history can be examined to identify the likely cause of the infection, by correlating the process timestamps with the time frames of those applications.
• 51. Memory Forensics: Examining Your Captured Data • Network Information: • Once the infected processes have been identified, the network communications surrounding the infection can be dissected further. • This can reveal a virtual treasure trove of information, such as: • Remote IP addresses, such as the server the malware instance reports back to • Ports opened or used on the host machine • The frequency at which the malware was communicating over the network • How the infection spreads itself over the network
• 52. Memory Forensics: Examining Your Captured Data • User Activity: • By combining the information acquired in all of the previous steps, the forensic investigator can piece together a fairly accurate series of events leading up to the incident. • The system log files captured earlier help to ascertain to what extent, if any, a user on site was involved. • Remote unauthorized access can also be detected, which helps to determine how far the organization's network has been compromised. • Once the findings have been made, the investigator can work with his or her team to establish whether other sources of information need to be examined and whether additional techniques need to be applied to the target machine or data set.
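The "compare with normal" step of slide 33 and the network and timeline analysis of slides 50 to 52 are easy to automate once the framework has produced its listings. The following added example (written for this page, not code from Volatility or any tool it names) reads constructed process and network listings, flags processes whose parent does not match a known-good baseline and processes holding connections to addresses outside the organization's ranges, and builds a combined timeline. The column layout mimics the tab-separated text renderer of Volatility 3's windows.pslist and windows.netscan, trimmed to the columns used; the sample rows, the minimal parent baseline and the "internal" address ranges are all assumptions made for the demonstration.

```python
"""Correlate process and network listings from a memory image to find outliers."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Known-good parent for core Windows processes. Assumption: a minimal baseline;
# in practice it is built from a clean image of the same OS build.
EXPECTED_PARENT = {
    "smss.exe": {"System"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}

# Address ranges treated as internal (RFC 1918, loopback, link-local, unspecified).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample listings (not real investigation output).
PSLIST = """\
PID\tPPID\tImageFileName\tCreateTime
4\t0\tSystem\t2023-05-11 08:00:01
348\t4\tsmss.exe\t2023-05-11 08:00:03
456\t348\twininit.exe\t2023-05-11 08:00:05
520\t456\tservices.exe\t2023-05-11 08:00:06
528\t456\tlsass.exe\t2023-05-11 08:00:06
640\t520\tsvchost.exe\t2023-05-11 08:00:09
3016\t2900\texplorer.exe\t2023-05-11 08:01:40
2140\t3016\tsvchost.exe\t2023-05-11 09:14:20
"""

NETSCAN = """\
Proto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
TCPv4\t10.0.0.5\t49500\t10.0.0.10\t445\tESTABLISHED\t640\tsvchost.exe\t2023-05-11 08:02:11
UDPv4\t0.0.0.0\t5353\t*\t0\t-\t640\tsvchost.exe\t2023-05-11 08:00:12
TCPv4\t10.0.0.5\t49712\t203.0.113.45\t443\tESTABLISHED\t2140\tsvchost.exe\t2023-05-11 09:14:22
"""


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    created: datetime


@dataclass
class Conn:
    proto: str
    laddr: str
    lport: int
    faddr: str
    fport: int
    state: str
    pid: int
    owner: str
    created: datetime


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_pslist(text: str) -> dict:
    """Map PID -> Process from a pslist listing (header line skipped)."""
    rows = [line.split("\t") for line in text.splitlines()[1:] if line.strip()]
    return {int(r[0]): Process(int(r[0]), int(r[1]), r[2], _ts(r[3])) for r in rows}


def parse_netscan(text: str) -> list:
    """List of Conn from a netscan listing (header line skipped)."""
    rows = [line.split("\t") for line in text.splitlines()[1:] if line.strip()]
    return [Conn(r[0], r[1], int(r[2]), r[3], int(r[4]), r[5], int(r[6]), r[7], _ts(r[8]))
            for r in rows]


def is_external(addr: str) -> bool:
    """True for a routable remote address; placeholders such as '*' are not external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_anomalies(procs: dict, conns: list) -> list:
    """Return (pid, reason) pairs for parent-chain violations and external connections."""
    findings = []
    for p in procs.values():
        expected = EXPECTED_PARENT.get(p.name.lower())
        parent = procs.get(p.ppid)
        if expected and (parent is None or parent.name not in expected):
            seen = parent.name if parent else "unknown"
            findings.append((p.pid, f"{p.name} started by {seen}, expected {'/'.join(sorted(expected))}"))
    for c in conns:
        if is_external(c.faddr):
            findings.append((c.pid, f"{c.owner} has {c.proto} connection to {c.faddr}:{c.fport} ({c.state})"))
    return findings


def timeline(procs: dict, conns: list) -> list:
    """Process creations and socket creations merged into one time-ordered list."""
    events = [(p.created, f"process {p.pid} {p.name} created") for p in procs.values()]
    events += [(c.created, f"socket pid {c.pid} {c.laddr}:{c.lport} -> {c.faddr}:{c.fport}")
               for c in conns]
    return sorted(events)


if __name__ == "__main__":
    procs, conns = parse_pslist(PSLIST), parse_netscan(NETSCAN)
    for pid, reason in find_anomalies(procs, conns):
        print(f"[!] PID {pid}: {reason}")
    for when, what in timeline(procs, conns):
        print(when, what)
```

On the sample data the svchost.exe with PID 2140 is flagged twice: its parent is explorer.exe rather than services.exe, and it owns the only connection to a non-internal address. The timeline then places that process creation seconds before its outbound socket, which is the correlation slide 50 describes, and the PID is what you would pass to the framework's process dumping plugin for the reverse engineering step mentioned on slide 35.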
• 53. Tools and Techniques • Memory analysis has two phases: acquisition of the data and analysis of the collected data. • Collection of evidence focuses on obtaining digital evidence in an acceptable (forensically sound) form. • There are two main approaches to acquiring physical memory images: hardware-based tools and software-based tools.
• 54. • Volatility • Volatility is an open source memory forensics framework for incident response and malware analysis. • It is written in Python and supports Microsoft Windows, Mac OS X and Linux. • Volatility is one of the best open source programs for analyzing RAM from 32-bit and 64-bit systems. • It can analyze raw dumps, crash dumps, VMware dumps (.vmem), VirtualBox dumps and many others. • Volatility is used to analyze RAM and recover data from it. • The hash values of the collected evidence (stored files, deleted files, encrypted emails, password-protected files) can be calculated with the help of HashCalc and compared with the retrieved files.
• 55. Autopsy • Autopsy is a GUI-based open source digital forensics program for analyzing hard drives and smartphones. • Autopsy is used by thousands of users worldwide to investigate what actually happened on a computer. • It is widely used by corporate examiners and the military. Some of its features are: • File type detection • Media playback • Registry analysis • Photo recovery from memory cards • Extraction of geo-location and camera information from JPEG files • Extraction of web activity from browsers • Display of system events in a graphical interface • Timeline analysis • Extraction of data from Android (SMS, call logs, contacts, etc.) • Extensive reporting in HTML and XLS format • Memory forensics tools are used to acquire and/or analyze a computer's volatile memory (RAM).
• 56. MANDIANT Memoryze • MANDIANT Memoryze, formerly known as MANDIANT Free Agent, is a memory analysis tool. • Memoryze can not only acquire the physical memory of a Windows system but can also perform advanced analysis of live memory while the computer is running. • All analysis can be done either against an acquired image or against a live system. Belkasoft Evidence Center • Belkasoft Evidence Center makes it easy for an investigator to acquire, search, analyze, store and share digital evidence found on computers and mobile devices. • The toolkit quickly extracts digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, BlackBerry and Android backups, and chip-off dumps. • Evidence Center automatically analyzes the data source and lays out the most forensically important artifacts for the investigator to review, examine more closely or add to a report.
• 57. WxHexEditor • WxHexEditor is an open source cross-platform hex editor written in C++ and wxWidgets. • It uses 64-bit file offsets (supports files or devices up to 2^64 bytes). • It does not copy the whole file into RAM, which makes it faster and lets it open very large files. • You can also view and edit disks and HDD sectors directly with it (useful for rescuing files or partitions by hand). HELIX3 • This tool can collect data from physical memory, network connections, user accounts, executing processes and services, scheduled jobs, the Windows Registry, chat logs, screen captures, applications, drivers, environment variables and Internet history. • The data is then analyzed and a report is generated from it.
• 59. Conclusion • Memory forensics is a crucial skill for first responders and investigators alike, as it allows the quick and complete capture of live system data for later scrutiny. • While this is a very important skill to learn, it is just one of the tools you will be taught when enrolling in one of the many forensic training courses offered for the CCFE. • The skills learned in the CCFE are critical for anybody seeking to certify their knowledge, or to learn from scratch as a student in the field of computer forensics. • There are many reasons to take this course, and thanks to our boot camp, getting started has never been easier.
• 60. Conclusion • Memory forensics is widely used to acquire and analyze memory and to generate reports from it. • Memory forensics tools fetch the contents of RAM (physical memory) from a seized device; the device is connected through a write blocker so that the evidence is not changed. • We have used a RAM dump and Autopsy to collect data. With the RAM dump, registry dump, Autopsy and Volatility tools, data such as deleted files, deleted logs and running processes can be recovered from physical memory, RAM and the registry, and a forensic report can be generated. • Although many different tools are used for memory forensics, each has a different purpose and a different data collection method. • Of the six tools discussed, two, Autopsy and Belkasoft Evidence Center, fulfill most of the requirements on the basis of their features.