1) The document discusses acquiring and analyzing RAM dumps from suspect systems to gather forensic evidence for use in court.
2) It describes RAM acquisition methods like live acquisition, hibernation, and using a RAM acquisition OS. It also discusses verifying RAM dumps through hashing.
3) General analysis methods discussed include using hex editors and string/grep searches to look for artifacts in raw RAM dumps. Advanced methods parse OS structures to recover more system state information.
2. PLAN
01 INTRODUCTION
• RAM; contents of RAM.
02 RAM DUMP ACQUISITION
• Acquisition and verification.
03 ANALYSIS
• General methods; advanced methods.
3. DISCLAIMER
All the tools and techniques used in this demo should not be performed on systems without clearance or authorization. It will be important to even get a lawyer before engaging in such activity.
4. INTRODUCTION
01
The goal of the session is to be able to comfortably acquire the RAM from a suspect's system and conduct forensic analysis to gather evidence that will later be used in court.
5. RAM PRIMER
- Fast, temporary storage.
- It has no file system (the memory management unit found in the OS keeps track of where data is located in RAM).
- It is the working area of the computer.
- Computers, phones, IoT devices, etc. all have RAM.
6. ARTIFACTS IN RAM
- Executed programs and files
- Decrypted content
- Passwords, usernames, emails, chats, opened web pages, network traffic, etc.
- Location of opened files on disk
7. NOTE
1. You can only acquire or access RAM when a computer is on.
2. All user activities on the device touch RAM in some way.
3. Most first responders do not collect RAM yet.
8. LIVE DATA FORENSICS
▪ It's worth noticing that the data is still changing.
▪ Understanding which data will be modified in the process is important.
▪ Ensure that no data relied upon in court is modified.
9. RAM DUMP ACQUISITION
02
ACQUISITION
- Live acquisition to storage while the target system is on
- Hibernating the target system (writes memory to disk)
- Reboot into a RAM acquisition OS
- VM → can dump RAM directly to a file
- RAM is normally collected while a system is live
VERIFICATION
- Create a reference hash of the dump after acquisition.
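The verification step in practice, as an added example (not code from the slides): the dump is hashed in fixed-size chunks right after acquisition so that a multi-gigabyte file never has to be loaded whole, the digest is stored in a sidecar file, and the same routine re-hashes the dump before analysis and reports any change. The sidecar name (<dump>.sha256) and the 4 MiB chunk size are this example's own choices, not a convention from the deck; the "dump" in demo() is a constructed file.

```python
"""Reference-hash a RAM dump after acquisition and re-verify it before analysis.

Added example; not code from the slides. It assumes the dump is a single
file on disk. The sidecar name (<dump>.sha256) and the 4 MiB chunk size are
this example's own choices, not a convention from the deck.
"""
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 4 * 1024 * 1024  # stream in 4 MiB pieces: flat memory use on multi-GB dumps


def hash_stream(fh, algorithm="sha256"):
    """Return the hex digest of an open binary stream, read chunk by chunk."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file on disk (the dump) without loading it whole."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithm)


def digest_of(data, algorithm="sha256"):
    """Digest of an in-memory byte string through the same code path."""
    return hash_stream(io.BytesIO(data), algorithm)


def write_reference(path, algorithm="sha256"):
    """Record the reference hash immediately after acquisition.

    The sidecar line is '<digest>  <basename>', the layout that
    `sha256sum -c` accepts, so the reference can also be checked with
    standard tools later.
    """
    digest = hash_file(path, algorithm)
    with open(f"{path}.{algorithm}", "w") as fh:
        fh.write(f"{digest}  {os.path.basename(path)}\n")
    return digest


def verify(path, algorithm="sha256"):
    """Re-hash the dump and compare it with the stored reference.

    Returns False if the sidecar is missing or unreadable, or if the digest
    differs: the dump changed (or is the wrong file) since acquisition.
    """
    try:
        with open(f"{path}.{algorithm}") as fh:
            expected = fh.read().split()[0]
    except (OSError, IndexError):
        return False
    return expected == hash_file(path, algorithm)


def demo():
    """Constructed walk-through: fake dump -> reference hash -> verify -> tamper -> verify."""
    with tempfile.TemporaryDirectory() as tmp:
        dump = os.path.join(tmp, "suspect.raw")
        with open(dump, "wb") as fh:
            fh.write(b"constructed sample dump\x00" * 1024)
        write_reference(dump)
        intact = verify(dump)
        with open(dump, "ab") as fh:  # simulate a single-byte modification
            fh.write(b"\x00")
        return intact, verify(dump)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second value in demo() is the point of the exercise: one appended byte is enough to make the reference fail, which is exactly what a court needs to see cannot have happened silently between acquisition and analysis.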
10. ANALYSIS
03
General Analysis
• Relies on specific structures in RAM to process and extract information
• Tends to look for more general data structures existing in the raw dataset
• Easier and faster for some tasks
• Used for low-level data analysis
11. GENERAL ANALYSIS METHODS
▪ HEXING A DUMP
▪ WORKING WITH POWERSHELL (STRINGS AND SELECT-STRING)
▪ FILE CARVING WITH PHOTOREC
▪ ALMIGHTY BULK_EXTRACTOR
12. ANALYSIS
03
Advanced Analysis
• Advanced analysis relies on data structures in memory that are specific to how the operating system's memory manager functions.
• Advanced analysis methods parse complicated operating system data structures to recover much more information about the system's state.
13. ADVANCED ANALYSIS METHODS
✓ Process analysis and dumping of files from RAM
✓ Command execution and network connection analysis
✓ Dumping Windows hashes
✓ Windows registry: UserAssist and hive extraction
Tools: Volatility 3, MemProcFS (demo)
14. Cheat-sheet
Acquisition
All actions on a live system will modify memory and probably disk.
Test acquisition tools and document what changes they normally make.
How much memory does the tool use?
Hex Editor
Good for low-level analysis and fast string and hex searches.
Common file headers → JPG: 0xFFD8FFE, DOCX: 0x504B030414, PDF: 0x25504446
Bookmark: https://www.garykessler.net/library/file_sigs.html
CLI Search
Windows: strings (from Sysinternals), Select-String (PowerShell)
Linux: strings, grep
| (pipe) sends one command's output to another command's input
> (redirect) sends a command's output to a file
Windows: strings [memimage] | Select-String '[keyword]'
Linux: strings [memimage] | grep '[keyword]'
Create password list from RAM: strings [memimage] > passlist.txt
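What the strings-and-grep pipeline above actually does, as an added example (not code from the slides): printable runs of at least four characters are pulled out of the raw bytes, filtered by keyword, or dumped as a wordlist. It adds one thing the plain `strings | grep` line misses on a Windows dump: UTF-16LE strings (what GNU `strings -el` finds), since most user-facing text in Windows memory is stored that way and an ASCII-only pass never sees it. SAMPLE_IMAGE is a constructed byte string standing in for [memimage].

```python
"""Extract and search strings in a raw memory image.

Added example; not code from the slides. It does what
`strings [memimage] | grep '[keyword]'` does, plus UTF-16LE extraction
(GNU `strings -el`), because most user-facing text in Windows memory is
stored as UTF-16LE and ASCII-only extraction silently misses it.
SAMPLE_IMAGE is constructed.
"""
import re

MIN_LEN = 4  # GNU strings' default minimum length

# ASCII: a run of printable bytes (space..tilde, plus tab)
_ASCII_RE = re.compile(rb"[\x20-\x7e\t]{%d,}" % MIN_LEN)
# UTF-16LE: the same printable range, each character followed by a NUL high byte
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % MIN_LEN)

# Constructed sample: an ASCII URL, a UTF-16LE chat line, and a too-short fragment
SAMPLE_IMAGE = (
    b"\x00\x00MZ\x90\x00"
    + b"http://example.invalid/login?user=alice"
    + b"\x00\x00\x00"
    + "Chat: meet at the docks".encode("utf-16le")
    + b"\xff\xfe\x01"
    + b"ab"
    + b"\x00\x00"
)


def extract_strings(image):
    """Yield (offset, encoding, text) for every ASCII or UTF-16LE run."""
    for m in _ASCII_RE.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in _UTF16_RE.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def search(image, keyword):
    """Case-insensitive keyword search, i.e. `strings ... | grep -i keyword`."""
    kw = keyword.lower()
    return [hit for hit in extract_strings(image) if kw in hit[2].lower()]


def password_list(image, min_len=MIN_LEN):
    """Candidate wordlist (the `strings [memimage] > passlist.txt` step):
    every whitespace-separated token of at least min_len characters, deduplicated."""
    words = set()
    for _, _, text in extract_strings(image):
        words.update(tok for tok in text.split() if len(tok) >= min_len)
    return sorted(words)


if __name__ == "__main__":
    for off, enc, text in search(SAMPLE_IMAGE, "docks"):
        print(f"{off:#010x} {enc:9} {text}")
```

The offset returned with each hit is what you take to the hex editor next: it is the position of the artifact in the raw dump, so the surrounding bytes (often the process or structure the string belongs to) can be inspected in context.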
PhotoRec
Recovers more than just images! Video, executables, databases, etc.
Carving for text ".txt" files will result in a lot of trash.
RAM does not have a partition or file system!
photorec [memimage]
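Why carving works on RAM at all, as an added example (not code from the slides, and not PhotoRec's own implementation): with no file system to consult, the carver scans the raw bytes for the headers listed under Hex Editor above and cuts each object at its footer, at the next known header, or at a size cap when the footer is missing (pages of the file were never resident or were paged out). The header bytes are the slide's (JPG FF D8 FF, DOCX 50 4B 03 04 14, PDF 25 50 44 46); the footers, size caps, output naming and SAMPLE_IMAGE are this example's own constructed choices.

```python
"""Signature-based file carving over a raw memory image.

Added example; not code from the slides or from PhotoRec. Files are found
by scanning for known headers and cut at the matching footer, at the next
known header, or at a size cap when the footer is missing. Header bytes
follow the slide; footers, size caps and SAMPLE_IMAGE are constructed.
"""
import os
from collections import namedtuple

# footer_extra: bytes that follow the footer and still belong to the file
Signature = namedtuple("Signature", "kind header footer footer_extra max_size")
Carved = namedtuple("Carved", "offset kind data complete")

SIGNATURES = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 0, 8 * 1024 * 1024),
    Signature("pdf", b"%PDF", b"%%EOF", 0, 32 * 1024 * 1024),
    # ZIP-based DOCX: ends with the 22-byte end-of-central-directory record
    Signature("docx", b"PK\x03\x04\x14", b"PK\x05\x06", 18, 16 * 1024 * 1024),
]


def _find_all(image, needle):
    """Yield every offset at which needle occurs in image."""
    off = image.find(needle)
    while off >= 0:
        yield off
        off = image.find(needle, off + 1)


def carve(image, signatures=SIGNATURES):
    """Return one Carved entry per header hit; complete=False means no footer was found."""
    hits = sorted((off, sig) for sig in signatures for off in _find_all(image, sig.header))
    results = []
    for i, (start, sig) in enumerate(hits):
        next_header = hits[i + 1][0] if i + 1 < len(hits) else len(image)
        limit = min(next_header, start + sig.max_size)
        end = image.find(sig.footer, start + len(sig.header), limit)
        if end >= 0:
            stop = min(end + len(sig.footer) + sig.footer_extra, len(image))
            results.append(Carved(start, sig.kind, image[start:stop], True))
        else:
            # footer missing: keep what is there, flagged as partial/corrupt
            results.append(Carved(start, sig.kind, image[start:limit], False))
    return results


def carve_to_dir(image, outdir):
    """Write each carved object as <offset>.<kind>; partial ones get a .partial suffix."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for c in carve(image):
        name = f"{c.offset:08x}.{c.kind}" + ("" if c.complete else ".partial")
        path = os.path.join(outdir, name)
        with open(path, "wb") as fh:
            fh.write(c.data)
        paths.append(path)
    return paths


# Constructed sample: a complete JPEG, a PDF whose tail never made it into RAM,
# and a minimal ZIP/DOCX, separated by zero padding
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    + b"\x00" * 8
    + b"%PDF-1.7\n1 0 obj\n<< >>\nendobj\n"
    + b"\x00" * 8
    + b"PK\x03\x04\x14\x00\x00\x00" + b"word/document.xml" + b"\x00" * 10
    + b"PK\x05\x06" + b"\x00" * 18
    + b"\x00" * 8
)

if __name__ == "__main__":
    for c in carve(SAMPLE_IMAGE):
        print(f"{c.offset:#010x} {c.kind:4} {len(c.data):5} bytes complete={c.complete}")
```

The partial PDF in the sample is the normal case in a memory image, not the exception: treat every carved object as a fragment until its own structure (JPEG markers, PDF xref, ZIP central directory) has been validated, and expect the "lot of trash" the slide warns about for formats such as .txt that have no header at all.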
15. Cheat-sheet
bulk_extractor
Good for large, batch processing of data sources.
Can often detect files and data that others cannot (stream processing).
Good at partial and corrupt file detection/parsing.
bulk_extractor -o [outdir] [memimage]
Volatility 3
Get image info: vol.py -f [memimage] windows.info
List processes: vol.py -f [memimage] windows.pslist
List file handles: vol.py -f [memimage] windows.handles --pid [pid] | Select-String 'File'
Dump file: vol.py -f [memimage] -o [dumpfolder] windows.dumpfiles --pid [pid] --virtaddr [vaddr]
Parse command line: vol.py -f [memimage] windows.cmdline.CmdLine
List network connections: vol.py -f [memimage] windows.netstat
Dump user password hashes: vol.py -f [memimage] windows.hashdump.Hashdump
Dump UserAssist to terminal: vol.py -f [memimage] windows.registry.userassist.UserAssist
List all registry hives: vol.py -f [memimage] windows.registry.hivelist.HiveList
Dump by filter: vol.py -f [memimage] -o "[dumpfolder]" windows.registry.hivelist --filter [keyword] --dump
Dump key & values: vol.py -f [memimage] windows.registry.printkey --key "[key]" --recurse