SlideShare ist ein Scribd-Unternehmen logo

Memory Forensics

n|u - The Open Security Community
n|u - The Open Security Community

null Mumbai Chapter Meet - December 2013

BildungTechnologie
1 von 18
Downloaden Sie, um offline zu lesen
आज का आहार Memory Forensics Varun Nair @w3bgiant
#whoami O Security enthusiast. O For food and shelter, I work with ZEE TV O For living, I learn 4N6, Malwares and Reverse Engineering O Recent developments: O Chapter lead at Null, Mumbai chapter.
If you listen!!!!! O Forensics Fundamentals O Action Plan O Order of Volatility O Methodologies O Dead Forensics O Live Forensics O Demo
ELSE!!!!
Forensics Fundamentals O Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. O "Gathering and analysing data in a manner as free from distortion or bias as possible to reconstruct data or what happened in the past on a system [or a network]“ -Dan Farmer / Wietse Venema
Action Plan- First Response Arrive on Crime scene Machine state = OFF DEAD FORENSICS Machine state = ON LIVE FORENSICS
Order of Volatility MOST ….. LEAST • CPU, cache and register content • Routing table, ARP cache, process table, kernel statistics • Memory • Temporary file system / swap space •Data on hard disk •Remotely logged data •Raw Disk Blocks
Forensics Methodologies O “LIVE” Forensics O “DEAD” Forensics
DEAD FORENSICS O The dead analysis is more common to acquire data. O A dead acquisition copies the data without the assistance of the suspect’s (operating) system. O Analysing a “dead” system that has had it’s power cord pulled.
DEAD FORENSICS O During data acquisition an exact (typically bitwise) copy of storage media is created. O Least chance of modifying data on disk, but “live” data is lost forever.
LIVE FORENSICS O Focuses on extracting and examination of the volatile forensic data that would be lost on power off O A live acquisition copies the data using the suspect’s (operating) system O Live forensics is not a “pure” forensic response as it will have minor impacts to the underlying machine’s operating state – The key is the impacts are known
LIVE FORENSICS O Often used in incident handling to determine if an event has occurred O May or may not proceed a full traditional forensic analysis O If you work on a suspect’s system you should boot/use trusted tools (e.g. CD, USB stick):
LIVE FORENSICS THE IMAGE WILL HAVE NO AUTHENTICITY No two images can have the “same hash value”
Forensic Response Principles – Maintain forensic integrity – Require minimal user interaction – Gather all pertinent information to determine if an incident occurred for later analysis - Enforce sound data and evidence collection
Methodology ACQUIRE CONTEXT ANALYSE •Capture RAM Memory •Find Memory Offsets and establish contexts •Analyse data and recover evidence
In MEMORY data?? O Current running processes and terminated processes. O Open TCP/UDP ports/raw sockets/active connections. O Caches O -Web addresses, typed commands, passwords, clipboards, SAM databases, edited files. O Memory mapped files O -Executable, shared, objects(modules/drivers), text files.
DEMO O Collecting Memory dumps: DUMPIT by MOONSOLS O Analysing Memory dumps: WinHex and Volatility Framework 2.3
और कोई सवाल

Empfohlen

Computer forensics
Computer forensicsComputer forensics
Computer forensicsRamesh Ogania
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - NotesKranthi
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidenceOnline
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic toolsParsons Corporation
 
Data recovery slide show
Data recovery slide showData recovery slide show
Data recovery slide showtutannandi
 
computer forensics
computer forensicscomputer forensics
computer forensicsVaibhav Tapse
 

Empfohlen

Computer forensics
Computer forensicsComputer forensics
Computer forensicsRamesh Ogania
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
03 Data Recovery - Notes
03 Data Recovery - Notes03 Data Recovery - Notes
03 Data Recovery - NotesKranthi
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidenceOnline
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic toolsParsons Corporation
 
Data recovery slide show
Data recovery slide showData recovery slide show
Data recovery slide showtutannandi
 
computer forensics
computer forensicscomputer forensics
computer forensicsVaibhav Tapse
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory ForensicsPrince Boonlia
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory ForensicsAnshul Tayal
 
Data recovery
Data recoveryData recovery
Data recoveryMir Majid
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsShreya Singireddy
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics IntroJake K.
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx9905234521
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsFilip Maertens
 
DATA RECOVERY TECHNIQUES
DATA RECOVERY TECHNIQUESDATA RECOVERY TECHNIQUES
DATA RECOVERY TECHNIQUESVenkatesh Pensalwar
 
L6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxL6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxBhupeshkumar Nanhe
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics OverviewYansi Keim
 
Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidenceOnline
 
computer forensics
computer forensicscomputer forensics
computer forensicsAkhil Kumar
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber ForensicsKathirvel Ayyaswamy
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisitionprimeteacher32
 
Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
Computer Forensics pptOECLIB Odisha Electronics Control Library
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 
Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Muzzammil Wani
 
PACE-IT, Security+ 2.4: Basic Forensic Procedures
PACE-IT, Security+ 2.4: Basic Forensic ProceduresPACE-IT, Security+ 2.4: Basic Forensic Procedures
PACE-IT, Security+ 2.4: Basic Forensic ProceduresPace IT at Edmonds Community College
 

Weitere ähnliche Inhalte

Was ist angesagt?

Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics IntroJake K.
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx9905234521
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsFilip Maertens
 
L6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxL6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxBhupeshkumar Nanhe
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics OverviewYansi Keim
 
Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidenceOnline
 
computer forensics
computer forensicscomputer forensics
computer forensicsAkhil Kumar
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 

Was ist angesagt? (20)

Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Anti forensic
Anti forensicAnti forensic
Anti forensic
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Data recovery
Data recoveryData recovery
Data recovery
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics Intro
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
 
DATA RECOVERY TECHNIQUES
DATA RECOVERY TECHNIQUESDATA RECOVERY TECHNIQUES
DATA RECOVERY TECHNIQUES
 
L6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxL6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptx
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
 
Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidence
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
 
Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
Computer Forensics ppt
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensics
 

Ähnlich wie Memory Forensics

Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Muzzammil Wani
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfGnanavi2
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxsmile790243
 
Automated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data AcquisitionAutomated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data AcquisitionIJERA Editor
 
CS426_forensics.ppt
CS426_forensics.pptCS426_forensics.ppt
CS426_forensics.pptFaiz430036
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidencerakesh mishra
 
Criminalistics DB3NameClassDatePro.docx
Criminalistics DB3NameClassDatePro.docxCriminalistics DB3NameClassDatePro.docx
Criminalistics DB3NameClassDatePro.docxfaithxdunce63732
 
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02Wayne Norris
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer ForensicsAlchemist095
 
ResearchPaperITDF2435
ResearchPaperITDF2435ResearchPaperITDF2435
ResearchPaperITDF2435Manuel Garza
 
Digital Forensics Workshop
Digital Forensics WorkshopDigital Forensics Workshop
Digital Forensics WorkshopTim Fletcher
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics reportyash sawarkar
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Vipin George
 

Ähnlich wie Memory Forensics (20)

Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014
 
PACE-IT, Security+ 2.4: Basic Forensic Procedures
PACE-IT, Security+ 2.4: Basic Forensic ProceduresPACE-IT, Security+ 2.4: Basic Forensic Procedures
PACE-IT, Security+ 2.4: Basic Forensic Procedures
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
 
Automated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data AcquisitionAutomated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data Acquisition
 
N.sai kiran IIITA AP
N.sai kiran IIITA APN.sai kiran IIITA AP
N.sai kiran IIITA AP
 
CS426_forensics.ppt
CS426_forensics.pptCS426_forensics.ppt
CS426_forensics.ppt
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Criminalistics DB3NameClassDatePro.docx
Criminalistics DB3NameClassDatePro.docxCriminalistics DB3NameClassDatePro.docx
Criminalistics DB3NameClassDatePro.docx
 
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 
Sujit
SujitSujit
Sujit
 
ResearchPaperITDF2435
ResearchPaperITDF2435ResearchPaperITDF2435
ResearchPaperITDF2435
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Digital Forensics Workshop
Digital Forensics WorkshopDigital Forensics Workshop
Digital Forensics Workshop
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics report
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation
 
3871778
38717783871778
3871778
 
File000129
File000129File000129
File000129
 

Mehr von n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Mehr von n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Kürzlich hochgeladen

General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024Elizabeth Walsh
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesCeline George
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsKarakKing
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structuredhanjurrannsibayan2
 

Kürzlich hochgeladen (20)

General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 

Memory Forensics

  • 1. आज का आहार Memory Forensics Varun Nair @w3bgiant
  • 2. #whoami O Security enthusiast. O For food and shelter, I work with ZEE TV O For living, I learn 4N6, Malwares and Reverse Engineering O Recent developments: O Chapter lead at Null, Mumbai chapter.
  • 3. If you listen!!!!! O Forensics Fundamentals O Action Plan O Order of Volatility O Methodologies O Dead Forensics O Live Forensics O Demo
  • 5. Forensics Fundamentals O Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. O "Gathering and analysing data in a manner as free from distortion or bias as possible to reconstruct data or what happened in the past on a system [or a network]“ -Dan Farmer / Wietse Venema
  • 6. Action Plan- First Response Arrive on Crime scene Machine state = OFF DEAD FORENSICS Machine state = ON LIVE FORENSICS
  • 7. Order of Volatility MOST ….. LEAST • CPU, cache and register content • Routing table, ARP cache, process table, kernel statistics • Memory • Temporary file system / swap space •Data on hard disk •Remotely logged data •Raw Disk Blocks
  • 8. Forensics Methodologies O “LIVE” Forensics O “DEAD” Forensics
  • 9. DEAD FORENSICS O The dead analysis is more common to acquire data. O A dead acquisition copies the data without the assistance of the suspect’s (operating) system. O Analysing a “dead” system that has had it’s power cord pulled.
  • 10. DEAD FORENSICS O During data acquisition an exact (typically bitwise) copy of storage media is created. O Least chance of modifying data on disk, but “live” data is lost forever.
  • 11. LIVE FORENSICS O Focuses on extracting and examination of the volatile forensic data that would be lost on power off O A live acquisition copies the data using the suspect’s (operating) system O Live forensics is not a “pure” forensic response as it will have minor impacts to the underlying machine’s operating state – The key is the impacts are known
  • 12. LIVE FORENSICS O Often used in incident handling to determine if an event has occurred O May or may not proceed a full traditional forensic analysis O If you work on a suspect’s system you should boot/use trusted tools (e.g. CD, USB stick):
  • 13. LIVE FORENSICS THE IMAGE WILL HAVE NO AUTHENTICITY No two images can have the “same hash value”
  • 14. Forensic Response Principles – Maintain forensic integrity – Require minimal user interaction – Gather all pertinent information to determine if an incident occurred for later analysis - Enforce sound data and evidence collection
  • 16. In MEMORY data?? O Current running processes and terminated processes. O Open TCP/UDP ports/raw sockets/active connections. O Caches O -Web addresses, typed commands, passwords, clipboards, SAM databases, edited files. O Memory mapped files O -Executable, shared, objects(modules/drivers), text files.
  • 17. DEMO O Collecting Memory dumps: DUMPIT by MOONSOLS O Analysing Memory dumps: WinHex and Volatility Framework 2.3