
Memory Forensics: Techniques and Tools

Memory forensics allows investigators to analyze the contents of a computer's memory, capturing a snapshot that reveals processes, open files, network activity, and other real-time system information. This provides crucial details about unauthorized activity that may not be found through conventional hard drive analysis. Key tools like Volatility and Rekall support examining memory dumps from Windows, Linux, and Mac systems to help track malware, decrypt application data, and determine the initial time of system compromise. Analyzing process time stamps, open files, and decoded applications in memory are common approaches used to build evidence and strengthen cyber investigation cases.

Uploaded by fantasticlala06

  • Introduction of Memory Forensics
  • Memory Forensics: Acquisition Methods
  • The Best Memory Forensic Tools on the Market
  • Further Readings
  • Disclaimer

UNIT – 3

Memory Forensics

Introduction of Memory Forensics

Computer Forensics: Memory Forensics

What is Memory Forensics?

Memory forensics is a vital form of cyber investigation that allows an investigator to identify unauthorized and anomalous activity on a target computer or server. This is usually achieved by running special software that captures the current state of the system’s memory as a snapshot file, also known as a memory dump. This file can then be taken offsite and searched by the investigator.

This is useful because of the way in which processes, files and programs are run in memory. Once a snapshot has been captured, many important facts can be ascertained by the investigator, such as:

• Processes running
• Executable files that are running
• Open ports, IP addresses and other networking information
• Users that are logged into the system, and from where
• Files that are open and by whom

Already we can see how much this information can help an investigator as they seek out system anomalies. By capturing the volatile information inside the system’s memory, they are able to create a permanent record of the system’s state as it was. This means that suspicious programs such as computer viruses and malware can be tracked down in a lab environment and, where possible, traced back to their source. This is vital in instances where malware leaves no trace of its activity on a target system’s hard drive, making memory forensics especially important as a means to identify such activity.

How is Memory Forensics Different from Hard Drive Forensics?

Memory forensics can be thought of as a current snapshot of a system that gives investigators a near-real-time image of the system while in use. Hard drive forensics is normally focused on data recovery and decryption, usually performed on an image of the drive in question.

One can think of memory forensics as a live response to a current threat, while hard drive forensics can be seen as more of a post-mortem of events that have already transpired. Memory forensics is time sensitive, as the information that is required is stored in volatile system memory; if the system is restarted or powered off, that information is flushed from system memory. Hard drives, on the other hand, are a non-volatile form of computer storage. There are some volatile elements to hard drives, such as cache and buffer stores, so this also needs to be taken into account by the forensic investigator.

Depending on the nature of the investigation, either technique can be used to gain further information about the system in question. Likewise, both methods can be used on the same system if necessary, and investigators will have to use their discretion and select the appropriate action where necessary.

Memory Forensics: Acquisition Methods

The angle of investigation that you take during this acquisition phase will depend mostly on the scenario that you are presented with and the requirements of the case. This depends largely on the operating system that your host is running, or on what the perceived issue is that needs to be investigated at the time of the incident. How you go about capturing the image also depends on what you are trying to establish through your investigative process, and what it is that you are trying to prove or disprove.

Generally your investigation will focus on the activities of the user on the system, or on evidence that proves that the system in question has been compromised. Sometimes even encryption keys and passwords can be uncovered if they are part of the evidentiary requirements of your case. There must be a clear understanding of what needs to be established on the target system, and how it can help to advance your investigation.

Forensic investigators are highly skilled and can identify activity on a system that should not be present, allowing them to prove that a system has been compromised. Memory forensics allows them to identify rootkits and malware, to find unusual processes, and to reveal covert communication, which can shed light on what is currently happening in a target system.

Here are some examples of acquisition formats that are used in memory forensics. There are many different memory acquisition types, but these are five of the most common methods and formats that are used today:

• RAW Format – Extracted from a live environment
• Crash Dump – Information gathered by the operating system
• Hibernation File – A saved snapshot that your operating system can return to after hibernating
• Page File – A file on disk that stores information similar to what is held in your system RAM
• VMWare Snapshot – A snapshot of a virtual machine, which saves its state as it was at the exact moment that the snapshot was generated
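Whatever format you acquire, the first thing to record is what kind of container you have and a digest of the file, so that any later change to the evidence can be detected. The script below is an added example written for this section, not code from the original text or from any of the tools it names. It identifies the container from its leading bytes (Windows crash dumps begin with PAGEDUMP or PAGEDU64, hibernation files with hibr or HIBR, LiME dumps with EMiL, ELF core dumps with 0x7f ELF; a raw image and a page file carry no header, so they fall through as raw/unknown), hashes each image in chunks, and re-verifies the digest afterwards. The sample files, their names and contents are constructed in a temporary directory so the script runs offline.

```python
"""Added example: inventory and integrity-check acquired memory images.

Sniffs each image's container format from its leading bytes, records a SHA-256
digest and size, and re-verifies the digest later so that any change to the
evidence file after acquisition is detected. The sample files are constructed
here in a temporary directory; they are not real memory images.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Leading bytes of common acquisition containers. A raw dump carries no header,
# so anything unrecognised is reported as raw/unknown rather than rejected.
SIGNATURES = {
    b"PAGEDU64": "Windows crash dump (64-bit)",
    b"PAGEDUMP": "Windows crash dump (32-bit)",
    b"hibr": "Windows hibernation file",
    b"HIBR": "Windows hibernation file",
    b"EMiL": "LiME (Linux Memory Extractor) dump",
    b"\x7fELF": "ELF core dump (e.g. VirtualBox or QEMU guest dump)",
}


def sniff_format(path):
    """Return a human-readable container type based on the file header."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, name in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return "raw/unknown (no recognised header)"


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so multi-gigabyte images never have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths):
    """One record per image: what it is, how big it is, and its digest at intake."""
    records = []
    for path in paths:
        records.append({
            "path": path,
            "size": os.path.getsize(path),
            "format": sniff_format(path),
            "sha256": sha256_file(path),
            "hashed_at": datetime.now(timezone.utc).isoformat(),
        })
    return records


def verify_image(record):
    """Re-hash the file and compare with the intake digest; True if unchanged."""
    return sha256_file(record["path"]) == record["sha256"]


def make_constructed_samples(directory):
    """Write tiny stand-in files with the right headers (constructed, not real dumps)."""
    samples = {
        "memory.dmp": b"PAGEDU64" + bytes(64),
        "hiberfil.sys": b"hibr" + bytes(64),
        "memory.lime": b"EMiL" + bytes(64),
        "memory.raw": b"abc",   # headerless stand-in; SHA-256 of b"abc" is well known
    }
    paths = []
    for name, content in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    return paths


def run_demo():
    """Build a manifest, then alter one image to show verification failing."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = build_manifest(make_constructed_samples(tmp))
        intact_before = all(verify_image(r) for r in manifest)
        # Simulate a post-acquisition modification of the crash dump.
        with open(manifest[0]["path"], "ab") as fh:
            fh.write(b"\x00")
        intact_after = [verify_image(r) for r in manifest]
        return {
            "formats": {os.path.basename(r["path"]): r["format"] for r in manifest},
            "raw_sha256": manifest[3]["sha256"],
            "intact_before": intact_before,
            "intact_after": intact_after,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The manifest is the record you keep alongside the image: the digest at intake is what later analysis results are tied back to, and re-running `verify_image` before each analysis session shows whether the file is still the one that was acquired.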

Once you have acquired your data, you can begin the process of examining the system, and any
suspicious activities will then be uncovered as you proceed. Data carving is a commonly used
approach, and depending on the desired outcomes of your particular case, there are many other
approaches that can be looked at as well. Below is a list of some commonly used tools in the field
that allow for these different approaches to be utilized.

The Best Memory Forensic Tools on the Market

There are both free and commercial products available on the market, and many forensics investigators will have their own personal preferences. Some investigators may find that they need to use commercial products only; however, many professionals will use a wide array of both free and paid tools to get the job done. Here are some examples:

• Volatility Suite: This is an open source suite of programs for analyzing RAM, and has support for Windows, Linux and Mac operating systems. It can analyze RAW, Crash, VMWare, and VirtualBox dumps with no issues.
• Rekall: This is an end-to-end solution for incident responders and investigators, and features both acquisition and analysis tools. It can be thought of as more of a forensic framework suite than just a single application.
• Helix ISO: This is a bootable live CD as well as a standalone application that makes it very easy for you to capture a memory dump or memory image of a system. There are some risks associated with running this directly on a target system, namely an acquisition footprint, so make sure that it fits your requirements.
• Belkasoft RAM Capturer: This is another forensic tool that allows for the volatile section of system memory to be captured to a file. First responders will find that the functionality and wide range of tools available in this software package will allow their investigations to start off as quickly as possible.
• Process Hacker: This is an open source process monitoring application that is very useful to run while the target machine is in use. It will give the investigator a better understanding of what is currently affecting the system before the memory snapshot is taken, and can go a long way to help uncover any malicious processes, or even help to identify what processes have been terminated within a set period of time.

Once you have captured the data that you need, you can start to examine it, while trying
to find meaningful information on the target PC that you are interrogating.

Memory Forensics: Examining Your Captured Data

There are many avenues for an investigator to take when it comes to analyzing a target system. Rather than attempt to cover them all, we will take a look at some common approaches that an investigator can use when trying to glean more information via memory forensics.

• Open Files Associated With Process: This is an extremely useful approach, as it shows which files are open by a suspicious process on the target system. Malware can often be identified just by the location of the associated files that are open, and knowing where these files are located is also beneficial to the overall investigation, especially if these files are storing logs of user inputs via the keyboard. This would mean that the user’s passwords could have been inadvertently divulged to the malware authors that created the software. This will help to strengthen the case that the investigator is building.
• Decoded Applications in Memory: Sometimes, the malware that is present on the target system will have been encrypted by its author, making it impossible for anyone but the perpetrator to successfully make use of the data that it has been collecting. However, sometimes a decrypted version of the application can be caught in the memory snapshot, which allows the investigator to examine the application’s activities more accurately. The investigator might even be able to identify the hash or cipher that was used for the encryption, thus allowing them to read previously inaccessible data associated with the malware instance on the target machine.
• Timestamp Comparison: In some instances, malware can interfere with the target host’s timestamps on the system files, making them appear to be untouched by the infection. This is known as time stomping, and can seriously inhibit an investigator’s ability to discover when the infection first occurred. By capturing the memory dump, investigators can compare the process timestamps to the system file timestamps to establish when the system was first compromised. Once a date and time has been established, records such as emails and browser history can be looked at to help identify the possible cause of the infection by finding any correlations in time and date between the process timestamps and the application time frames.
• Network Information: Once the infected processes have been identified, the specific network communications surrounding the infection can be further dissected. This can reveal a virtual treasure trove of information, such as:
  ◦ Source IP addresses, such as where the malware instance is reporting back to
  ◦ Compromised ports on the host machine
  ◦ The frequency at which the malware was communicating over the network
  ◦ Understanding how the infection spreads itself over the network
• User Activity: By looking at the information that was acquired during all of the previous steps, the forensic investigator can start to piece together a fairly accurate series of events that led to the main incident. This can be determined via the system log files that were captured earlier, and can help to ascertain to what extent, if any, a user on site may have been involved. Remote unauthorized access can also be detected, which can help with determining the extent to which the network protocols of the organization have been compromised.
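The Timestamp Comparison item above can be carried out mechanically once process records from the memory image and file timestamps from the disk are side by side. The Python below is an added example written for this section; it is not code from the original text or from Volatility. Its records are constructed to resemble a process listing and an NTFS $MFT parse, and none of the paths, PIDs, times or event details come from a real case. Two indicators of time stomping are checked: the $STANDARD_INFORMATION ($SI) creation time lying before the $FILE_NAME ($FN) creation time, and $SI timestamps with a zero sub-second part, which common stomping tools leave behind because they only set whole seconds; both are heuristics, not proof. The earliest flagged process start is then used as the anchor for pulling mail and browser records from the preceding window, as the text describes.

```python
"""Added example: comparing process timestamps from memory with file timestamps on disk.

The records below are constructed to look like what a Volatility process listing and
an NTFS $MFT parser would return; they are not taken from a real case. $SI is the
$STANDARD_INFORMATION attribute (what most tools display, and what time-stomping
tools rewrite) and $FN is the $FILE_NAME attribute, which common stomping tools
leave untouched.
"""
from datetime import datetime, timedelta


def dt(text):
    """Parse 'YYYY-MM-DD HH:MM:SS.ffffff' into a naive UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


# Processes as seen in the memory image (constructed).
PROCESSES = [
    {"pid": 4212, "name": "svchost.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "created": dt("2024-03-12 09:00:03.120000")},
    {"pid": 5120, "name": "updater.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "created": dt("2024-03-12 14:05:17.443210")},
]

# On-disk timestamps for each process image, keyed by path (constructed).
FILE_METADATA = {
    r"C:\Windows\System32\svchost.exe": {
        "si_created": dt("2023-05-10 08:00:00.532100"),
        "si_modified": dt("2023-05-10 08:00:00.532100"),
        "fn_created": dt("2023-05-10 08:00:00.532100"),
    },
    r"C:\Users\alice\AppData\Local\Temp\updater.exe": {
        # $SI claims 2009 with no sub-second part; $FN still shows the real drop time.
        "si_created": dt("2009-07-14 01:14:22.000000"),
        "si_modified": dt("2009-07-14 01:14:22.000000"),
        "fn_created": dt("2024-03-12 14:04:58.871200"),
    },
}

# Application records recovered from mail and browser history (constructed).
APP_EVENTS = [
    {"source": "browser", "time": dt("2024-03-12 11:20:00.000000"),
     "detail": "intranet.example.invalid/timesheet"},
    {"source": "email", "time": dt("2024-03-12 13:58:41.000000"),
     "detail": "attachment opened: Invoice_0312.pdf"},
    {"source": "browser", "time": dt("2024-03-12 14:04:52.000000"),
     "detail": "download from cdn.example.invalid/updater.exe"},
]


def time_stomping_indicators(meta):
    """Heuristics suggesting the $SI timestamps of a file were rewritten."""
    reasons = []
    if meta["si_created"] < meta["fn_created"]:
        reasons.append("$SI creation precedes $FN creation")
    if meta["si_created"].microsecond == 0 and meta["si_modified"].microsecond == 0:
        reasons.append("$SI timestamps have zero sub-second precision")
    return reasons


def suspicious_processes(processes, file_metadata):
    """Pair each process with its image file and flag timestamp inconsistencies."""
    findings = []
    for proc in processes:
        meta = file_metadata.get(proc["image"])
        if meta is None:
            findings.append((proc, ["image file not present on disk"]))
            continue
        reasons = time_stomping_indicators(meta)
        if proc["created"] < meta["fn_created"]:
            reasons.append("process started before its image file was created")
        if reasons:
            findings.append((proc, reasons))
    return findings


def correlate_events(anchor, events, window=timedelta(minutes=30)):
    """Application records in the window leading up to the anchor time, oldest first."""
    hits = [e for e in events if anchor - window <= e["time"] <= anchor]
    return sorted(hits, key=lambda e: e["time"])


def analyse(processes=PROCESSES, file_metadata=FILE_METADATA, events=APP_EVENTS):
    """Flag processes, take the earliest flagged start as the compromise time, correlate."""
    findings = suspicious_processes(processes, file_metadata)
    if not findings:
        return findings, None, []
    anchor = min(proc["created"] for proc, _ in findings)
    return findings, anchor, correlate_events(anchor, events)


if __name__ == "__main__":
    found, first_seen, related = analyse()
    for proc, reasons in found:
        print(proc["pid"], proc["name"], "->", "; ".join(reasons))
    print("earliest suspicious process start:", first_seen)
    for event in related:
        print(" ", event["time"], event["source"], event["detail"])
```

In the constructed data the stomped image is the only flagged process, so its start time becomes the anchor, and the 30-minute window pulls in the opened attachment and the download immediately before it while leaving the unrelated morning browsing out. The window length and the two heuristics are tunable assumptions; a real case would add the $SI/$FN comparison for the other three timestamp fields as well.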

Once the findings have been made, the investigator can work with his or her team to establish whether there are any other sources of information that need to be looked at further, and whether any additional techniques need to be applied to the target machine or data set.

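The four questions listed under Network Information above (where a process reports to, which ports it opened on the host, how often it talked, and whether it spread to other hosts) can all be answered from the network objects a memory image yields: connection scanners recover closed connections from pool memory along with their creation times, not only the ones open at capture. The Python below is an added example written for this section, not code from the original text or from Volatility; its rows are constructed to resemble netscan-style output (protocol, local and foreign endpoints, state, PID, owner, creation time), and the addresses are drawn from the documentation ranges. A regular interval with low jitter between repeated connections to one destination is the beaconing signature a defender looks for; the 10.0.0.0/8 internal range, the thresholds and the process names are assumptions of the example.

```python
"""Added example: dissecting recovered network objects per process.

Rows mimic netscan-style output, including CLOSED connections that are still
recoverable from pool memory with their creation times. All rows are constructed;
addresses come from the documentation ranges and the PIDs and names are invented.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

INTERNAL_PREFIX = "10."   # assumption: 10/8 is the organisation's internal range


def row(proto, local, foreign, state, pid, owner, created):
    """Build one connection record (helper for the constructed sample)."""
    return {"proto": proto, "local": local, "foreign": foreign, "state": state,
            "pid": pid, "owner": owner,
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M:%S")}


NETSCAN_ROWS = [
    row("TCPv4", "10.0.0.15:49710", "203.0.113.45:443", "CLOSED", 5120, "updater.exe", "2024-03-12 14:06:00"),
    row("TCPv4", "10.0.0.15:49722", "203.0.113.45:443", "CLOSED", 5120, "updater.exe", "2024-03-12 14:11:01"),
    row("TCPv4", "10.0.0.15:49731", "203.0.113.45:443", "CLOSED", 5120, "updater.exe", "2024-03-12 14:16:00"),
    row("TCPv4", "10.0.0.15:49745", "203.0.113.45:443", "CLOSED", 5120, "updater.exe", "2024-03-12 14:21:02"),
    row("TCPv4", "10.0.0.15:49760", "203.0.113.45:443", "ESTABLISHED", 5120, "updater.exe", "2024-03-12 14:26:00"),
    row("TCPv4", "10.0.0.15:49801", "10.0.0.21:445", "CLOSED", 5120, "updater.exe", "2024-03-12 14:12:30"),
    row("TCPv4", "10.0.0.15:49802", "10.0.0.22:445", "CLOSED", 5120, "updater.exe", "2024-03-12 14:12:31"),
    row("TCPv4", "10.0.0.15:49803", "10.0.0.23:445", "CLOSED", 5120, "updater.exe", "2024-03-12 14:12:31"),
    row("TCPv4", "0.0.0.0:8443", "0.0.0.0:0", "LISTENING", 5120, "updater.exe", "2024-03-12 14:05:40"),
    row("TCPv4", "10.0.0.15:49600", "198.51.100.20:443", "CLOSED", 3344, "chrome.exe", "2024-03-12 14:03:10"),
    row("TCPv4", "10.0.0.15:49601", "198.51.100.20:443", "CLOSED", 3344, "chrome.exe", "2024-03-12 14:03:12"),
    row("TCPv4", "10.0.0.15:49688", "198.51.100.20:443", "ESTABLISHED", 3344, "chrome.exe", "2024-03-12 14:09:45"),
    row("TCPv4", "0.0.0.0:445", "0.0.0.0:0", "LISTENING", 4, "System", "2024-03-12 08:59:50"),
]


def connections_by_destination(rows):
    """Creation times of every outbound connection, grouped by (pid, owner, destination)."""
    groups = defaultdict(list)
    for r in rows:
        if r["state"] == "LISTENING":
            continue
        groups[(r["pid"], r["owner"], r["foreign"])].append(r["created"])
    return {key: sorted(times) for key, times in groups.items()}


def beacon_stats(times):
    """Mean gap between successive connections and its relative jitter (None if too few)."""
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    jitter = pstdev(gaps) / avg if avg else float("inf")
    return {"count": len(times), "mean_interval_s": avg, "jitter": jitter}


def find_beacons(rows, min_count=4, max_jitter=0.2):
    """Destinations contacted repeatedly at a near-constant interval."""
    hits = []
    for (pid, owner, foreign), times in connections_by_destination(rows).items():
        stats = beacon_stats(times)
        if stats and stats["count"] >= min_count and stats["jitter"] <= max_jitter:
            hits.append({"pid": pid, "owner": owner, "foreign": foreign, **stats})
    return hits


def listening_ports(rows):
    """Sockets each process opened on the host itself."""
    return sorted({(r["pid"], r["owner"], r["local"]) for r in rows if r["state"] == "LISTENING"})


def lateral_fan_out(rows, min_hosts=3):
    """Processes that reached many distinct internal hosts on one port: a spreading indicator."""
    targets = defaultdict(set)
    for r in rows:
        if r["state"] == "LISTENING":
            continue
        host, port = r["foreign"].rsplit(":", 1)
        if host.startswith(INTERNAL_PREFIX):
            targets[(r["pid"], r["owner"], port)].add(host)
    return {key: sorted(hosts) for key, hosts in targets.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print("beacons:", find_beacons(NETSCAN_ROWS))
    print("listening:", listening_ports(NETSCAN_ROWS))
    print("fan-out:", lateral_fan_out(NETSCAN_ROWS))
```

With the constructed rows the updater process stands out on all three counts: five connections to one external address roughly every 300 seconds, a listener it opened on the host, and near-simultaneous connections to three internal hosts on port 445, while the browser's irregular handful of connections is left alone. The thresholds (four connections, 20% jitter, three hosts) are starting points to tune against the environment's normal traffic.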
Further readings:

/memory-forensics-power-introduction/
/memory-forensics/
/memory-forensics-and-analysis-using-volatility/

Disclaimer

The slides/contents are based on the textbook and other sources, including several other fine textbooks, web resources and case studies for the concepts course of Cyber Forensic Procedures and Analysis.

