DF011G08 Memory Forensic


IBM ICE (Innovation Centre for Education)

Welcome to:
Memory Forensics

© Copyright IBM Corporation 2016 9.1


Unit objectives

After completing this unit, you should be able to:


• Understand the meaning of Memory Forensics
• Understand the steps in extracting data from Memory Forensics
• Understand the specific precautions to be used in extraction and preservation of data from
Memory Forensics
• Understand the chain of Custody, Preservation and Presentation of evidence from Memory
Forensics



Memory Data Collection and Examination

• Data is considered volatile when it is likely to be lost when a machine is rebooted or
overwritten during the course of the machine’s normal use.
• The artifacts that can be recovered from volatile data are valuable in pushing the
investigation forward on all fronts, and many types of artifacts can only be recovered from
memory.
• It is readily apparent that acquiring and analyzing this type of data is more challenging and
perilous than dead-box analysis.
• When the user types in their password, or when data is decrypted, however, the password
and keys are necessarily loaded into and stored in memory; analysis of that memory can
allow the analyst to recover them.
• It is also possible for a suspect to hide data in memory, or for a remote attacker who has
compromised a system to store tools, data, and other artifacts there rather than on the
system's drive.
• Viruses, Trojans, and worms that reside only in memory do not write themselves to the
physical disk drive. Traditional forensic analysis of the disks will not reveal the code or allow
analysts to understand how the attack is being executed or how to mitigate it.



Data Found in Volatile Memory

• Processes, information about open files and registry handles, network information, passwords
and cryptographic keys, unencrypted content that is encrypted on disk, hidden data, and
worms and rootkits written to run solely in memory.
• Processes that have been terminated may still be residing in memory because the machine
has not been rebooted since they were terminated and the space they reside in has not yet
been reallocated.
• The files that a process has open, as well as any registry handles being accessed by a
process, are also stored in memory.
• Information about network connections, including listening ports, currently established
connections, and the local and remote information associated with such connections can be
recovered from memory.
• Passwords and cryptographic keys are as a general rule never stored on hard disks without
some type of protection.
• In addition to hiding files in memory, attackers can also run malicious code from memory
instead of storing it on the disk, making it difficult for reverse engineers to obtain copies of
programs and figure out how they are working and how to mitigate the threats they pose.
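Two of the points above, that terminated processes can linger in memory until their space is reused and that code running from memory may be hidden from the tools that ask the operating system for a process list, are both caught by the same cross-view technique: walk the OS's own linked list and, separately, scan the whole image for the structure's signature, then compare. The following is an added example, not part of the original unit, and it uses a constructed toy record layout (a "PROC" tag, pid, name, link to the next record, and state) in a constructed 4 KiB image rather than any real Windows structure; the offsets and names are made up for the demonstration.

```python
import struct

# Constructed toy record layout (NOT a real Windows structure), 32 bytes each:
#   4s  tag    b"PROC"
#   I   pid
#   16s name   null-padded
#   I   flink  offset of the next record in the OS's active-process list (0 = end)
#   I   state  1 = running, 0 = terminated
TAG = b"PROC"
REC_FMT = "<4sI16sII"
REC_SIZE = struct.calcsize(REC_FMT)   # 32
LIST_HEAD = 0x100                     # where the sample's active list starts


def build_sample_image():
    """Build a constructed 4 KiB 'memory image' holding five process records."""
    img = bytearray(4096)
    # (offset, pid, name, flink, state) -- all values constructed for the example
    records = [
        (0x100, 4,    b"System",       0x300, 1),
        (0x300, 812,  b"explorer.exe", 0x500, 1),
        (0x500, 1337, b"notepad.exe",  0,     1),
        # terminated and unlinked from the list, but its memory was never reused
        (0x700, 2048, b"oldproc.exe",  0,     0),
        # still running, but unlinked, so the OS's own list no longer reports it
        (0x900, 3001, b"hidden.exe",   0,     1),
    ]
    for off, pid, name, flink, state in records:
        struct.pack_into(REC_FMT, img, off, TAG, pid, name.ljust(16, b"\0"), flink, state)
    return bytes(img)


def _read(img, off):
    tag, pid, name, flink, state = struct.unpack_from(REC_FMT, img, off)
    return tag, pid, name.rstrip(b"\0").decode("ascii"), flink, state


def walk_process_list(img, head=LIST_HEAD):
    """Follow flink pointers: this is the view the running OS would report."""
    found, off, seen = [], head, set()
    while off and off not in seen:
        seen.add(off)                       # guard against a looped list
        tag, pid, name, flink, state = _read(img, off)
        if tag != TAG:                      # pointer led somewhere that is not a record
            break
        found.append((pid, name, state))
        off = flink
    return found


def scan_for_processes(img):
    """Signature scan of the whole image: finds every tagged record, linked or not."""
    found = []
    for off in range(0, len(img) - REC_SIZE + 1, 4):   # records are 4-byte aligned
        if img[off:off + 4] == TAG:
            _, pid, name, _, state = _read(img, off)
            found.append((pid, name, state))
    return found


def cross_view_diff(img, head=LIST_HEAD):
    """Records the scan sees but the list walk does not: terminated or deliberately hidden."""
    listed = {pid for pid, _, _ in walk_process_list(img, head)}
    return [p for p in scan_for_processes(img) if p[0] not in listed]


if __name__ == "__main__":
    image = build_sample_image()
    print("listed :", walk_process_list(image))
    print("scanned:", scan_for_processes(image))
    print("diff   :", cross_view_diff(image))
```

The list walk reports three processes; the scan reports five. The two extra entries are exactly the cases the slide describes: a terminated process whose record has not been overwritten (state 0) and a running one that is no longer linked (state 1). A real analysis tool does the same comparison against the kernel's actual structures; the discrepancy, not either view on its own, is the finding.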



Current Analysis Techniques

• In order to acquire volatile memory and analyze it, first an analyst must have a technique for
acquiring memory.
• There are two methods of acquiring volatile memory: hardware-based acquisition, and
software-based acquisition.
• Hardware-based acquisition of memory involves suspending the computer’s processor and
using direct memory access (DMA) to obtain a copy of memory.
• Software-based acquisition is most often done using a trusted toolkit that the analyst brings
to the site, but it is also possible to collect volatile memory using tools built in to the operating
system.
• Volatile memory is accessed via different mechanisms depending on the operating system
being used, and the hardware in the machine itself.
• On Windows, each process’s memory allocations are tracked in a Virtual Address Descriptor (VAD) tree.
• This tree describes memory ranges used by currently-running processes, and allows a
process’s virtual address space to be reconstructed.
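To make the last two bullets concrete, here is an added example (not code from the unit, and not Windows' own structures) of a VAD-style tree: each node covers an inclusive range of virtual page numbers, the tree is searched by address, and walking it in order lets the analyst rebuild the process's address space page by page from the captured RAM. The page table is replaced by a constructed per-node dictionary from virtual page number to physical offset, the eight-page "RAM" and the three mappings are constructed sample data, and the tree is a plain binary search tree rather than the balanced tree Windows actually uses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PAGE = 0x1000  # 4 KiB pages


@dataclass
class Vad:
    """One VAD node: an inclusive range of virtual page numbers (VPNs)."""
    start_vpn: int
    end_vpn: int
    protection: str
    # constructed stand-in for the page tables: VPN -> offset of that page in RAM.
    # A VPN missing from the dict is paged out or never touched, so it is not in the capture.
    pages: Dict[int, int] = field(default_factory=dict)
    left: Optional["Vad"] = None
    right: Optional["Vad"] = None


def vad_insert(root: Optional[Vad], node: Vad) -> Vad:
    """Binary-tree insert keyed on the page range; ranges may not overlap."""
    if root is None:
        return node
    if node.end_vpn < root.start_vpn:
        root.left = vad_insert(root.left, node)
    elif node.start_vpn > root.end_vpn:
        root.right = vad_insert(root.right, node)
    else:
        raise ValueError("overlapping VAD ranges")
    return root


def vad_lookup(root: Optional[Vad], vaddr: int) -> Optional[Vad]:
    """Descend the tree to find the VAD covering a virtual address, if any."""
    vpn = vaddr // PAGE
    node = root
    while node is not None:
        if vpn < node.start_vpn:
            node = node.left
        elif vpn > node.end_vpn:
            node = node.right
        else:
            return node
    return None


def vad_inorder(root: Optional[Vad]) -> List[Vad]:
    """All nodes in ascending address order."""
    if root is None:
        return []
    return vad_inorder(root.left) + [root] + vad_inorder(root.right)


def reconstruct_address_space(root: Optional[Vad], ram: bytes) -> List[Tuple[int, str, bytes]]:
    """Walk the VADs in address order and pull each resident page out of RAM.

    Returns (virtual address, protection, page bytes) for every page actually
    present in the capture. Paged-out pages are skipped, which is why a
    reconstructed process image normally has holes.
    """
    runs = []
    for vad in vad_inorder(root):
        for vpn in range(vad.start_vpn, vad.end_vpn + 1):
            phys = vad.pages.get(vpn)
            if phys is None:
                continue
            runs.append((vpn * PAGE, vad.protection, ram[phys:phys + PAGE]))
    return runs


def build_sample() -> Tuple[Vad, bytes]:
    """Constructed RAM (8 pages) and a three-node VAD tree for one process."""
    ram = bytearray(8 * PAGE)
    ram[2 * PAGE:2 * PAGE + 2] = b"MZ"        # image header lands in physical page 2
    ram[5 * PAGE:5 * PAGE + 5] = b".text"
    ram[1 * PAGE:1 * PAGE + 4] = b"HEAP"
    ram[6 * PAGE:6 * PAGE + 5] = b"STACK"
    root = None
    # image mapping at 0x400000: three pages, the third paged out
    root = vad_insert(root, Vad(0x400, 0x402, "EXECUTE_WRITECOPY", {0x400: 2 * PAGE, 0x401: 5 * PAGE}))
    # heap at 0x7F0000: two pages, both resident
    root = vad_insert(root, Vad(0x7F0, 0x7F1, "READWRITE", {0x7F0: 1 * PAGE, 0x7F1: 0}))
    # stack at 0x7FFE0000: one page
    root = vad_insert(root, Vad(0x7FFE0, 0x7FFE0, "READWRITE", {0x7FFE0: 6 * PAGE}))
    return root, bytes(ram)


if __name__ == "__main__":
    root, ram = build_sample()
    hit = vad_lookup(root, 0x401800)
    print("0x401800 ->", hit.protection if hit else "unmapped")
    for vaddr, prot, page in reconstruct_address_space(root, ram):
        print(f"{vaddr:#010x} {prot:18} {page[:6]!r}")
```

Note that the reconstruction yields five pages, not six: the unmapped third page of the image region is simply absent, exactly the gap an analyst sees when dumping a process from a memory image whose pages had been swapped out.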



Current Tools

• The tools used by forensic analysts for memory analysis include:
– Memdump
– KnTTools
– FATKit
– WMFT
– Procenum
– Idetect
– Volatility Framework
– VAD Tools
– Encase Enterprise
– F-Response
– HBGary Responder



Cautions and Considerations

• One concern with performing memory analysis is that the act of acquiring memory can cause
changes to the system being analyzed.
• A related problem is that when this happens and information related to capturing the memory
is put into RAM, the analyst is mixing the results of the analysis with the data that was
previously stored on the system.
• Another concern is whether you can trust the operating system to tell the truth about what is
actually in memory.
• Even more worrisome is that an advanced attacker might alter the way the operating system
itself works to hide data from the analyst.
• Forensic analysis on volatile memory is by no means perfect.
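Because acquisition itself alters the system and the captured data cannot later be re-taken, the practical mitigation is to fix what was captured at the moment of capture: hash the image, record which tool produced it (so its own footprint in RAM is documented rather than mistaken for suspect activity), and log every hand-off. The following is an added example of such a manifest, not code from the unit or from any named tool; the case id, examiner names, tool name and the 64 KiB stand-in image are all constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_of(image: bytes, chunk: int = 1 << 20) -> str:
    """Hash the capture in chunks so a multi-gigabyte image need not be copied."""
    h = hashlib.sha256()
    for i in range(0, len(image), chunk):
        h.update(image[i:i + chunk])
    return h.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def record_acquisition(image: bytes, *, case_id: str, examiner: str, tool: str, host: str) -> dict:
    """Create the manifest at acquisition time, before the image leaves the examiner's hands."""
    return {
        "case_id": case_id,
        "host": host,
        "tool": tool,                  # documents the footprint the capture itself added to RAM
        "size_bytes": len(image),
        "sha256": sha256_of(image),
        "custody": [{"action": "acquired", "by": examiner, "at": _now()}],
    }


def transfer_custody(manifest: dict, from_person: str, to_person: str) -> dict:
    """Append a hand-off entry; the list is the chain of custody."""
    manifest["custody"].append(
        {"action": "transferred", "from": from_person, "to": to_person, "at": _now()}
    )
    return manifest


def verify_image(manifest: dict, image: bytes) -> dict:
    """Re-hash before analysis; any mismatch means the evidence cannot be relied on."""
    size_ok = len(image) == manifest["size_bytes"]
    hash_ok = sha256_of(image) == manifest["sha256"]
    return {"size_ok": size_ok, "hash_ok": hash_ok, "intact": size_ok and hash_ok}


if __name__ == "__main__":
    # constructed 64 KiB stand-in for a memory image
    image = bytes(range(256)) * 256
    manifest = record_acquisition(
        image,
        case_id="CASE-EXAMPLE-001",          # placeholder, not a real case
        examiner="examiner A",
        tool="example-acquisition-tool",     # placeholder tool name
        host="workstation-01",
    )
    transfer_custody(manifest, "examiner A", "analyst B")
    print(json.dumps(manifest, indent=2))
    print("original :", verify_image(manifest, image))
    tampered = image[:100] + b"\x00" + image[101:]   # a single flipped byte
    print("tampered :", verify_image(manifest, tampered))
```

A single changed byte fails the check, which is the point: the manifest turns "we think nothing touched the image" into something that can be demonstrated when the evidence is presented.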



Checkpoint

1. EFS can encrypt which of the following?
a. Files, folders, and volumes
b. Certificates and private keys
c. The global Registry
d. Network servers
2. To encrypt a FAT volume, which of the following utilities can you use?
a. Microsoft BitLocker
b. EFS
c. PGP Whole Disk Encryption
d. FreeOTFE
3. Which of the following tools from Sysinternals monitors Registry data in real time?
a. PsList
b. Handle
c. RegMon
d. PsUpTime



Checkpoint solutions

1. A
2. B
3. C



Unit summary

Having completed this unit, you should be able to:

• Understand the meaning of Memory Forensics
• Understand the steps in extracting data from Memory Forensics
• Understand the specific precautions to be used in extraction and preservation of data from
Memory Forensics
• Understand the chain of Custody, Preservation and Presentation of evidence from Memory
Forensics

