UNIT – V

Introduction to Memory Forensics:

Memory forensics is a specialized branch of digital forensics focused on the
analysis of a computer’s volatile memory (RAM) to uncover evidence of cyberattacks, malicious
activities, or system anomalies. Unlike storage-based forensics, which deals with data on hard drives
or SSDs, memory forensics provides insights into the live state of a system, capturing dynamic and
ephemeral data crucial for understanding sophisticated cyber threats.
Why Memory Forensics?
Modern cyber threats, such as advanced persistent threats (APTs) and fileless malware, often operate
entirely in memory to evade traditional detection methods like file-based antivirus scans. Memory
forensics plays a vital role in identifying these threats, offering capabilities such as:
1. Detecting Fileless Malware: Many attacks leverage memory to execute malicious payloads
without leaving artifacts on the disk.
2. Investigating Live Attacks: Provides a snapshot of running processes, open network
connections, and user activities during an incident.
3. Recovering Key Evidence: Sensitive data like encryption keys, passwords, or logs may only
exist in memory.
Core Components of Memory Forensics
1. Memory Acquisition: The process of capturing the contents of a system's RAM. This must be
done carefully to avoid altering data.
o Tools: FTK Imager, DumpIt, or Belkasoft RAM Capturer.

2. Memory Analysis: The examination of a memory dump to uncover malicious activities or

anomalies.
o Frameworks: Volatility, Rekall, and Redline.

o Key techniques include analyzing running processes, network connections, and memory-
resident malware.
3. Memory Artifacts: Includes running processes, loaded modules, active network sockets,
injected code, and more.

Memory Forensics:
Memory forensics is a critical aspect of cybersecurity focused on analyzing
a computer's volatile memory (RAM) to uncover evidence of malicious activity, investigate incidents,
and enhance threat detection. Unlike traditional disk forensics, which deals with static data on storage
devices, memory forensics focuses on live system data, which is transient and dynamic.
Key Concepts in Memory Forensics
1. Volatile Memory: RAM is volatile, meaning its contents are lost when a system is powered
down. It contains real-time information such as running processes, network connections, loaded
drivers, and encryption keys.

Intrusion Detection Systems 1

IDS
 2. Artifacts in Memory:
o Active processes and their metadata (e.g., process IDs, memory usage).

o Open network sockets and active connections.

o System handles and loaded modules.

o Suspicious code injections or hooks.

o Malware in memory that doesn't leave traces on disk (fileless malware).

o Cryptographic material (keys, passwords, etc.).

3. When to Use Memory Forensics:

o To analyze malware, particularly fileless or in-memory-only threats.

o During incident response to understand ongoing attacks or lateral movement.

o For forensic investigation post-breach to identify attackers' activities.

o To detect advanced persistent threats (APTs) that operate stealthily.

Tools and Techniques

1. Memory Acquisition:
o Tools like FTK Imager, Belkasoft Live RAM Capturer, and DumpIt are used to create
memory dumps of live systems.
o Forensic soundness is critical to ensure data integrity during acquisition.

2. Memory Analysis Frameworks:

o Volatility Framework: Open-source tool for analyzing memory dumps, supporting
plugins for detecting malware, processes, and more.
o Rekall: Another powerful memory forensics framework with similar capabilities to
Volatility.
o Redline: Combines host forensics and memory analysis, providing user-friendly
interfaces.
3. Key Analysis Techniques:
o Process Analysis: Identifying anomalous or rogue processes.

o Network Analysis: Tracing suspicious network activity.

o Malware Detection: Finding code injections, packed processes, or tampered binaries.

o Cryptographic Key Recovery: Extracting sensitive information from memory.

o Heap and Stack Analysis: Reviewing program-specific memory segments for

exploitation clues.
Applications in Cybersecurity
1. Incident Response:
Intrusion Detection Systems 2
IDS
 o Quick identification of active threats during a breach.

o Detailed timeline reconstruction of malicious activities.

2. Malware Analysis:
o Understanding malicious payloads and behavior without requiring disk artifacts.

3. Threat Hunting:
o Detecting anomalies and fileless malware through behavioral analysis.

4. Digital Forensics:
o Enhancing evidence collection for legal or investigative purposes.

Challenges in Memory Forensics

1. Volatility of Data: Memory data is lost upon shutdown, making real-time acquisition crucial.
2. Anti-Forensics Techniques: Malware and attackers often use techniques like encryption,
obfuscation, or anti-debugging to evade detection.
3. Complexity of Analysis: Requires specialized tools and expertise to interpret low-level data
structures.
4. Compatibility Issues: Different operating systems and architectures require tailored tools and
methods.
Best Practices
 Always acquire memory before shutting down the system to preserve critical data.
 Use trusted and tested tools for memory acquisition and analysis.
 Regularly train teams on memory forensics techniques and emerging threats.
 Integrate memory forensics into your incident response plan to quickly address live threats.
Memory forensics remains an indispensable skill in modern cybersecurity, especially as attackers
evolve toward stealthier, in-memory techniques.

What is HONEYPOT?
A Honeypot is a network-attached system used as a trap for cyber-attackers to detect and study the
tricks and types of attacks used by hackers. It acts as a potential target on the internet and informs
the defenders about any unauthorized attempt at the information system. Honeypots are mostly used
by large companies and organizations involved in cybersecurity.

ADVANTAGES of Honeypot:
Acts as a rich source of information and helps collect real-time data. Identifies malicious activity even
if encryption is used. Wastes hackers’ time and resources. Improves security.

DISADVANTAGES:
Being distinguishable from production systems, it can be easily identified by experienced attackers.
Intrusion Detection Systems 3
IDS
Having a narrow field of view, it can only identify direct attacks.
A honeypot once attacked can be used to attack other systems.
Fingerprinting(an attacker can identify the true identity of a honeypot ).
Based on their deployment, Honeypots are divided into
Research honeypots: These are used by researchers to analyze hacker attacks and deploy different
ways to prevent these attacks.
Production honeypots: Production honeypots are deployed in production networks along with the
server. These honeypots act as a frontend trap for the attackers, consisting of false information and
giving time to the administrators to improve any vulnerability in the actual system.
Automated malicious code analysis system

1. Introduction
Definition: A system designed to automatically identify, analyze, and mitigate malicious code or software.
Purpose: To safeguard systems against cyber threats by detecting malware, viruses, trojans, ransomware, and
other harmful code.

2. Importance
Rising Threats: With the increasing complexity and frequency of cyberattacks, manual analysis is no longer
sufficient.
Speed and Scalability: Automating the process reduces analysis time and enables handling of large volumes of
data.
Accuracy: Minimizes human error, ensuring consistent detection and analysis.
Proactive Defense: Helps in identifying new (zero-day) threats before they cause damage.

3. Key Components
1. Data Collection:
Sources: Network traffic, emails, file uploads, websites, and logs.
Tools: Packet sniffers, log analyzers, and file scanners.
2. Static Analysis:
Examines code without execution.
Techniques:
Disassembly: Converts binary code into a human-readable format.
String Analysis: Searches for suspicious patterns like URLs or IPs.
Signature Matching: Compares against known malware signatures.
3. Dynamic Analysis:
Observes behavior by executing code in a controlled environment.
Techniques:
Sandboxing: Isolates code execution to monitor its behavior safely.
API Monitoring: Tracks calls made by the program to system resources.
4. Machine Learning:
Trains models to detect anomalies and classify benign/malicious code.

Examples:
Clustering similar behaviors.
Predicting new threats using supervised/unsupervised learning.
5. Visualization and Reporting:
Presents findings in an understandable format.
Dashboards and alerts for administrators.
Intrusion Detection Systems 4
IDS
4. Challenges:
Evasion Techniques: Malware authors use obfuscation, encryption, and polymorphism to evade detection.
False Positives/Negatives: Balancing precision and recall is difficult.
Resource Intensity: Dynamic analysis requires significant computational power.
Continuous Updates: Systems need regular updates to keep up with new malware techniques.

5. Applications
Enterprise Security: Protects company data and systems.
Government Defense: Detects nation-state cyber threats.
Cloud Security: Monitors and defends cloud infrastructure.
Individual Users: Tools like antivirus programs.

6. Tools and Frameworks

Open Source: Cuckoo Sandbox, VirusTotal API.
Commercial Solutions: FireEye, Palo Alto WildFire.
Programming Languages: Python, C++, or Java for building such systems.

7. Future Trends
AI-Driven Analysis: Greater reliance on deep learning for detecting sophisticated malware.
Behavioral Analysis: Shift towards analyzing program intentions over static/dynamic properties.
Real-Time Monitoring: Systems that work seamlessly in live environments.
Integration: Unified systems combining multiple analysis techniques.

Intrusion Detection Systems (IDS)

What is an Intruder ?

An Intruder is an automated system that attempts to gain unauthorized access to a

system, network or a resource.

Goal  To exploit vulnerabilities for malicious purposes such as stealing data,

disrupt services ,or causing damage.

Types of Intruders

 External Intruders:

Unauthorized users outside the organization who try to infiltrate systems.

Example: Hackers, cybercriminals.

 Internal Intruders:

Authorized users within the organization who misuse their access.

Example: Disgruntled employees or insiders exploiting privileges.

 Automated Intruders:

Malware or bots programmed to scan for and exploit vulnerabilities.

Example: Worms, ransomware, or phishing bots.

Intrusion Detection Systems 5

IDS
Intrusion Detection Systems (IDS)

An Intrusion Detection Systems IDS is a security tool that monitors a

computer network or system for unusual or harmful activities.

It identifies unauthorized access, potential threats, and abnormal behavior.

When suspicious activity is detected, it alerts administrators to take action.

Intrusion Detection Systems 6

IDS
Types of IDS

1. Network Intrusion Detection System (NIDS)

A NIDS monitors network traffic at strategic points, like subnets.

It examines data from all devices in the network and checks it against known
attack patterns.

How it works:

Observes passing traffic and detects abnormal behavior or known attacks.

Sends alerts to administrators if suspicious activity is found.

Example Installed near firewalls to detect attempts to bypass them.

NIDS is ideal for monitoring and securing entire network segments.

2. Host Intrusion Detection System (HIDS)

A Host Intrusion Detection System HIDS runs on individual devices in a
network.

It monitors incoming and outgoing packets specific to the device.

How it works:

Takes a snapshot of system files and compares it with previous snapshots.

Alerts the administrator if files are modified or deleted.

Example Used on mission-critical machines where system changes are rare.

HIDS is ideal for detecting suspicious activities on standalone devices.

3. Hybrid Intrusion Detection System (Hybrid IDS)

Combines multiple intrusion detection approaches (e.g., HIDS and NIDS.

How it works:

Intrusion Detection Systems 7

IDS
 Merges host system data with network information for a complete view of the
system.

Advantages:

More effective than standalone IDS types.

Example Prelude is a commonly used Hybrid IDS.

Hybrid IDS offers a comprehensive solution for detecting threats across hosts and
networks.

Detection Method of IDS

1. Signature-Based Detection Method

Detects attacks using specific patterns called signatures (e.g., byte

sequences or known malicious instructions).

Strengths:

Effective against attacks with pre-existing, known patterns.

Limitations:

Cannot detect new or unknown malware attacks since their patterns are
not yet available.

This method is fast and accurate for known threats but less effective for zero-day
attacks.

2. Anomaly-Based Detection Method

Designed to detect unknown malware by identifying unusual activity.

How it works:

Uses machine learning to create a model of normal, trustworthy activity. Flags

anything that deviates from this model as suspicious.

Advantages:

Intrusion Detection Systems 3

IDS
 Can adapt to different applications and hardware configurations.

More effective than signature-based methods for detecting new threats.

Anomaly-based IDS is ideal for identifying zero-day and evolving attacks.

IDS Advantages and Disadvantages

Aspect Advantage Disadvantage

Detectio Early threat detection and quick

Prone to false alarms
n response
Capabilit
y
Detection only, cannot block
Security Impact Strengthens overall
attacks
cybersecurity
Continuous 24/7
Monitoring Heavy resource consumption
network monitoring

System Provides detailed alerts Requires complex setup and

Management for investigation expertise

Needs constant updates

Maintenance Keeps security measures
and tuning
current

Difference Between IDS and Firewall

A Firewall:

Acts as a gatekeeper, blocking unauthorized access between networks.

Focuses on preventing intrusions from outside the network.

Does not alert if the attack originates inside the network.

An IDS:

Monitors for intrusions and alerts when a suspected attack occurs.

Works after an intrusion has been detected.

Both are key to network security but serve different purposes!

Conclusion

IDS is a vital component of a robust cyber security strategy.

Intrusion Detection Systems 4

IDS
 While not a standalone solution, it complements other tools like firewalls and
antivirus software.

Continuous evolution, especially with AI, ensures IDS remains relevant in

tackling advanced cyber threats.

IDS is Powerful but needs careful handling! 🚀

Intrusion Detection Systems 5

IDS
 Malicious Code Naming

Malicious code refers to harmful software or scripts that attack systems,

networks, or data. Proper naming conventions help classify, track, and

respond to these threats effectively.

Common Types of Malicious Code

 Viruses Attach to programs and spread when the host runs.

Example: Macro viruses, file-infecting viruses.

 Worms Replicate and spread independently across networks.

Example: Morris Worm, ILOVEYOU.

 Trojan Horses Disguised as legitimate software but

contain malicious components.

Example: Fake antivirus programs.

 Spyware Collects sensitive data without permission.

Example: Keyloggers, adware.

 Ransomware Encrypts files, demanding payment to restore access.

Example: WannaCry, Locky.

 Backdoors Enables unauthorized access by bypassing authentication.

Example: Rootkits.

 Logic Bombs Trigger harmful actions when specific conditions are met.

Example: Date-triggered attacks.

 Bots and Botnets Infected devices used for large-scale attacks.

Example: Mirai botnet.

Intrusion Detection Systems 6

IDS