Digital Forensics, Part 2: Live Memory Acquisition and Analysis

In some cases, the forensic investigator will need to grab an image of the
live memory. Remember, RAM is volatile and once the system is turned
off, any information in RAM will be likely lost. This information may include
passwords, processes running, sockets open, clipboard contents, etc. All of
this information must be captured before powering down the system or
transporting it.

In addition, many hard drives are encrypted with such things as TrueCrypt
and the password for these encryption regimes resides in RAM. If the hard
drive is encrypted, then capturing volatile data is even more crucial as the
hard drive information may be unavailable to the forensic investigator
without it.

There are many tools for capturing data from memory, but one company,
Access Data, has been providing their FTK (Forensic Tool Kit) Imager for
years for free and, as a result, it has become the de-facto standard in
image capturing. You can the FTK Imager at Access Data's website.

Step 1: Using the FTK Imager to Capture Memory

Once we have downloaded and installed FTK Imager, we should be

greeted by a screen like that below.
Next, click on the "File" pull down menu and go to the "Capture Memory"
selection.

It will open a window like that below. You will have to select where to store
your memory dump, what to call the file, whether you want to include the
page file (virtual memory), and whether you want to create an AD1 file
(AccessData's proprietary data type).
In my case, I created a directory called "memory dumps", named the file
memdump.mem, included the virtual memory or pagefile, but did not
create an AD1 file. I recommend you do something similar.

When you completed each of these, click the "Capture Memory" button.

This will start a window that will track the progress of your capture. If the
system has a lot of memory, that could take awhile.

Step 2: Volatility Memory Analysis Tool

Analyzing a memory capture is a bit different from a hard drive analysis.

One of the beauties of memory analysis is the ability to actually recreate
what the suspect was doing at the time of the system capture.

Among the most widely used tools for memory analysis is the open-source
tool appropriately named Volatility. It is built into Kali Linux, so there's
no need to download it. Simply transfer the memory image you captured
to your Kali machine and we can begin our analysis.

If you aren't using Kali, you can download volatility from

www.volatilityfoundation.org. It has been ported for Window, Linux,
and Mac OS X, so it will work on nearly any platform.

Step 3: Using Volatility for Analysis

To use Volatility, navigate to /usr/share/volatility

kali > cd /usr/share/volatility

Since Volatility is a python script, you will need to preface the command
with the keyword python. To view the help page, type:

kali > python vol.py -h

This will display a long list a command options.

And plugins.
Before we can do any work on this memory image, we first need to get
the profile of the image. This will retrieve key information from the image.
This profile will then help volatility to determine where in the memory
capture key information resides, as each operating system places
information in different address spaces.

To get the profile, type:

kali > python vol.py imageinfo -f /location of your imagefile

For instance, I put my image on my desktop, so my command would be:

kali > python vol.py imageinfo -f /root/Desktop/memdump.mem

This command will examine the memory file for evidence of the operating
system and other key information.

As you can see in the screenshot above, Volatility identified the OS as

Win7SP0x64 (Windows 7, no service pack, 64-bit). It also identifies AS
layer1 and 2, the number of processors, the service pack, and the physical
address space for each processor, among many other things.

Step 4: Using the Profile

Now that we have recovered the profile of this memory dump, we can
begin to use some of the other functionality of Volatility. For instance, if we
wanted to list the registry hives including SAM, we could use the hiveinfo
plugin by typing:

kali > python vol.py --profile Win7SP1x64 hivelist -f /location of

your image/
Note that Volatility was able to list all of the hives including their virtual
and physical location in RAM.

Parsing out the image profile is crucial, as each operating system stores
information in different places in RAM. Volatility needs to know the profile
(OS, service pack, and architecture) to know where to look in the memory
image for the necessary information. If you put in the wrong profile
information, Volatility will throw errors telling you it can't parse the
information properly. In that case, try another image profile.
Unfortunately, the profile image that this tool provides is not
always correct.

Step 5: Getting the List of Processes

As our next step, let's see if we can find the processes that the suspect
had running when we captured the RAM image. We can do this by typing:

kali > python vol.py --profile Win7SP1x64 pslist -f

/root/Desktop/memdump.mem
Let's break that down:

 python is the interpreter.

 vol.py is the name of the Volatility script.

 --profile Win7SP1x64 is the profile of the system the memory

image was captured from.

 pslist is the plugin to parse out the running processes.

 -f /root/Desktop/memdump.mem is the location of the image file.

As you can see, Volatility has parsed out all the running processes. To
gather even more information from the RAM image, we can use exactly
the same command as above with the exception of changing the name of
the plugin.

To get a list of available plugins you could use, type:

kali > python vol.py -h

Step 6: Getting the Running DLLs

To view the running DLLs on the system, we simply use the dlllist plugin
like below:

kali > python vol.py --profile Win7SP1x64 dlllist -f

/root/Desktop/memdump.mem

As you can see, Volatility parsed out a list of all the running DLLs.
Step 7: Getting the Contents of the System's Clipboard

Sometimes, what the suspect had in their clipboard can be incriminating.

We can retrieve the information from the suspect's RAM by using the
clipboard plugin like below.

kali > python vol.py --profile Win7SP1x64 clipboard -f

/root/Desktop/memdump.mem

Unfortunately, all this information is in hexadecimal and must be

translated to ASCII.

Step 8: Getting a Timeline of Events

Often times, to prove that a suspect actually committed the action they
are accused of, we may need a timeline of events that took place on that
system. We can retrieve this timeline information from the memory image
by using the timeliner plugin like below.

kali > python vol.py --profile Win7SP1x64 timeliner -f

/root/Desktop/memdump.mem
Note that each process is time stamped.

Step 9: Looking for Malware in the Memory

Lastly, let's look for any malware running in the memory of the suspect
system. Volatility has a plugin especially designed for this purpose,
appropriately named malfind. We can use it like any other Volatility
plugin. Simply type the same command as above but replace the name of
the plugin with malfind.

kali > python vol.py --profile Win7SP1x64 malfind -f

/root/Desktop/memdump.mem
As you can see, this suspect had numerous pieces of malware running on
their system. This information may actually be exculpating as the
presence of malware would indicate that someone else had control of the
system and may have committed the actions the suspect is accused of.

Volatility is a powerful memory analysis tool with tens of plugins that

enable us to find evidence of what the suspect was doing at the time of
computer seizure