
Topic 9. Mem-Forensics

The document discusses memory forensics, focusing on the process of capturing and analyzing a computer's physical memory (RAM) to extract forensic artifacts. Key concepts include user/kernel mode, virtual memory, and various formats for memory capture. It highlights tools like Volatility and Autopsy for analysis and provides a practice example for hands-on learning.

Uploaded by khoiclever

Topic 9. Mem-Forensics
(Memory Forensics with Volatility)

Because teaching teaches teachers to teach
Key concepts

• Memory management at a glance
• User/kernel mode
• Virtual memory to physical memory
• What can be found in memory
• Memory forensics
• The process of memory forensics
• Various formats
• Capture memory
• Analyze memory
• Practice example
Memory management at a glance
User/kernel Mode

• Memory protection.
• Location of both modes in RAM.
• Page directory and page table?
• User mode vs. kernel mode?
Virtual Memory to physical memory
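The page-directory/page-table question above is exactly what an analysis tool such as Volatility has to answer when it reads a raw dump: it must walk the page tables itself to turn a virtual address into an offset in the image. The following is an added example, not code from the slides or from Volatility; it implements the classic 32-bit non-PAE x86 walk over a constructed image whose layout (CR3 at 0x1000, a page table at 0x2000, a data page at 0x5000, a large-page entry) is hypothetical and chosen only for illustration.

```python
import struct

PAGE_MASK = 0xFFFFF000
PRESENT = 1 << 0      # bit 0 of a PDE/PTE: entry is valid
LARGE_PAGE = 1 << 7   # PS bit of a PDE: maps a 4 MiB page directly (non-PAE)

def split_va(va):
    """Split a 32-bit virtual address into (PD index, PT index, page offset)."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF

class RawDump:
    """Minimal view over a linear raw image (.dd/.img): file offset == physical address."""
    def __init__(self, data):
        self.data = data
    def read_u32(self, paddr):
        if paddr + 4 > len(self.data):
            raise ValueError(f"physical address {paddr:#x} is outside the image")
        return struct.unpack_from("<I", self.data, paddr)[0]

def translate(dump, cr3, va):
    """Walk page directory -> page table; return physical address or None if not present."""
    pdi, pti, off = split_va(va)
    pde = dump.read_u32(cr3 + pdi * 4)
    if not pde & PRESENT:
        return None
    if pde & LARGE_PAGE:                      # 4 MiB page: no page-table level
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = dump.read_u32((pde & PAGE_MASK) + pti * 4)
    if not pte & PRESENT:
        return None
    return (pte & PAGE_MASK) | off

def read_virtual(dump, cr3, va, n):
    """Read n bytes at a virtual address (within one page) via the page tables."""
    paddr = translate(dump, cr3, va)
    if paddr is None:
        raise ValueError(f"virtual address {va:#x} is not mapped")
    return dump.data[paddr:paddr + n]

def build_sample_dump():
    """Constructed 64 KiB image (hypothetical layout): CR3 at 0x1000, page table at 0x2000,
    VA 0x00401000 -> phys 0x5000, VA 0x00402000 unmapped, PDE 3 a 4 MiB large page."""
    img = bytearray(0x10000)
    cr3 = 0x1000
    struct.pack_into("<I", img, cr3 + 1 * 4, 0x2000 | PRESENT)
    struct.pack_into("<I", img, cr3 + 3 * 4, 0x00400000 | LARGE_PAGE | PRESENT)
    struct.pack_into("<I", img, 0x2000 + 1 * 4, 0x5000 | PRESENT)
    img[0x5000:0x5008] = b"MZ\x90\x00\x03\x00\x00\x00"   # a PE header in the mapped page
    return RawDump(bytes(img)), cr3
```

A page whose PTE lacks the present bit (swapped out, or never mapped) cannot be read from RAM alone, which is why a hiberfil.sys or pagefile is sometimes needed alongside the dump.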
What can be found in memory

• The running processes.
• The running threads.
• Passwords/keys and other information.
• Live registry hives.
• Live chats and login information.
• Malware presence.
• …
Memory Forensics

• Memory forensics refers to finding and extracting forensic artifacts from a computer's physical memory (RAM). RAM contains critical information about the runtime state of the system.
• By capturing an entire copy of RAM and analyzing it on a separate computer, it is possible to reconstruct the state of the original system:
  • which applications were running,
  • which network connections were active, and
  • many other artifacts.
The Process of Memory Forensics

• Capture the memory.
• Analyze the memory.
• Reconstruct the memory state.
Various Formats

• Raw dump (linear format, .img, .dd)
• Windows crash dump format (.bin)
• Hiberfil.sys
• Commercial tool formats
Capture memory

Use one of these tools:

• MemoryDump.
• Win32dd/win64dd.
Analyze memory

A collection of open source forensic tools:

• Autopsy provides an easy-to-use GUI for the investigator.
• Volatility: a free tool for extracting digital artifacts from volatile memory samples.
Practice Example

• Go to labs.

Q&A