RAM Forensics
Capturing RAM
• HELIX
• WIN32DD
• FTK Imager 2.7.0
Win32dd.exe
• Light Client
• Included on the Helix CD in the IR folder
• Can be downloaded and placed on a USB drive or a CD.
• Creates a standard DD memory dump.
Win32dd.exe
• Standard dump syntax
• Syntax to dump local memory to an attached F: drive:
• Win32dd /d /f F:\memdump
Volatility – It’s Free
• Download and install
• Volatility and Python 2.6
• Python is a scripting language; Volatility is a set of plug-ins written in Python that run under it.
• Make sure you put a copy of the Python executable in the Volatility directory; it will make the command line a lot easier.
Let’s get started
• Install Python 2.6 from the class DVD
• Install Volatility 1.3 Beta from the class DVD
• Place the file memdump at the root of C:
• Create a folder at the root of C: called “evidence”
• Place a copy of the Python executable in the Volatility directory
What can Volatility do for you
• Open connections
• Dump addressed memory
• List running processes
• List open files
• Much, much more
• Let’s take a look at the default commands.
Let’s get started
• Move to the volatility directory
• “cd C:\volatility-1.3_Beta”
• Type “python volatility”
VOLATILITY COMMANDS
Volatility command line
• The syntax to run a command is listed below; by default the output is printed to the screen.
• python volatility <command> -f <path to image>
• python volatility datetime -f C:\memdump
• We can also redirect the output to text files.
• python volatility datetime -f C:\memdump > C:\evidence\datetime.txt
datetime
• python volatility datetime -f C:\memdump
• Now let’s create a text file:
• python volatility datetime -f C:\memdump > C:\evidence\datetime.txt
pslist
• pslist, or process list, is going to give us the reference numbers we need through the rest of the examination.
• PID – Process ID
• PPID – Parent process ID.
Run pslist
• python volatility pslist -f C:\memdump
• Run it and direct it to a text file:
• python volatility pslist -f C:\memdump > C:\evidence\pslist.txt
sockscan
• This is going to list open connections by PID (Process ID).
• python volatility sockscan -f C:\memdump
• Dump it to a file:
• python volatility sockscan -f C:\memdump > C:\evidence\sockscan.txt
connscan
• This will give you a list of open connections and IP addresses.
• python volatility connscan -f C:\memdump
Other useful commands to try on your own
• files will dump a list of open files.
• dlllist will print the loaded DLL files.
• ident will print the image information.
VAD Dump
• We’re going to dump the address space for every process into a RAW file that we can then search.
• This will take up about the same amount of space as your image.
• The syntax is a bit different for the output:
• python volatility vaddump -f C:\memdump -d C:\evidence\
Virus
• Windows Defender loads some virus signatures into RAM, and Windows Defender is actually hitting on its own virus signatures that we just carved out of RAM.
• I sent Microsoft the list and they confirmed that the items I hit on were the ones they load.
Pull the entire Evidence folder into EnCase as single files.
• Let’s search for some keywords:
• Passwd.
Does “%55%53%53%53%45%43%54%46%39%21%40” look familiar? It should; that’s Google Talk storing our password as hex in plain text. Let’s convert:
• 55=U
• 53=S
• 53=S
• 53=S
• 45=E
• 43=C
• 54=T
• 46=F
• 39=9
• 21=!
• 40=@
• The password for the Google Talk and Gmail account usssectf@gmail.com is “USSSECTF9!@”.
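As an added example (not from the original slides and not a Volatility command), the script below generalizes the manual conversion above: it searches dump data for runs of %XX escapes in the form Google Talk used, decodes each run and reports its offset, so the same check can be run over a whole vaddump output file. The sample dump bytes and the function names are constructed for this example.

```python
import mmap
import re

def hex_run_pattern(min_escapes=4):
    """Regex for a run of at least min_escapes '%XX' escapes (the Google Talk form)."""
    return re.compile(rb'(?:%%[0-9A-Fa-f]{2}){%d,}' % min_escapes)

def decode_hex_run(token):
    """Decode b'%55%53%53' -> 'USS'; unprintable bytes are rendered as \\xNN."""
    raw = bytes(int(h, 16) for h in token.decode('ascii').split('%')[1:])
    return ''.join(chr(b) if 32 <= b < 127 else '\\x%02x' % b for b in raw)

def carve_hex_strings(data, min_escapes=4):
    """Return (offset, raw_token, decoded) for every percent-hex run in data.

    data may be bytes or an mmap, so a whole dump file can be scanned in place."""
    hits = []
    for m in hex_run_pattern(min_escapes).finditer(data):
        token = m.group(0)
        hits.append((m.start(), token.decode('ascii'), decode_hex_run(token)))
    return hits

def carve_file(path, min_escapes=4):
    """Scan a memory image or vaddump output file without reading it all into memory."""
    with open(path, 'rb') as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_hex_strings(mm, min_escapes)

# Constructed sample standing in for a slice of a vaddump file; not real evidence.
SAMPLE_DUMP = (b'\x00\x00talk.google.com\x00user=usssectf@gmail.com\x00'
               b'pw=%55%53%53%53%45%43%54%46%39%21%40\x00%41%42\x00junk')

if __name__ == '__main__':
    # The short '%41%42' run is below the default minimum and is skipped as noise.
    for offset, token, decoded in carve_hex_strings(SAMPLE_DUMP):
        print('0x%08x  %s  ->  %s' % (offset, token, decoded))
```

Lower min_escapes when hunting for short tokens, at the cost of more false hits from unrelated URL-encoded data.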
We find some plain text in the WINWORD dump file.
We find an entire .txt file in the Notepad dump file.
Volatility EnScripts
• Takahiro Haruyama's Memory Forensics Toolkit.
• http://cci.cocolog-nifty.com/blog/2010/02/encase-enscri-1.html
• Article about HBGary missing rootkits
• http://cci.cocolog-nifty.com/blog/2010/02/hbgary-responde.html
EnScripts Cont.
• Open the ZIP file and copy the three folders into your
• C:\Program Files\EnCase6\EnScript directory
FTK3 RAM Analysis
Next steps
• This is just a preliminary introduction to Volatility, and I encourage you to play with some of the other commands like memdmp.
• Some other tools that can help with RAM analysis are “strings” from Sysinternals, which can take your memdmp output and kick out the Unicode to a text file.
• I am far from an expert, but let me know if I can help with anything.
Other Specific Tools
• Skypeex will run against a strings file and dump Skype chat files (included with DVD).
• Pdgmail, Gmail from RAM (www.jeffbryner.com/code/pdgmail).