Introduction to Memory Forensics
We've focused on sources of evidence that are nonvolatile, that is, evidence that can be recovered both from a dead disk image and from a live, booted system.
Memory forensics is the branch of digital forensics that focuses on the analysis of a computer's volatile memory (RAM).
A memory image is a snapshot of the system at the moment of acquisition, giving investigators a near real-time picture of the system while it was in use.
Memory forensics is time sensitive: the information of interest lives in volatile memory, and if the system is restarted or powered off that information is lost. Even on a running system, memory is constantly being reallocated and overwritten, so the longer acquisition is delayed the less of the original state survives.
Although some of this information is accessible via the Windows API, directly parsing and reconstructing the raw contents of memory yields the most reliable, tamper-resistant results, because API calls can be hooked or subverted by malware running on the system.
What kinds of evidence can you obtain from memory? The list is extensive and ever growing as memory forensics toolkits continue to evolve, but it includes the following:
1. Running processes and the system objects/resources with which they interact (open handles to files, registry keys, mutexes)
2. Active network connections and listening sockets
3. Loaded drivers and kernel modules
4. User credentials (which may be hashed, obfuscated, or even appear in clear text)
5. Portions of nonvolatile sources of evidence such as the registry, event logs, and the Master File Table
6. Remnants of previously executed console commands
7. Remnants of clear-text data that is otherwise encrypted on disk
8. Important data structures within the kernel that provide insight into process accounting, behavior, and execution
Tools such as the Volatility Framework and Redline can parse an acquired memory image and extract the artifacts listed above.
The Pagefile
The pagefile (pagefile.sys on Windows) provides a secondary storage location, typically residing on a slower fixed drive, for data used by running processes that cannot fit within physical memory. Pages that have been swapped out are absent from a RAM capture, so the pagefile (and the hibernation file, hiberfil.sys, when present) should be acquired alongside the memory image, so that analysis tools that support it can follow page-table entries into the swapped-out pages and reconstruct complete process address spaces.
Memory Acquisition Techniques
The approach you take during the acquisition phase depends mostly on the scenario you are presented with and the requirements of the case, and on the operating system the host is running: the available tools, the format of the resulting image, and the kernel structures needed to interpret it all differ between Windows, Linux and macOS.
Dumping Memory
Techniques like live response, hibernation file extraction (hiberfil.sys), and memory imaging are employed to acquire the volatile memory of a system.
Physical Memory Extraction
Tools such as win32dd and F-Response are utilized to access physical memory, including the RAM modules, for acquisition purposes.
Network Memory Acquisition
Forensics tools enable the extraction of memory over network protocols such as InfiniBand and Remote Direct Memory Access (RDMA).
Whatever the method, acquiring memory from a live host unavoidably alters some of it (the acquisition tool itself must be loaded and run), so use a tool with a small footprint, record the exact acquisition time, and hash the resulting image immediately so that its integrity can be verified later.
Memory Analysis Tools and Techniques
1 Volatile Data Examination
Tools like Volatility help in extracting critical information from memory dumps, supporting malware analysis and incident response. Volatility is an open source framework for analyzing RAM, with support for Windows, Linux and macOS. It can analyze raw dumps, Windows crash dumps, and VMware and VirtualBox memory snapshots, provided the symbol tables (profiles) matching the target kernel are available.
2 Pattern Matching
Pattern matching scans the raw image for byte signatures (kernel pool tags, PE headers, known malicious strings, YARA rules) to locate objects and code without relying on the operating system's own lists, which a rootkit may have unlinked or altered. Because short signatures produce false positives, each hit should be validated against the structure expected around it.
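The following is an added example, not code from the original page or from any tool it names. It applies the signature-scanning approach that tools such as Volatility's psscan and malfind use: find a byte pattern, then validate the structure around it before trusting the hit. Here the signature is the PE "MZ" header, and each candidate is confirmed by following e_lfanew to the "PE\0\0" signature. MEMORY_IMAGE, build_pe_stub and the offsets are all constructed for illustration.

```python
"""Pattern-matching scan of a raw memory image for embedded PE images.

Added example, not code from the original page or from any tool it names. It
applies the approach that signature scanners such as Volatility's psscan and
malfind use: locate objects by a byte pattern and then validate the surrounding
structure, rather than trusting lists the operating system (or a rootkit)
maintains. MEMORY_IMAGE is a constructed buffer, not a real capture.
"""
import re
import struct

MZ_MAGIC = b"MZ"                  # IMAGE_DOS_HEADER.e_magic
PE_MAGIC = b"PE\x00\x00"          # IMAGE_NT_HEADERS.Signature
E_LFANEW_OFFSET = 0x3C            # DWORD in the DOS header pointing to the NT headers
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}


def build_pe_stub(machine: int) -> bytes:
    """Construct a minimal, structurally valid PE header (DOS header, PE
    signature, 20-byte IMAGE_FILE_HEADER). Synthetic test data only."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 3, 0x5F000000, 0, 0, 0xF0, 0x0102)
    return bytes(dos) + PE_MAGIC + coff


def carve_pe_headers(image: bytes) -> list:
    """Return (offset, machine, section_count) for every 'MZ' in `image`
    whose e_lfanew points at a valid 'PE\\0\\0' signature.

    'MZ' alone is two printable bytes and matches constantly in text and random
    data, so each candidate is validated against the PE signature and a sane
    e_lfanew before it is reported.
    """
    hits = []
    for match in re.finditer(re.escape(MZ_MAGIC), image):
        off = match.start()
        if off + E_LFANEW_OFFSET + 4 > len(image):
            continue
        (e_lfanew,) = struct.unpack_from("<I", image, off + E_LFANEW_OFFSET)
        pe_off = off + e_lfanew
        # Real e_lfanew values are small; reject anything implausible or out of bounds
        if not 0x40 <= e_lfanew <= 0x400 or pe_off + 4 + 20 > len(image):
            continue
        if image[pe_off:pe_off + 4] != PE_MAGIC:
            continue
        machine, nsections = struct.unpack_from("<HH", image, pe_off + 4)
        hits.append((off, MACHINE_NAMES.get(machine, hex(machine)), nsections))
    return hits


# Constructed memory image: zero filler, an x64 PE, an 'MZ' decoy with no PE
# header behind it, then an x86 PE at an unaligned offset.
MEMORY_IMAGE = (
    b"\x00" * 0x1000
    + build_pe_stub(0x8664)
    + b"\x00" * 0x200
    + b"MZ also appears in ordinary text such as this e-mail body"   # decoy
    + b"\x00" * 0x300
    + build_pe_stub(0x014C)
    + b"\x00" * 0x100
)

if __name__ == "__main__":
    for off, machine, nsections in carve_pe_headers(MEMORY_IMAGE):
        print(f"PE header at 0x{off:08x}: {machine}, {nsections} sections")
```

The decoy is the point of the example: a scanner that reported every "MZ" would flag it, while one that checks e_lfanew and the PE signature reports only the two real headers. Real tools go further and validate the optional header and section table before carving the image out.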
3 API Hooking
API hooking redirects a function's first instructions or its import-table entry to other code. Monitoring tools use it to observe program behavior; malware and rootkits use it to hide processes, files and network connections. Memory forensics tools look for such hooks in a dump, both to detect the malicious code and because a hooked API cannot be trusted to report accurate data during live response.
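As an added example (not code from the original page or from Volatility), the check below is the one a Volatility-style apihooks plugin performs on an acquired image: compare a function's entry bytes with the expected prologue, decode any unconditional jump, and flag the function when control leaves the module that owns it. The module bounds, addresses and byte strings in SNAPSHOT are constructed; the hypothetical kernel32.dll mapping and its exports are illustration only.

```python
"""Detect inline (trampoline) hooks on API functions in a memory image.

Added example, not code from the original page or from Volatility. It performs
the check a Volatility-style apihooks plugin does: compare the first bytes of an
exported function as found in the dump with a known-good prologue, decode any
unconditional jump, and flag transfers whose destination lies outside the
module that owns the function. Module bounds, addresses and byte strings are
all constructed for illustration; nothing here is read from a real system.
"""
import struct

# Standard hot-patchable MSVC x86 prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


def decode_jump(addr: int, code: bytes):
    """Return (target, description) if `code` starts with an unconditional
    control transfer commonly used by trampolines, else None. `addr` is the
    virtual address of `code`, needed to resolve relative jumps."""
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        (rel,) = struct.unpack_from("<i", code, 1)
        return (addr + 5 + rel) & 0xFFFFFFFF, "jmp rel32"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32; ret
        (imm,) = struct.unpack_from("<I", code, 1)
        return imm, "push imm32; ret"
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":  # mov eax,imm32; jmp eax
        (imm,) = struct.unpack_from("<I", code, 1)
        return imm, "mov eax, imm32; jmp eax"
    return None


def check_function(name, addr, code, module_range):
    """Classify one function's entry bytes. module_range is (base, end) of the
    module that legitimately owns the function."""
    base, end = module_range
    if code.startswith(CLEAN_PROLOGUE):
        return {"function": name, "hooked": False, "reason": "prologue intact"}
    jmp = decode_jump(addr, code)
    if jmp is None:
        return {"function": name, "hooked": True,
                "reason": "prologue modified, no recognised trampoline"}
    target, kind = jmp
    if base <= target < end:
        # Some exports legitimately start with a jmp to a sibling routine in
        # the same module (forwarders, hot-patch stubs); do not flag those.
        return {"function": name, "hooked": False,
                "reason": f"{kind} to 0x{target:08x} stays inside module"}
    return {"function": name, "hooked": True, "target": target,
            "reason": f"{kind} to 0x{target:08x} leaves module"}


def scan(functions, module_range):
    """Run check_function over a {name: (addr, first_bytes)} table and return
    the names of hooked functions."""
    return [r["function"] for r in
            (check_function(n, a, c, module_range) for n, (a, c) in functions.items())
            if r["hooked"]]


def jmp_rel32(addr: int, target: int) -> bytes:
    """Encode 'jmp rel32' from addr to target (builder for the test data)."""
    return b"\xe9" + struct.pack("<i", target - (addr + 5))


# Constructed snapshot of a hypothetical kernel32.dll mapped at 0x75A00000,
# with the first 8 bytes of four exports as they appear in the dump.
KERNEL32_RANGE = (0x75A00000, 0x75AC0000)
SNAPSHOT = {
    "CreateFileW": (0x75A31234, CLEAN_PROLOGUE + b"\x83\xec\x10"),
    # Patched: jumps into an unbacked region at 0x00401000 (outside the DLL)
    "WriteFile":   (0x75A32000, jmp_rel32(0x75A32000, 0x00401000) + b"\x90\x90\x90"),
    # Intra-module forwarder: jumps 0x800 bytes ahead, still inside kernel32
    "ReadFile":    (0x75A33000, jmp_rel32(0x75A33000, 0x75A33800) + b"\x90\x90\x90"),
    # Patched with push/ret to injected code
    "CloseHandle": (0x75A34000, b"\x68" + struct.pack("<I", 0x00402000) + b"\xc3\x90\x90"),
}

if __name__ == "__main__":
    for name, (addr, code) in SNAPSHOT.items():
        print(check_function(name, addr, code, KERNEL32_RANGE))
```

Two of the four constructed exports are flagged; the intra-module jump on ReadFile is deliberately left alone, because compilers and loaders produce such forwarders legitimately, and flagging every non-standard prologue buries real hooks in noise.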
Forensic Analysis of Recycle Bin
1 Recycle Bin Contents
Analysts recover deleted files, folders, and documents from the Recycle Bin to retrieve potentially crucial evidence. On Vista and later each item lives under $Recycle.Bin\<SID>\ as a pair of files: a $R file holding the content and a $I file holding its metadata.
2 Metadata Examination
The $I metadata records the item's original path, original size, and deletion timestamp, which helps trace the origin of the file and the activities performed on it prior to deletion, and ties the deletion to the user whose SID owns the folder.
3 Data Carving
Once the Recycle Bin has been emptied, the $R and $I entries are unlinked but their clusters remain until overwritten; specialized forensic tools carve such remnants from unallocated space and slack.
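To make the metadata step concrete, here is an added example (not code from the original page) that parses $I records in both on-disk layouts: version 1 (Vista through 8.1, fixed 520-byte UTF-16LE path) and version 2 (Windows 10 and later, 4-byte character count followed by the path). The records it decodes are built by build_i_record for a hypothetical user "alice"; no real system data is involved.

```python
"""Parse Windows Recycle Bin $I metadata records.

Added example, not code from the original page. From Vista onward each deleted
item lives under $Recycle.Bin\\<SID>\\ as a pair of files: $R<id> holds the
content and $I<id> the metadata (original size, deletion time, original path).
Version 1 records (Vista through 8.1) store the path in a fixed 520-byte
UTF-16LE field; version 2 (Windows 10 and later) stores a 4-byte character
count followed by the path. The records parsed below are constructed with
build_i_record, not taken from a real system.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520          # 260 UTF-16 code units (MAX_PATH)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic to avoid
    float rounding at 10^16 microsecond magnitudes."""
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 10**6 + td.microseconds
    return micros * 10


def parse_i_record(data: bytes) -> dict:
    """Decode a $I record into version, original size, deletion time and path."""
    if len(data) < 24:
        raise ValueError("record too short for $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I record version {version}")
    # Path is NUL-terminated UTF-16LE; drop the terminator and any padding
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_i_record(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Construct a $I record for testing (the inverse of parse_i_record)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        if len(encoded) > V1_PATH_BYTES:
            raise ValueError("path exceeds MAX_PATH for a v1 record")
        return header + encoded.ljust(V1_PATH_BYTES, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


# Constructed records for a hypothetical user
DELETED_AT = datetime(2024, 1, 15, 12, 30, 0, tzinfo=timezone.utc)
SAMPLE_V2 = build_i_record(2, 48213, DELETED_AT, r"C:\Users\alice\Documents\q4-forecast.xlsx")
SAMPLE_V1 = build_i_record(1, 1024, DELETED_AT, r"C:\Users\alice\Desktop\notes.txt")

if __name__ == "__main__":
    for rec in (SAMPLE_V1, SAMPLE_V2):
        info = parse_i_record(rec)
        print(f"v{info['version']}  {info['deleted'].isoformat()}  "
              f"{info['size']:>8} bytes  {info['path']}")
```

The deletion time is stored in UTC as a FILETIME, so the conversion keeps the datetime timezone-aware; converting to local time is a presentation step that should be done once, at reporting time, to avoid skewing a timeline built from several sources.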
Server Log Analysis for Memory Forensics
A server log file is a plain text record of the activity of a particular server over a given period (for example, one day). It is created and maintained automatically by the server software and gives detailed insight into how, when, and by whom a website or application was accessed: requests, response codes, server errors, authenticated users, and a host of additional data. Reviewing these logs lets you determine what caused an issue on the server and pinpoint potential security incidents; in a memory investigation they establish when and from where suspicious activity occurred, which scopes which hosts to image and anchors the timestamps to look for in the memory timeline.
Access Logs
Forensic experts leverage server access logs for tracing memory-related activities, including unauthorized access and data breaches.
Security Incidents
Analyzing server logs can reveal vital data about security events such as malware infections and system intrusions, complementing what memory forensics recovers from the affected hosts.
Communication Traces
Log files provide traces of communication activities, helping to recreate the sequence of events that feeds into the memory forensics analysis.
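The following added example (not code from the original page) shows how access-log triage scopes a memory investigation in practice: it parses combined-format lines, flags path-traversal attempts and authentication brute force, and reports the time window and source addresses involved so the analyst knows which hosts to image and which timestamps to look for in memory. SAMPLE_LOG and every address in it are constructed; the detection thresholds are illustrative.

```python
"""Triage a web server access log to scope a memory investigation.

Added example, not code from the original page. It parses Apache/nginx
combined-format access log lines, flags path-traversal attempts and
authentication brute force, and reports the time window in which the suspicious
activity occurred: the hosts and timestamps an analyst should prioritise when
deciding what to image and what to look for in the memory timeline. The log
lines and addresses in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common/combined log format up to the response size; referrer and agent are ignored
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# '../' in plain, URL-encoded and mixed forms
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e(?:%2f|/|%5c))", re.IGNORECASE)


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, fail_threshold: int = 5) -> dict:
    """Scan a list of log lines and return findings, the time window they span
    and the number of lines that did not parse (which deserve a look themselves)."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    for e in events:
        if TRAVERSAL_RE.search(e["path"]):
            findings.append({"type": "path_traversal", "ip": e["ip"],
                             "ts": e["ts"], "detail": e["path"]})
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["status"] in (401, 403)]
        if len(fails) < fail_threshold:
            continue
        last_fail = max(e["ts"] for e in fails)
        # A 2xx/3xx from the same client after the failures suggests the
        # credentials were eventually guessed
        succeeded = any(e["ts"] > last_fail and 200 <= e["status"] < 400 for e in evs)
        findings.append({"type": "brute_force_success" if succeeded else "brute_force",
                         "ip": ip, "ts": fails[0]["ts"],
                         "detail": f"{len(fails)} auth failures"
                                   + (", then success" if succeeded else "")})
    window = None
    if findings:
        window = (min(f["ts"] for f in findings), max(f["ts"] for f in findings))
    return {"findings": findings, "window": window,
            "unparsed": len(lines) - len(events)}


SAMPLE_LOG = """\
192.0.2.10 - - [15/Jan/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5123
203.0.113.7 - - [15/Jan/2024:12:01:10 +0000] "POST /admin/login HTTP/1.1" 401 213
203.0.113.7 - - [15/Jan/2024:12:01:11 +0000] "POST /admin/login HTTP/1.1" 401 213
203.0.113.7 - - [15/Jan/2024:12:01:12 +0000] "POST /admin/login HTTP/1.1" 401 213
203.0.113.7 - - [15/Jan/2024:12:01:13 +0000] "POST /admin/login HTTP/1.1" 401 213
203.0.113.7 - - [15/Jan/2024:12:01:14 +0000] "POST /admin/login HTTP/1.1" 401 213
203.0.113.7 - - [15/Jan/2024:12:01:15 +0000] "POST /admin/login HTTP/1.1" 302 0
198.51.100.23 - - [15/Jan/2024:12:05:42 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1874
192.0.2.10 - - [15/Jan/2024:12:06:00 +0000] "GET /about.html HTTP/1.1" 200 2211
this line is not in common log format
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['ts'].isoformat()}  {f['type']:<20} {f['ip']:<15} {f['detail']}")
    print("window:", result["window"], "unparsed lines:", result["unparsed"])
```

The returned window (12:01:10 to 12:05:42 in the constructed data) is what you carry into the memory analysis: processes created, network connections opened and credentials loaded in that interval are the first things to examine in the image, and the unparsed line count is a reminder that malformed or injected log entries are themselves an indicator.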
Memory Forensics for Google Services
Gmail Investigations
Memory forensics is applied to extract artifacts from Gmail caches, providing insights into email-related activities and communication traces.
Google Drive Analysis
Analysis of memory content associated with Google Drive assists in assessing file sharing, file access, and file deletion patterns.
Memory Forensics for Chrome
Chrome's memory structures are analyzed to trace browser history, cache, cookies, and downloads, aiding forensic investigations. Because Chrome holds session data, form input and decrypted cookies in process memory, artifacts that never reach disk, such as incognito browsing, may be recoverable only from a memory image.
Challenges and Limitations of Memory Forensics
1 Encrypted Data
Encrypted storage and communication channels pose challenges in accessing memory artifacts during a forensic investigation, although memory is also where encryption keys and decrypted plaintext must reside while in use, which is why acquiring RAM before a system is powered off is often the only way to recover them.
2 Data Remnants
Residual data in the form of deleted files and temporary memory spaces presents challenges in accurately reconstructing memory events: freed pages and partially overwritten structures yield fragments whose context must be re-established before they can be trusted.
3 Anti-Forensic Techniques
Perpetrators employ anti-forensic products and techniques to prevent or distort the retrieval of memory evidence during investigations, for example by unlinking processes from kernel lists or hooking the APIs that acquisition tools rely on.