Memory forensics is a vital form of cyber investigation that allows an investigator to identify unauthorized and anomalous activity on a target computer or server. This is usually achieved by running special software that captures the current state of the system’s memory as a snapshot file, also known as a memory dump. This file can then be taken offsite and searched by the investigator.
This is useful because of the way in which processes, files and programs are run in memory, and once a snapshot has been captured, many important facts can be ascertained by the investigator, such as:
Already we can see how much this information can help an investigator as they seek out system anomalies, and by being able to capture the volatile information inside the system’s memory, they are able to create a permanent record of the system’s state as it was.
This means that suspicious programs such as computer viruses and malware can be tracked down in a lab environment and traced back to the source if possible. This is vital in instances where malware leaves no trace of its activity on a target system’s hard drive, making memory forensics especially important as a means to identify such activity.
We offer an excellent introduction to computer forensics with our computer forensics boot camp course, and we highly recommend it as your starting point for pursuing your CCFE certification. More information can be found here https://www.infosecinstitute.com/courses/computer-forensics-boot-camp.
Memory forensics can be thought of as a current snapshot of a system that gives investigators a near real time image of the system while in use. Hard drive forensics is normally focused on data recovery and decryption, usually made from an image of the drive in question.
One can think of memory forensics as a live response to a current threat, while hard drive forensics can be seen as more of a post mortem of events that have already transpired. Memory forensics is time sensitive, as the information that is required is stored in volatile system memory, and if the system is restarted or powered off, then that information is flushed from system memory. Hard drives, on the other hand, are a non-volatile form of computer storage. There are some volatile elements to hard drives, such as cache and buffer stores, so this also needs to be taken into account by the forensic investigator.
Depending on the nature of the investigation, either technique can be used to gain further information about the system in question. Likewise, both methods can be used on the same system if necessary, and investigators will have to use their discretion and select the appropriate action where necessary.
The angle of investigation that you take during this acquisition phase will depend mostly on the scenario that you are presented with and the requirements of the case. This depends largely on the operating system that your host is running, or what the perceived issue is that needs to be investigated at the time of the incident. How you go about capturing the image also depends on what you are trying to establish through your investigative process, and what it is that you are trying to prove or disprove.
Generally your investigation will focus on the activities of the user on the system, or evidence that proves that the system in question has been compromised. Sometimes even encryption keys and passwords can be uncovered if they are part of the evidentiary requirements of your case. There must be a clear understanding of what needs to be established on the target system, and how it can help to advance your investigation.
Forensic investigators are highly skilled and can identify activity on a system that should not be present, allowing them to prove that a system has been compromised. It allows them to identify rootkits and malware, to find unusual processes, and reveal covert communication, which can shed light on what is happening currently in a target system.
Here are some examples of acquisition formats that are used in memory forensics. There are many different memory acquisition types, but these are five of the most common methods and formats that are used today:
Once you have acquired your data, you can begin the process of examining the system, and any suspicious activities will then be uncovered as you proceed. Data carving is a commonly used approach, and depending on the desired outcomes of your particular case, there are many other approaches that can be looked at as well. Below is a list of some commonly used tools in the field that allow for these different approaches to be utilized.
There are both free and commercial products available on the market, and many forensics investigators will have their own personal preferences. Some investigators may find that they need to use commercial products only, however many professionals will use a wide array of both free and paid tools to get the job done. Here are some examples:
Once you have captured the data that you need, you can start to examine it, while trying to find meaningful information on the target PC that you are interrogating.
There are many avenues for an investigator to take when it comes to analyzing a target system, so many in fact that there are entire book series’ that are dedicated to the subject. We will instead take a look at some common approaches that can be used by an investigator when trying to glean more information via memory forensics.
Once the findings have been made, the investigator can work with his or her team to establish if there are any other sources of information that need to be looked at further, and if any additional techniques need to be applied to the target machine or data set.
Computer Forensics Training
Memory forensics is a crucial skill for first responders and investigators alike, as it allows for the quick and complete capturing of live system data for later scrutiny. And while this is a very important skill to learn, it is just one of the tools that you will be taught when enrolling in one of the many forensic training courses that are offered in the CCFE.
The skills learned in the CCFE are critical for anybody seeking to certify their knowledge, or to learn from scratch as a student in the field of computer forensics. There are so many reasons to take this course, and thanks to our boot camp, getting started has never been easier. For those that are interested in reading further on the topic of Memory Forensics, please take a look at some of our articles below.
http://resources.infosecinstitute.com/memory-forensics-power-introduction/
http://resources.infosecinstitute.com/memory-forensics/
http://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/
For those that are interested in taking any of the mentioned courses in this article, please take a look at https://go.pardot.com/l/12882/2017-05-03/34fy1j?_ga=2.196867436.1955680880.1497708508-1413026610.1497708508 for our pricing, and if you have any queries please feel free to contact us here and we will be happy to assist you further.
