Computer Forensics: Memory Forensics
What is Memory Forensics?
Memory forensics is a vital form of cyber investigation that allows an investigator to identify unauthorized and anomalous activity on a target computer or server. This is usually achieved by running special software that captures the current state of the system’s memory as a snapshot file, also known as a memory dump. This file can then be taken offsite and searched by the investigator.
This is useful because of the way in which processes, files and programs are run in memory, and once a snapshot has been captured, many important facts can be ascertained by the investigator, such as:
- Processes running
- Executable files that are running
- Open ports, IP addresses and other networking information
- Users that are logged into the system, and from where
- Files that are open and by whom
Already we can see how much this information can help an investigator as they seek out system anomalies, and by being able to capture the volatile information inside the system’s memory, they are able to create a permanent record of the system’s state as it was.
This means that suspicious programs such as computer viruses and malware can be tracked down in a lab environment and traced back to the source if possible. This is vital in instances where malware leaves no trace of its activity on a target system’s hard drive, making memory forensics especially important as a means to identify such activity.
We offer an excellent introduction to computer forensics with our computer forensics boot camp course, and we highly recommend it as your starting point for pursuing your CCFE certification. More information can be found here https://www.infosecinstitute.com/courses/computer-forensics-boot-camp.
How is Memory Forensics Different from Hard Drive Forensics?
Memory forensics can be thought of as a current snapshot of a system that gives investigators a near real time image of the system while in use. Hard drive forensics is normally focused on data recovery and decryption, usually made from an image of the drive in question.
One can think of memory forensics as a live response to a current threat, while hard drive forensics can be seen as more of a post mortem of events that have already transpired. Memory forensics is time sensitive, as the information that is required is stored in volatile system memory, and if the system is restarted or powered off, then that information is flushed from system memory. Hard drives, on the other hand, are a non-volatile form of computer storage. There are some volatile elements to hard drives, such as cache and buffer stores, so this also needs to be taken into account by the forensic investigator.
Depending on the nature of the investigation, either technique can be used to gain further information about the system in question. Likewise, both methods can be used on the same system if necessary, and investigators will have to use their discretion and select the appropriate action where necessary.
Memory Forensics: Acquisition Methods
The angle of investigation that you take during this acquisition phase will depend mostly on the scenario that you are presented with and the requirements of the case. This depends largely on the operating system that your host is running, or what the perceived issue is that needs to be investigated at the time of the incident. How you go about capturing the image also depends on what you are trying to establish through your investigative process, and what it is that you are trying to prove or disprove.
Generally your investigation will focus on the activities of the user on the system, or evidence that proves that the system in question has been compromised. Sometimes even encryption keys and passwords can be uncovered if they are part of the evidentiary requirements of your case. There must be a clear understanding of what needs to be established on the target system, and how it can help to advance your investigation.
Forensic investigators are highly skilled and can identify activity on a system that should not be present, allowing them to prove that a system has been compromised. It allows them to identify rootkits and malware, to find unusual processes, and reveal covert communication, which can shed light on what is happening currently in a target system.
Here are some examples of acquisition formats that are used in memory forensics. There are many different memory acquisition types, but these are five of the most common methods and formats that are used today:
- RAW Format – Extracted from a live environment
- Crash Dump – Information gathered by the operating system
- Hibernation File – A saved snapshot that your operating system can return to after hibernating
- Page File – This is a file that stores similar information that is stored in your system RAM
- VMWare Snapshot – This is a snapshot of a virtual machine, which saves its state as it was at the exact moment that the snapshot was generated
Once you have acquired your data, you can begin the process of examining the system, and any suspicious activities will then be uncovered as you proceed. Data carving is a commonly used approach, and depending on the desired outcomes of your particular case, there are many other approaches that can be looked at as well. Below is a list of some commonly used tools in the field that allow for these different approaches to be utilized.
The Best Memory Forensic Tools on the Market
There are both free and commercial products available on the market, and many forensics investigators will have their own personal preferences. Some investigators may find that they need to use commercial products only, however many professionals will use a wide array of both free and paid tools to get the job done. Here are some examples:
- Volatility Suite: This is an open source suite of programs for analyzing RAM, and has support for Windows, Linux and Mac operating systems. It can analyze RAW, Crash, VMWare, and Virtualbox dumps with no issues.
- Rekall: This is an end-to-end solution for incident responders and investigators, and features both acquisition and analysis tools. It can be thought of as more of a forensic framework suite than just a single application.
- Helix ISO: This is a bootable live CD as well as a standalone application that makes it very easy for you to capture a memory dump or memory image of a system. There are some risks associated with running this directly on a target system, namely an acquisition footprint, so make sure that it fits your requirements.
- Belkasoft RAM Capturer: This is another forensic tool that allows for the volatile section of system memory to be captured to a file. First responders will find that the functionality and wide range of tools available in this software package will allow for their investigations to start off as quickly as possible.
- Process Hacker: This is an open source process monitoring application that is very useful to run while the target machine is in use. It will give the investigator a better understanding of what is currently affecting the system before the memory snapshot is taken, and can go a long way to help uncover any malicious processes, or even help to identify what processes have been terminated within a set period of time.
Once you have captured the data that you need, you can start to examine it, while trying to find meaningful information on the target PC that you are interrogating.
Memory Forensics: Examining Your Captured Data
There are many avenues for an investigator to take when it comes to analyzing a target system, so many in fact that there are entire book series’ that are dedicated to the subject. We will instead take a look at some common approaches that can be used by an investigator when trying to glean more information via memory forensics.
- Open Files Associated With Process: This is an extremely useful approach, as it shows which files are open by a suspicious process on the target system. Malware can often be identified just by the location of the associated files that are open, and knowing where these files are located is also beneficial to the overall investigation, especially if these files are storing logs of user inputs via the keyboard. This would mean that the user’s passwords could have been inadvertently divulged to the malware authors that created the software. This will help to strengthen the case that the investigator is building.
- Decoded Applications in Memory: Sometimes, the author of the malware that is present on the target system will be encrypted, making it impossible for anyone but the perpetrator to successfully make use of the data that it has been collecting. However, sometimes a decrypted version of the application can be caught in the memory snapshot, which allows the investigator to more accurately examine the application’s activities. The investigator might even be able to identify the hash or cipher that was used for the encryption, thus allowing them to read previously inaccessible data associated with the malware instance on the target machine.
- Timestamp Comparison: In some instances, malware can interfere with the target host’s timestamps on the system files, making them appear to be untouched by the infection. This is known as time stomping, and can seriously inhibit an investigator’s ability to discover when the infection first occurred. By capturing the memory dump, investigators can compare the process time stamps to the system file timestamps to establish when the system was first compromised. Once a date and time has been established, records such as emails and browser history can be looked at to help identify the possible cause of the infection by finding any correlations in time and date between the process timestamps and the application time frames.
- Network Information: Once the infected processes have been identified, then the specific network communications surrounding the infection can be further dissected. This can reveal a virtual treasure trove of information, such as:
- Source IP Addresses such as where the malware instance is reporting back to
- Compromised ports on the host machine
- The frequency at which the malware was communicating over the network
- Understanding how the infection spreads itself over the network
- User Activity: By looking at the information that was acquired during all of the previous steps, the forensic investigator can start to piece together a fairly accurate series of events that led to the main incident. This can be determined via the system log files that were captured earlier, and can help to ascertain to what extent, if any, that a user on site may have been involved. Remote unauthorized access can also be detected, which can help with determining the extent to which the network protocols of the organization have been compromised.
Once the findings have been made, the investigator can work with his or her team to establish if there are any other sources of information that need to be looked at further, and if any additional techniques need to be applied to the target machine or data set.
Memory forensics is a crucial skill for first responders and investigators alike, as it allows for the quick and complete capturing of live system data for later scrutiny. And while this is a very important skill to learn, it is just one of the tools that you will be taught when enrolling in one of the many forensic training courses that are offered in the CCFE.
The skills learned in the CCFE are critical for anybody seeking to certify their knowledge, or to learn from scratch as a student in the field of computer forensics. There are so many reasons to take this course, and thanks to our boot camp, getting started has never been easier. For those that are interested in reading further on the topic of Memory Forensics, please take a look at some of our articles below.