COL Memory Forensics - Unit 2

Memory forensics is crucial for forensic investigations as it enables the detection of malicious code hidden in volatile memory, which traditional methods may miss. Investigators must carefully capture data from live systems to preserve evidence dynamics while using tools like FTK for data acquisition. Two primary methods for data acquisition are hardware-based, which is more reliable but costly, and software-based, which is more accessible but may alter memory contents.

Uploaded by oyenkafaith538

Unit 2: MEMORY FORENSICS

1. MEMORY FORENSICS

Computer memory holds many data items that are relevant to a forensic investigation. In volatile
memory, data are allocated and de-allocated dynamically and are not structured the way they are in
file systems, so it is usually impossible for the investigator to predict exactly where a given item
is stored. Attackers may hide data in memory by means of memory injection, or by means of malicious
code such as viruses and worms that reside only in memory and never on the hard disk, so that
anti-virus software does not detect them. Analyzing the hard disk with traditional forensic methods
will not reveal malicious code that the attacker has placed only in memory. Memory forensics is one
method of investigation that can help forensic investigators detect such code.

1.1. SEARCHING MEMORY FOR EVIDENCE

Attackers know about a weakness in the forensic examiner's approach to seizing computers: data held
in volatile memory (RAM) is lost when the system is shut down. Many attacker techniques, such as DLL
injection and hooking, execute code only in memory without touching the hard drive or other
non-volatile storage media. Because a forensic examiner who interacts with a live system touches
system files on the hard disk, and this may alter file time stamps, the usual recommendation is not
to interact with a live system at all, so that the time stamps of system files remain accurate. In
many cases, however, investigators must break this rule in order to capture live data from memory.

Shadow Walker is a rootkit that runs in memory and leaves no trace on the system. It hides its
presence by creating fake views of system memory: detection tools are led to believe that they are
accurately reading memory when they are not. The rootkit does not alter the flow of program
execution or the data structures in memory; instead, all programs receive an inaccurate mapping of
memory, a technique known as memory cloaking. The aim of memory cloaking is to hide the rootkit's
own code or other related modules. Normal utilities therefore fail to identify the rootkit; memory
forensics is one method that can.

1.2. LIVE RESPONSE

Live response is the practice of interacting with a live system to collect information about changes
that have occurred, possibly because of the passage of time, running processes, data being saved and
deleted, network connections timing out, and so on. Running a program causes information to be
loaded into physical memory that may also be used by other programs at the same time. Changes that
occur on a system while the system itself apparently sits idle are referred to as evidence dynamics.

Live response addresses the immediate, active threat. Often the details of the live threat are
unknown, so the first step is to identify and quantify it. Using live-response memory analysis
techniques, investigators can retrieve a process listing showing which processes are running and
then identify the suspicious ones. Once a suspicious process has been identified, a sample of its
code is pulled from running memory and analysed. Code pulled from volatile memory requires no
special processing, because at that point it is unencrypted and unpacked.

1.3. DATA ACQUISITION FROM MEMORY

Forensic investigators should collect data from volatile memory (RAM) before making any change that
could result from interacting with the system during the investigation. The software tools used for
the investigation themselves cause changes in volatile memory: when a tool is run it is loaded into
memory, overwriting whatever was there. There are many tools for capturing data from memory; one of
the commonly used tools is FTK (Forensic Tool Kit).

Steps:
1. Download FTK and install FTK Imager.
2. Click on the File menu and then select Capture Memory.
3. This opens the memory capture window. (Screenshot not reproduced here.)

A further window shows the progress of the capture. (Screenshot not reproduced here.)

While performing memory forensics, several kinds of data have to be collected to obtain an accurate
result: system time, network information, network connections, network status, memory processes,
logged-on users, open files, command history, share history, mapped drives and clipboard content.
Table 2.1 lists each item and how it is collected.

Table 2.1: Useful Data for Memory Forensics

System Time: System time is the first item collected, so that an accurate timeline of the events that
have occurred on the system can be built. It gives the actual time at which events occurred, as
recorded in the log files. It is important to combine time stamps from more than one source.

System Information: time zone, installed software, general system information, operating system
version, uptime, file-system information.

Logged-on users: [Link] is one of the best tools for showing the names of users logged on locally as
well as users who are logged on remotely.

Net Sessions: The net session command is native to Windows and is used to see the user name used to
access the system through a remote login session, the IP address, and the type of client accessing
the system.

LogonSessions: [Link] is a tool that lists all the active logon sessions on a system. It will not
show users that are logged on via a backdoor.

Open Files: [Link] and [Link] are net file commands used to see files opened on a system through a
remote connection. The PsFile command shows a list of files on a system that are opened remotely,
and it also allows you to close an opened file either by name or by file identifier.

Network Connection: Traceroute (the tracert command) is a Command Prompt command that shows details
about the path a data packet takes from the computer or device you are on to whatever destination
you specify. The arp command lists computers that are, or have recently been, connected to the
system. The ipconfig command displays information about the network state and the MAC address of the
computer. (Screenshots of tracert, arp and ipconfig output are not reproduced here.)

netstat: netstat displays the active computer connections. Investigators can obtain the list of
protocols running and open ports.

Process Information: There are several different types of processes running in the volatile memory
of a computer. All currently running processes may be recovered from the data structures that house
them. Terminated processes may still reside in memory if the computer has not been rebooted since
and the memory space has not yet been reallocated. The [Link] or [Link] command displays information
about running processes.

Capturing processes: The [Link] command provides basic information about running processes on a
computer system, including the amount of time each process has been running. The [Link] command
shows the modules or DLLs a process is using. It shows the full path to the image of the loaded
module as well as whether the version of the DLL loaded in memory differs from that of the on-disk
image.

Clipboard content: Data (user names, passwords, text, etc.) that has been copied or cut stays in the
clipboard until it is replaced by different content. The [Link] command retrieves the contents of
the clipboard.

Command history: The doskey /history command shows the history of the commands previously typed at
the command prompt.

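As an added example (my code, not part of the course notes and not FTK's), the following Python script puts Table 2.1 into practice. It runs the native Windows commands from the table in the order the table recommends, with system time recorded first, and hashes every output so the collection can be verified later; systeminfo and query user are my assumed stand-ins for the tool names the notes leave as [Link] placeholders. It then parses constructed netstat -ano and tasklist output and correlates the two by PID, which is the live-response step from Section 1.2 of picking suspicious processes out of the listing. Only the parsing and correlation run on a non-Windows machine.

```python
"""Added example (not from the course notes): run the Table 2.1 commands in
order on a live Windows host, hash each output, then correlate netstat -ano with
tasklist to surface processes holding connections to non-internal addresses."""
import hashlib
import ipaddress
import platform
import re
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Ordered plan, system time first as Table 2.1 advises. Native Windows tools;
# "systeminfo" and "query user" are my substitutes (assumption) for the tool
# names the notes leave as placeholders.
ACQUISITION_PLAN = [
    ("system_info", ["systeminfo"]), ("logged_on_users", ["query", "user"]),
    ("net_sessions", ["net", "session"]), ("open_files", ["net", "file"]),
    ("arp_cache", ["arp", "-a"]), ("ipconfig", ["ipconfig", "/all"]),
    ("netstat", ["netstat", "-ano"]), ("tasklist", ["tasklist"]),
    ("loaded_modules", ["tasklist", "/m"]),
    ("clipboard", ["powershell", "-NoProfile", "-Command", "Get-Clipboard"]),
]

def collect(outdir: Path) -> dict:
    """Write each artefact to outdir (removable media, not the suspect disk)
    and return {name: sha256} so the collection can be verified later."""
    if platform.system() != "Windows":
        raise RuntimeError("the acquisition plan uses Windows-native commands")
    outdir.mkdir(parents=True, exist_ok=True)
    hashes = {}
    for name, cmd in [("system_time", None)] + ACQUISITION_PLAN:
        text = (datetime.now(timezone.utc).isoformat() if cmd is None
                else subprocess.run(cmd, capture_output=True, text=True).stdout)
        data = text.encode("utf-8", "replace")
        (outdir / f"{name}.txt").write_bytes(data)
        hashes[name] = hashlib.sha256(data).hexdigest()
    return hashes

# netstat -ano row: proto, local, foreign, optional state (absent for UDP), PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# tasklist row: image name (may contain spaces), PID, session name, session#, memory.
TASKLIST_LINE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
# RFC 1918, loopback, link-local and unspecified ranges are treated as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7", "::/128")]

def parse_netstat(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote, "state": state or "", "pid": int(pid)})
    return rows

def parse_tasklist(text: str) -> dict:
    """Map PID -> image name."""
    return {int(m.group(2)): m.group(1).strip()
            for m in map(TASKLIST_LINE.match, text.splitlines()) if m}

def is_internal(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # "*", host names or malformed input: do not flag
        return True
    return any(ip in net for net in INTERNAL_NETS)

def external_connections(netstat_text: str, tasklist_text: str) -> list:
    """(pid, image, remote) for established connections to non-internal hosts.
    A PID absent from tasklist is itself worth a look: the process may be hidden
    from the listing, or terminated while its memory still holds the connection."""
    images = parse_tasklist(tasklist_text)
    flagged = []
    for c in parse_netstat(netstat_text):
        host, _, port = c["remote"].rpartition(":")
        if c["state"] == "ESTABLISHED" and not is_internal(host.strip("[]")):
            flagged.append((c["pid"], images.get(c["pid"], "<not in tasklist>"), f"{host}:{port}"))
    return flagged

# Constructed sample output; 203.0.113.7 and 198.51.100.20 are documentation
# addresses standing in for external hosts.
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:49712      203.0.113.7:4444       ESTABLISHED     4588
  TCP    192.168.1.5:49720      192.168.1.9:445        ESTABLISHED     4
  TCP    192.168.1.5:49801      198.51.100.20:443      ESTABLISHED     3344
  UDP    0.0.0.0:500            *:*                                    2140
"""
SAMPLE_TASKLIST = """Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0      1,204 K
svchost.exe                    912 Services                   0     12,344 K
updater.exe                   4588 Console                    1      4,512 K
"""

if __name__ == "__main__":
    for pid, image, remote in external_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"PID {pid:<5} {image:<18} -> {remote}")
```

Saved as, say, live_response.py, running it prints the two flagged connections from the constructed sample; on a Windows host, call collect(Path("E:/case-0001")) with the path of the removable media (a hypothetical path). The doskey /history command from the table is deliberately not in the plan: it only lists the commands typed in the cmd.exe session it is run from, so it has to be issued inside the suspect's existing console rather than from a new process.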
3.1.1. Data Acquisition Methods

Passwords and cryptographic keys: memory may yield user passwords and the keys used to decrypt
files and access user accounts; on disk, these passwords and keys are normally stored with stronger
protection. Unencrypted content: an encrypted file may be recovered without its password or
cryptographic key while the file is open, because an opened file is decrypted and loaded into
volatile memory.

There are two methods of data acquisition: hardware-based acquisition and software-based
acquisition. From a forensic perspective it is better to use hardware-based acquisition, since it
is more reliable and harder for an attacker to corrupt. Hardware-based acquisition suspends the
processor and uses direct memory access (DMA) to obtain a copy of memory. It is more reliable
because even if the operating system and software have been compromised or corrupted by an
attacker, an accurate image of volatile memory is still obtained. Hardware-based acquisition is,
however, costly, whereas software-based acquisition is more popular because it is more
cost-effective and readily available.

[Link]. Hardware-Based Acquisition

For hardware-based acquisition, a PCI card is plugged into the computer system and a copy of memory
is transferred to an external storage device. The card is installed in a PCI bus slot before an
incident occurs and remains disabled until a physical switch on the back of the system is pressed.
The card cannot easily be detected by an attacker, and the acquisition procedure does not rely on
untrusted resources: a disabled card normally does not respond to bus queries from the host system,
and only when the device is enabled does it become a visible connection on the PCI bus. It is
typically installed in a client's critical servers. When an attack on the system is suspected, the
administrator presses the physical switch, and the system state is saved by retrieving and storing
the current memory image and processor registers. The card is then ejected from the system and sent
to the forensic lab for detailed analysis.

[Link]. Software-Based Acquisition

Software-based acquisition is usually carried out by forensic examiners using a trusted toolkit;
special forensic CDs or pen drives are used to run the software commands. This method can also
collect volatile memory content using tools built into the operating system. The drawbacks of
software-based acquisition are that it may alter the contents of memory and potentially overwrite
data relevant to the investigation.
