Notes - MCS
Computer Systems Forensic Analysis
RAM Analysis

Memory Acquisition

Last updated 1 year ago

Preservation

Memory acquisition (also known as dumping, capturing, or sampling):

  • copy the contents of the volatile memory to a non-volatile storage.

  • an important source to get a better understanding of what happened.

  • decision must be made about which data to collect and the best method for doing so:

    • methods and tools depend on the goals of the investigation and the characteristics of the system.

    • choosing a proper tool is important to avoid corrupt memory images, destroyed evidence, and limited, if any, analysis capabilities.

Software-based memory acquisition

Decisions to make:

  • remote or local – do you have physical access to the target system? Is it a server with no keyboard or monitor attached?

  • cost – do you have budget restrictions on the acquisition software you can buy?

  • file format – does your analysis tool support the file format of the acquisition tool?

  • CLI or GUI – do you prefer command-line or graphical user interface tools? A CLI tool usually has a smaller footprint, and a graphical environment might not even be available on the target at acquisition time.

  • interrogation – do you need a full physical memory dump, or just the ability to determine the running processes and network connections?

Risks

Before you acquire physical memory, you should always consider the risks.

  • most OSs do not provide a supported native mechanism for acquiring physical memory.

  • memory acquisition tools might leave the system unstable.

  • poorly written malware can be unstable and may behave unpredictably.

  • is the target a mission-critical system that can be shut down or rebooted only in extreme circumstances?

There might be circumstances in which the possible consequences of destabilizing a system (e.g., death, environmental damage) are never worth the risk.

Why can memory acquisition lead to system instability and evidence corruption?

  • atomicity – memory acquisition is not an atomic operation and the contents of RAM are constantly changing. During acquisition, other processes are writing memory, the kernel is adding/removing linked-list elements, network connections are being initiated or torn down, and so on.

  • cache coherency – processors were not designed to accommodate the simultaneous mapping of the same physical address with multiple cache attributes (non-cached, cached, write-combined). A poorly written acquisition tool can easily invalidate the very memory being acquired.

  • device memory – there are physical memory regions reserved for use by the firmware, by the ISA or PCI buses, or by various motherboard devices. Reading from one of these regions may alter the state of the device you are accessing.

    • few tools can acquire these regions with reliability and accuracy.

When to acquire memory

Choosing the proper time depends on several factors.

List of suggestions:

  • plan the acquisition when the suspect is online (or at least logged in), which can give you access to:

    • the suspect’s login session and information about cloud services or remote storage;

    • any encrypted documents that the suspect might have been viewing.

  • avoid the most active periods:

    • so that the suspect doesn’t detect your activity.

    • to minimize the number of anomalies you encounter when you analyze the evidence.

How to acquire memory

Local acquisition to removable media:

  • never dump memory to the target system’s local drives, such as the C: partition.

  • dump memory to an external USB, eSATA, or FireWire drive instead.

  • the file system of the external drive must support file sizes equal to the amount of RAM (FAT32 has a limit of 4 GB).

  • advice:

    • removable media should be used only on one computer to avoid spreading malware.

    • wipe removable media before using (or re-using) it to acquire evidence.

    • do not plug possibly infected removable media directly into your forensic workstation; inspect it on another computer, then copy the evidence over an isolated network.
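The rules above for local acquisition (never write to the target's own drives, the destination file system must hold a file as large as RAM, enough free space) can be checked before the dump tool is started. The following pre-flight check is an added example written for these notes, not part of any acquisition tool; `check_dest` and its arguments are hypothetical names, and the sample values are constructed.

```shell
#!/bin/sh
# Pre-flight check before dumping memory to removable media.
# Encodes the notes' rules: refuse the target's own disks, refuse FAT32 when
# RAM exceeds its largest file size, and require free space >= RAM size.
# Hypothetical helper written for this example, not from any forensic tool.

FAT32_MAX_FILE=4294967295   # largest file FAT32 can store (4 GiB - 1 byte)

# check_dest FSTYPE RAM_BYTES FREE_BYTES DEST_DEV "SYSTEM_DEVS"
#   SYSTEM_DEVS: space-separated internal block devices of the target
#   (e.g. "/dev/sda /dev/nvme0n1"); DEST_DEV: device under the destination
#   mount. Prints the reason and returns 1 on the first violated rule.
check_dest() {
    fstype=$1; ram=$2; free=$3; dest_dev=$4; system_devs=$5
    # Rule 1: the destination must not be a local drive (or a partition of
    # one) of the system being acquired.
    for d in $system_devs; do
        case "$dest_dev" in
            "$d"|"$d"[0-9]*|"$d"p[0-9]*)
                echo "refuse: $dest_dev is a local drive of the target ($d)"
                return 1 ;;
        esac
    done
    # Rule 2: FAT32 cannot hold a single file larger than 4 GiB - 1 byte.
    case "$fstype" in
        vfat|fat32|msdos)
            if [ "$ram" -gt "$FAT32_MAX_FILE" ]; then
                echo "refuse: FAT32 cannot hold a ${ram}-byte dump (limit $FAT32_MAX_FILE)"
                return 1
            fi ;;
    esac
    # Rule 3: the full physical memory image must fit on the media.
    if [ "$free" -lt "$ram" ]; then
        echo "refuse: only $free bytes free, need $ram"
        return 1
    fi
    echo "ok: $dest_dev ($fstype) can receive a ${ram}-byte dump"
    return 0
}

# On a live Linux target the real values would be read with, for example:
#   ram=$(awk '/MemTotal/ {print $2 * 1024}' /proc/meminfo)
#   fstype=$(findmnt -no FSTYPE "$dest_mount")
# Constructed sample: 16 GiB of RAM, a 60 GiB FAT32 stick on /dev/sdb1.
check_dest vfat 17179869184 64424509440 /dev/sdb1 "/dev/sda /dev/nvme0n1" || true
```

The constructed sample is refused on the FAT32 rule; reformatting the stick as exFAT or ext4 (and passing that type) makes the same call succeed.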

Runtime interrogation:

  • use automated tools that log all the performed steps.

Remote acquisition:

  • typically, the acquisition tool is pushed over the network to the target system.

  • the tool can run through a scheduled task or service.

  • the dump can be stored on a network share (last resort) or streamed over the network with Netcat, but this method has risks:

    • administrator credentials and the contents of the target system’s RAM may be exposed.

    • create a temporary admin account and use an encrypted channel with a tool that supports TLS.

    • configure the firewall to limit the traffic between the target and the remote acquisition system.

  • the use of compression is recommended.

[Figure: Memory acquisition decision tree]
[Figure: Physical memory layout]