MEMORY FORENSICS STEP BY STEP

Download
File
MEMORY-FORENSICS.zip

Dear reader,

What you have in front of you is a brand new edition of "Memory Forensics". Because our last edition covering Memory Forensics proved successful, we have decided to write about it once more, this time with different points of view, different experts and different problems. We believe that reading it will be both interesting and beneficial for all of you. This time we are giving you practical tips, interesting points of view and useful information, from a step by step guide to Memory Forensics to integrating digital forensics with archival science. All this to make you satisfied with what you see. We hope you will find this one special and that it broadens your digital horizons.


Check what you can find inside:

1. DEMYSTIFYING THE MEMORY ON YOUR COMPUTER by Amit Kumar Sharma

"Memory Forensics is an art of demystifying the questions that may have some traces left in the memory of a machine and thus involves the analysis of memory dumps of a machine that may be a part of the crime.
Earlier, the memory in question used to be only on hard disks or permanent storage, where attackers used to leave traces by mistake and forget to erase their footprints, but those days are gone and attacks have become more revolutionized as attackers try to keep everything in the volatile memory (RAM), thereby reducing the chances of being traced."

2. WHY YOU NEED TO PERFORM MEMORY FORENSICS by Matt Mercer

"Memory forensics has risen from obscure to obligatory over the last 20 or so years. If you aren't capturing (and analyzing) memory, then you are leaving crucial evidence behind. This article will provide an overview of memory forensics, and a walk-through of some basic techniques and tools. The principal focus will be a Windows environment and open-source or free tools to investigate user activity. So, put away your write-blockers and get ready!"

3. STEP BY STEP MEMORY FORENSICS by Boonlia Prince Komal

"In this article I have attempted to take you right from the dumping of memory to the complete analysis of it. I have attempted to include whatever I, as a forensics investigator, will do. I have focused only on Windows here.
At places it has not been possible to include each and every thing. At such places I have taken a few things in detail, a few things in brief and left others to be explored by the reader himself."

4. STEP BY STEP TO WORK WITH YOUR OWN MEMORY DUMPS by Javier Nieto Arevalo

"Currently the majority of us live an "Online Life" where every day new risks appear. In our personal life or in our business life (sometimes they are joined) we hear a lot of news about security problems. Some days we can experience these troubles in our computers or in our business networks. If your computer is alive and it is connected to the Internet, you are at risk of being attacked... You can bet you will be infected some day... Every week in the news you can check that huge companies like Google, Juniper, Adobe, and RSA enVision... have been hacked because an advanced persistent threat (APT) was installed in their systems and their information was stolen. At this moment it's essential to have a great team able to make a good forensics analysis in order to detect the modern malware, evaluate the damage, check out what data was stolen and learn about it in order to avoid the same problem or a similar one in the future."

5. MEMORY FORENSICS, ANALYSIS AND TECHNIQUES by Rafael Souza

"With the evolution of technological resources and the popularity of the Internet, it has become impractical to maintain only the traditional approach, due to the large volume of information to be analyzed and the growth of digital attacks. In this context, the analysis of data stored in volatile memory comes up with new techniques: it is necessary to check the processes that were running, established connections, or even access keys to encrypted volumes, without causing the loss of information sensitive to the investigation, thus allowing the recovery of important data for computer forensics."

6. EXTRACTING FORENSIC ARTIFACTS USING MEMORY FORENSICS by Monnappa K A

"Memory Forensics is the analysis of the memory image taken from the running computer. In this article, we will learn how to use Memory Forensic Toolkits such as Volatility to analyze the memory artifacts with practical real life forensics scenarios. Memory forensics plays an important role in investigations and incident response. It can help in extracting forensic artifacts from a computer's memory like running processes, network connections, loaded modules etc. It can also help in unpacking, rootkit detection and reverse engineering."

7. MEMORY FORENSICS: INTEGRATING DIGITAL FORENSICS WITH ARCHIVAL SCIENCE FOR TRUSTING RECORDS AND DATA by Luciana Duranti and Corinne Rogers

"This paper introduces areas of convergence between digital forensics and archival preservation activities in order to understand moments in which digital records as understood by archival science, and digital evidence as understood by digital forensics, may be identified, their authenticity assessed, their reliability and integrity managed and preserved. The paper shows how digital forensics can enhance archival science and practice, and how the integration of archival theory of records and archives can further develop digital forensics as a discipline and help it in accomplishing its purposes."

8. MEMORY FORENSICS VS PULLING THE PLUG by Kyriakos Loizou

"From right at the beginning of Computer Forensics a set of rules, methods and protocols were established and embedded deep into the law enforcement community. Traditionally a forensic examiner would enter the crime scene and, in compliance with a court warrant, he would seize a live computer system in order to deliver it back to the laboratory for an in depth analysis. This methodology, known as "pulling the plug" within the forensic community, was highly accepted and thought to be forensically sound and applicable in court.
This protocol was established in the attempt to preserve data found on the hard disk drive (HDD) from being overwritten, modified or deleted. It has been proven by experts in the field of forensics that even if the live system is left idling or a normal shutdown is attempted, it is highly likely that alteration to the data on the HDD will occur."

9. WINDOWS MEMORY FORENSICS & MEMORY ACQUISITION by Dr Craig S. Wright, GSE, GSM, LLM, MStat

"This article takes the reader through the process of imaging memory on a live Windows host. This is part one of a six part series and will introduce the reader to the topic before we go into the details of memory forensics. The first step in doing any memory forensics on a Windows host involves acquisition. If we do not have a sample of the memory image from a system we cannot analyze it. This sounds simple, but memory forensics is not like imaging an unmounted hard drive. Memory is powered and dynamic, and changes as we attempt to image it. This means it is not a repeatable process. Not that there is a requirement at all times for the results of a forensic process to provide the same output; in this it is not necessary to be able to repeat a process and obtain exactly the same results. It does not mean we cannot use a variable process in a forensic investigation. What it does mean is we have a set of steps that will allow us to image memory but that every time we do those the results will change."

July 30, 2021
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023