Different Approaches to Memory Forensics

Dear Readers,

This month we would like to show you different approaches in analysing volatile data in a computer's memory dump.

This edition contains papers that will show you how to perform a memory dump using various tools and analyse the dump using volatility. All have taken different approaches and are quite unique. If you are interested in the topic of memory forensics, don’t hesitate to get this publication. It opens up with Joseph Moronwi’s write-up “Analysing Volatile Evidence in WindowsOS: A command line approach”. Then we go with “Belkasoft RAM Capture & Volatility Memory Forensics”. In this article, we will learn how the evidence is extracted from the identified volatile memory sources such as RAM (Random Access Memory). Maciej Makowski will show you a set of volatile memory capture tools and focus on RAM acquisition for Windows operating systems. Divya Lakshmanan prepared for you “One of the Many Approaches to Memory Forensics on Windows”, discussing how memory can be captured from a Windows 10 system using Dumpit.exe and how the acquired memory image can be analysed using Volatility. And that’s not all related to this topic.

But moving away from the subject of memory forensics...there are papers on drones, OSINT, WhatsApp, and LLMNR and NBT-NS poisoning attack.

Thanks to all authors, reviewers, and proofreaders for participating in this project.

Have a nice read!

Regards,

Dominika Zdrodowska

and the eForensics Magazine Editorial Team

---

Buy this issue

 Download free magazine preview

---

TABLE OF CONTENTS

---

Analysing Volatile Evidence in WindowsOS: A command line approach 

by Joseph Moronwi

Data is considered volatile if it will be lost when a device is turned off or rebooted. Please note that such data will also get overwritten during normal computing device use (e.g., when closing a specific application on a PC, the reserved data space will disappear from RAM memory, allowing other applications to use its space for operation).

Belkasoft RAM Capture & Volatility Memory Forensics

by Sudharshan Kumar

Forensic analysis is essentially the process of gathering evidence, indicators, clues and other parameters from a crime scene (physical, digital, organized or unorganized crime) that helps in the attribution of the person or entity that has been insidiously involved in the crime. As a matter of fact, forensics is always the reactive approach that helps determine the cause and threat actors behind an attack. In digital forensics, the major sources of evidence are the digital resources such as magnetic tapes, hard drives, RAM memory in a computer, server, smartphone, memory sticks, etc. Any forensic analysis fundamentally involves four steps – Identification, Collection, Preservation & Further Analysis.

In this article, we will learn how the evidence is extracted from the identified volatile memory sources such as RAM (Random Access Memory).

Volatile Memory Capture Tools - An Overview

By Maciej Makowski

This article will focus on RAM acquisition for Windows operating systems.

One of the Many Approaches to Memory Forensics on Windows

by Divya Lakshmanan

This article will discuss how memory can be captured from a Windows 10 system using Dumpit.exe and how the acquired memory image can be analysed using Volatility.

Memory Analysis Lab

by Phalgun Kulkarni 

Memory analysis for volatile memory such as RAM can reveal a wealth of information regarding the applications run, any malware present or malicious application that may be running, to which process it has been attached, information regarding the processor and the network connections, as well as who connected with the host and for what purpose.

As such memory is volatile, it can be overwritten, even remotely, and can be lost after any power loss.

Introduction to memory forensics using Autopsy

By Anudeep Nayakoti

Technology advanced with extreme progressive jumps and similarly advancement in cybercrime technology increased as well. It has become increasingly difficult for experts to mitigate cybercrime. There are numerous ways and tools to investigate these crimes. This article primarily focuses on memory forensics. This paper also explores Autopsy, an open-source tool to analyze a local drive.

Drone forensic analysis: Correlating a drone to a mobile device

by Carlos Manzo Trujillo

Drones or UAVs (Unmanned aerial vehicles) are among the major growing technologies that have many beneficial applications, yet they can also pose a significant threat. Several incidents occurred with drones violating the privacy of the public and the security of sensitive facilities, including several nuclear power plants in France [1]. The threat of drones to the security of nuclear facilities is of great importance not only for governments but in general to all of us. We analyse the forensically sound open source tool DRone Open source Parser (DROP)[2] that parses proprietary DAT files extracted from the drone's nonvolatile internal storage. These DAT files are encrypted and encoded. The work also shares preliminary findings on TXT files, which are also proprietary, encrypted, encoded, files found on the mobile device controlling the drone. These files provided a slew of data such as GPS locations, battery, flight time, etc. By extracting data from the controlling mobile device, and the drone, we were able to correlate data and link the user to a specific device based on extracted metadata. Furthermore, results showed that the best mechanism to forensically acquire data from the tested drone is to manually extract the SD card by disassembling the drone.

Beginner’s Guide to People Search

By Lohitya Pushkar

Open Source Intelligence is a process of gathering intelligence on anything and anyone via the information available for free in the public domain. A pool of various methods and techniques used to gather data are now available and people are creating and sharing new tools and techniques for the same. In this article, I will talk about people search, which is just one part of many parts of OSINT.

LLMNR and NBT-NS poisoning attack

by Matheus Fernandes and Filipi Pires

Do you know how it’s possible for an attacker to capture usernames and passwords on a local network by simply waiting for the computers to willingly give them up? Have you heard of LLMNR and NBT-NS poisoning? This is one of the most common attacks, it is usually one of the first attack vectors used to obtain credentials since internal security has already been compromised. In the next topics, we will cover the attack in more detail, providing real evidence produced in our laboratory as well as methods for protecting it.

Introduction to Whatsapp Forensic Analysis on Android

by Daniele Giomo

WhatsApp is one of the most used instant messaging applications, both in Android and iOS systems. To carry out a forensic analysis on this application, it is necessary to first carry out a physical dump of the entire file system of the device (therefore, a logical or physical acquisition of the smartphone being analyzed).