eForensics Magazine 2020/08: Different Approaches to Memory Forensics (Preview, Updated)
This month we would like to show you different approaches to analysing the volatile data held in a computer's memory dump.
This edition contains papers that show you how to capture a memory dump with various tools and how to analyse the dump with Volatility. Each author has taken a different approach, and each is quite unique. If you are interested in memory forensics, don't hesitate to get this publication. It opens with Joseph Moronwi's write-up "Analysing Volatile Evidence in WindowsOS: A command line approach". Next comes "Belkasoft RAM Capture & Volatility Memory Forensics", in which we learn how evidence is extracted from identified volatile memory sources such as RAM (Random Access Memory). Maciej Makowski then presents a set of volatile memory capture tools, focusing on RAM acquisition for Windows operating systems. Divya Lakshmanan has prepared "One of the Many Approaches to Memory Forensics on Windows", discussing how memory can be captured from a Windows 10 system using Dumpit.exe and how the acquired memory image can be analysed using Volatility. And that is not all we have on this topic.
Moving away from memory forensics, there are also papers on drones, OSINT, WhatsApp, and LLMNR and NBT-NS poisoning attacks.
Thanks to all authors, reviewers, and proofreaders for participating in this project.
Have a nice read!
and the eForensics Magazine Editorial Team
TABLE OF CONTENTS
Analysing Volatile Evidence in WindowsOS: A command line approach
by Joseph Moronwi
Data is considered volatile if it is lost when a device is turned off or rebooted. Note that such data also gets overwritten during normal use of a computing device (e.g., when a specific application on a PC is closed, the space it reserved in RAM is released, allowing other applications to use that space).
Belkasoft RAM Capture & Volatility Memory Forensics
by Sudharshan Kumar
Forensic analysis is essentially the process of gathering evidence, indicators, clues and other parameters from a crime scene (physical, digital, organised or unorganised crime) that helps attribute the crime to the person or entity involved in it. As a matter of fact, forensics is always the reactive approach that helps determine the cause of an attack and the threat actors behind it. In digital forensics, the major sources of evidence are digital resources such as magnetic tapes, hard drives, the RAM in a computer, server or smartphone, memory sticks, etc. Any forensic analysis fundamentally involves four steps – Identification, Collection, Preservation & Further Analysis.
In this article, we will learn how evidence is extracted from identified volatile memory sources such as RAM (Random Access Memory).
Volatile Memory Capture Tools - An Overview
by Maciej Makowski
This article will focus on RAM acquisition for Windows operating systems.
One of the Many Approaches to Memory Forensics on Windows
by Divya Lakshmanan
This article will discuss how memory can be captured from a Windows 10 system using Dumpit.exe and how the acquired memory image can be analysed using Volatility.
Memory Analysis Lab
by Phalgun Kulkarni
Analysis of volatile memory such as RAM can reveal a wealth of information: which applications were run, whether any malware or malicious application is running and which process it has attached itself to, details about the processor and the network connections, and who connected to the host and for what purpose.
Because such memory is volatile, it can be overwritten, even remotely, and is lost after any loss of power.
Introduction to memory forensics using Autopsy
by Anudeep Nayakoti
Technology has advanced in extreme leaps, and cybercrime technology has advanced along with it, making it increasingly difficult for experts to mitigate cybercrime. There are numerous ways and tools to investigate these crimes. This article focuses primarily on memory forensics. It also explores Autopsy, an open-source tool for analysing a local drive.
Drone forensic analysis: Correlating a drone to a mobile device
by Carlos Manzo Trujillo
Drones or UAVs (Unmanned Aerial Vehicles) are among the major growing technologies; they have many beneficial applications, yet they can also pose a significant threat. Several incidents have occurred in which drones violated the privacy of the public and the security of sensitive facilities, including several nuclear power plants in France. The threat drones pose to the security of nuclear facilities matters not only to governments but to all of us. We analyse the forensically sound open source tool DRone Open source Parser (DROP), which parses the proprietary DAT files extracted from the drone's non-volatile internal storage. These DAT files are encrypted and encoded. The work also shares preliminary findings on TXT files, which are likewise proprietary, encrypted and encoded files found on the mobile device controlling the drone. These files provided a slew of data such as GPS locations, battery level, flight time, etc. By extracting data from both the controlling mobile device and the drone, we were able to correlate the data and link the user to a specific device based on the extracted metadata. Furthermore, the results showed that the best mechanism for forensically acquiring data from the tested drone is to disassemble the drone and manually extract the SD card.
Beginner’s Guide to People Search
by Lohitya Pushkar
Open Source Intelligence is the process of gathering intelligence on anything and anyone from information freely available in the public domain. A pool of methods and techniques for gathering such data is now available, and people keep creating and sharing new tools and techniques for it. In this article, I will talk about people search, which is just one of the many parts of OSINT.
LLMNR and NBT-NS poisoning attack
by Matheus Fernandes and Filipi Pires
Do you know how an attacker can capture usernames and passwords on a local network simply by waiting for the computers to willingly give them up? Have you heard of LLMNR and NBT-NS poisoning? This is one of the most common attacks, and it is usually one of the first attack vectors used to obtain credentials once internal security has already been compromised. In the following sections, we will cover the attack in more detail, providing real evidence produced in our laboratory as well as methods for protecting against it.
Introduction to Whatsapp Forensic Analysis on Android
by Daniele Giomo
WhatsApp is one of the most widely used instant messaging applications on both Android and iOS. To carry out a forensic analysis of this application, it is first necessary to obtain a dump of the device's entire file system (that is, a logical or physical acquisition of the smartphone being analysed).