The Lockbit 3 Black Forensics Analysis: Memory Forensics Modern Approach (Part III)

Paulo Pereira, PhD
Mar 14, 2023

“That what you fear the most

Could meet you halfway” 

(Crazy Mary, Victoria Williams)


Memory Forensics Historical Turning Point

Memory Forensics is one of the greatest developments in the history of digital forensic analysis. In fact, it is a turning point in forensic investigation methodology. That turning point came with the development of tools for memory capture (for different operating systems) and of tools that extract data from the memory image, such as Volatility and Rekall (officially discontinued).

Memory Forensics Acquisition

Acquiring a memory dump from an infected operating system is essential for forensic analysis. However, this acquisition can be laborious if the analyst is using open-source tools (there are paid tools that can capture the memory of multiple hosts simultaneously, in a time proportional to the size of the RAM). But where the tool is open source and the hosts have, for example, 128 GB of RAM, this procedure is time-consuming. In a scenario with, for example, 20 hosts with 16 GB of RAM each, the total acquisition time would be considerable.

The acquisition at the time of the incident (full image or mini dump)

In this sense, what should we collect when we face an incident such as ransomware? Do a full dump and generate a memory image file, for example, my_infected_host.mem, or choose to capture process dumps (mini dumps) instead?

....

Author

Paulo Pereira
Paulo Pereira is an independent malware analyst, Cyber Security Professional, EXIN Instructor.
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023