“That what you fear the most
Could meet you halfway”
(Crazy Mary, Victoria Williams)
Memory Forensics Historical Turning Point
Memory Forensics is one of the greatest developments in the history of digital forensic analysis. In fact, it is a turning point in forensic investigation methodology. The turning point came with the development of tools for memory capture (for different operating systems) and tools that extract data from the memory image, such as Volatility and Rekall (officially discontinued).
Memory Forensics Acquisition
Acquiring a memory dump from an infected operating system is essential for forensic analysis. However, this acquisition can be laborious if the analyst is using open-source tools (there are paid tools that can capture the memory of multiple hosts simultaneously, in a time proportional to the size of the RAM). But in the case where the tool is open source and the hosts have, for example, 128 GB of RAM, this procedure is time-consuming. In a scenario with, for example, 20 hosts with 16 GB of RAM each, it would take a considerable amount of time.
The acquisition at the time of the incident (full image or mini dump)
In this sense, what should we collect when we encounter an incident, for example ransomware? Do a full dump and generate a memory image file, for example my_infected_host.mem, or choose to capture process dumps (minidumps)?
Author
- Paulo Pereira is an independent malware analyst, Cyber Security Professional, EXIN Instructor.