The Lockbit 3 Black Forensics Analysis (Part III)

October 24, 2023

Memory Forensics Modern Approach

“That what you fear the most

Could meet you halfway” 

(Crazy Mary, Victoria Williams)

Paulo Pereira, PhD

Memory Forensics Historical Turning Point

Memory Forensics is one of the greatest developments in the history of digital forensic analysis. In fact, it's a turning point in forensic investigation methodology. The turning point came with developing of tools for memory capture (for different operating systems) and tools that extract data from the memory image, such as Volatility and Rekall (officially discontinued).

Memory Forensics Acquisition

Acquiring a memory dump from an infected operating system is essential for forensic analysis. However, this acquisition can be laborious if the analyst is using open-source tools (there are paid tools that can capture the memories of multiple hosts simultaneously at a time befitting the size of the RAM). But in the case where the tool is open source and hosts have, for example, 128 GB of RAM, this procedure is time-consuming. In a scenario with, for example, 20 hosts with 16GB of RAM, it would take a considerable amount of time. 

The acquisition at the time of the incident (full image or mini dump)

In this sense, what should we collect when we come up with an incident, for example, a ransomware? Do a full dump and generate a memory image file, for example, my_infected_host.mem, or choose to capture process dump (mini dumps)? 

Another option to generate memory dumps as supported by Comae memory analysis platform is to leverage process minidumps....


Paulo Pereira
Paulo Pereira is an independent malware analyst, Cyber Security Professional, EXIN Instructor.
Notify of

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023