COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION


  1. (Title slide)
  2. PLAN
     01 INTRODUCTION: RAM; content of RAM.
     02 RAM DUMP ACQUISITION: acquisition and verification.
     03 ANALYSIS: general methods; advanced methods.
  3. DISCLAIMER
     All the tools and techniques used in this demo should not be performed on systems without clearance or authorization. It will be important to even get a lawyer before engaging in such activity.
  4. 01 INTRODUCTION
     The goal of the session is to be able to comfortably acquire the RAM from a suspect's system and conduct forensic analysis to gather evidence that will later be used in court. (Acquire RAM dump; analysis.)
  5. RAM PRIMER
     - Fast, temporary storage.
     - It has no file system (the memory manager in the OS keeps track of where data is found in RAM).
     - It is the working area of the computer.
     - Computers, phones, IoT devices, etc. all have RAM.
  6. ARTIFACTS IN RAM
     - Executed programs and files
     - Decrypted content
     - Passwords, usernames, emails, chats, opened web pages, network traffic, etc.
     - Location of opened files on disk
  7. NOTE
     1. You can only acquire or access RAM when a computer is on.
     2. All user activities on the device touch RAM in some way.
     3. Most first responders do not collect RAM yet.
  8. LIVE DATA FORENSICS
     - It's worth noting that data is still changing.
     - Understanding which data will be modified in the process is important.
     - Ensure that no data relied upon in court is modified.
  9. 02 RAM DUMP ACQUISITION
     Acquisition (1)
     - Live acquisition to storage while the target system is on
     - Hibernating the target system (writes RAM to disk)
     - Reboot into a RAM-acquisition OS
     - VM: can dump RAM directly to a file
     - RAM is normally collected while a system is live
     Verification (2)
     - Create a reference hash of the dump after acquisition.
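Worked example of the verification step above, added here and not taken from the slide deck: hash the acquired dump in fixed-size chunks so a multi-gigabyte image never has to fit in memory, record the reference hash in sha256sum's `<digest>  <filename>` format right after acquisition, and re-verify later. The dump contents and the file name `suspect-ram.raw` are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Tuple

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time; RAM dumps are often many GiB


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hash an in-memory buffer (handy for small test inputs)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Stream the file through the hash so the whole dump never has to be in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecar_path(dump: Path) -> Path:
    """Reference hash lives next to the dump as <dump>.sha256."""
    return dump.with_name(dump.name + ".sha256")


def write_reference_hash(dump: Path) -> str:
    """Record the reference hash immediately after acquisition, in sha256sum's
    '<digest>  <filename>' format so `sha256sum -c` can re-check it as well."""
    digest = hash_file(dump)
    sidecar_path(dump).write_text(f"{digest}  {dump.name}\n", encoding="ascii")
    return digest


def verify_dump(dump: Path) -> bool:
    """Recompute the hash and compare it against the recorded reference."""
    expected = sidecar_path(dump).read_text(encoding="ascii").split()[0]
    return hmac.compare_digest(expected, hash_file(dump))


def demo() -> Tuple[bool, bool]:
    """Acquire a constructed dump, record the hash, verify, then flip one byte and
    verify again. Returns (verified_intact, verified_after_change)."""
    with tempfile.TemporaryDirectory() as tmp:
        dump = Path(tmp) / "suspect-ram.raw"  # constructed file name
        dump.write_bytes(bytes(4096) + b"constructed memory contents" + bytes(4096))
        write_reference_hash(dump)
        intact = verify_dump(dump)
        data = bytearray(dump.read_bytes())
        data[100] ^= 0xFF  # simulate a post-acquisition modification
        dump.write_bytes(data)
        changed = verify_dump(dump)
    return intact, changed


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The sidecar is written with two spaces between digest and name on purpose: that is the exact line format `sha256sum -c` expects, so the same reference file serves the examiner's scripts and a reviewer checking by hand.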
  10. 03 ANALYSIS: General analysis
      - Relies on specific structures in RAM to process and extract information.
      - Tends to look for more general data structures existing in the raw dataset.
      - Easier and faster for some tasks.
      - Used for low-level data analysis.
  11. GENERAL ANALYSIS METHODS
      - Hexing a dump
      - Working with PowerShell (strings and Select-String)
      - File carving with PhotoRec
      - The almighty bulk_extractor
  12. 03 ANALYSIS: Advanced analysis
      - Advanced analysis relies on data structures in memory that are specific to how the operating system's memory manager functions.
      - Advanced analysis methods parse complicated operating system data structures to recover much more information about the system's state.
  13. ADVANCED ANALYSIS METHODS
      - Process analysis and dumping of files from RAM
      - Command execution and network connection analysis
      - Dumping Windows hashes
      - Windows registry: UserAssist and hive extraction
      Tools demoed: Volatility 3, MemProcFS
  14. CHEAT-SHEET (1/2)
      Acquisition
      - All actions on a live system will modify memory and probably disk.
      - Test acquisition tools and document what changes they normally make. How much memory does the tool use?
      Hex editor
      - Good for low-level analysis and fast string and hex searches.
      - Common file headers: JPG: 0xFFD8FFE0, DOCX: 0x504B030414, PDF: 0x25504446
      - Bookmark: https://www.garykessler.net/library/file_sigs.html
      CLI search
      - Windows: strings (from Sysinternals), Select-String (PowerShell). Linux: strings, grep.
      - | (pipe) sends one command's output to another command's input; > (redirect) sends a command's output to a file.
      - Windows: strings [memimage] | Select-String '[keyword]'
      - Linux: strings [memimage] | grep '[keyword]'
      - Create a password list from RAM: strings [memimage] > passlist.txt
      PhotoRec
      - Recovers more than just images: video, executables, databases, etc.
      - Carving for text ".txt" files will result in a lot of trash.
      - RAM does not have a partition or file system!
      - photorec [memimage]
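An added example, not part of the deck, that reproduces the hex-editor and CLI-search steps of this cheat-sheet in Python: it scans a raw image for the three header signatures listed above and extracts printable strings the way `strings | grep` would. It goes one step beyond the slide by also recovering UTF-16LE strings, which Windows uses for most user-facing text in memory and which GNU `strings` only finds with `-e l`. The memory image is a small constructed byte string with planted artefacts, not a real dump.

```python
import re
from typing import Dict, List, Tuple

# Header signatures from the cheat-sheet (magic bytes at the start of each file type).
# FFD8FFE0 is the JFIF form of a JPEG header; Exif JPEGs start with FFD8FFE1 instead.
SIGNATURES: Dict[str, bytes] = {
    "JPG": bytes.fromhex("FFD8FFE0"),
    "DOCX/ZIP": bytes.fromhex("504B030414"),  # DOCX is a ZIP container
    "PDF": bytes.fromhex("25504446"),         # "%PDF"
}


def carve_headers(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, type) for every header signature found, lowest offset first.

    RAM has no file system, so a signature hit is only a candidate start of a file;
    deciding where the file ends is a separate, per-format job (PhotoRec does it
    with footer and structure rules).
    """
    hits: List[Tuple[int, str]] = []
    for name, magic in SIGNATURES.items():
        start = 0
        while (idx := image.find(magic, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def extract_strings(image: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Mimic `strings`: runs of printable ASCII, plus UTF-16LE runs (`strings -e l`)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(image)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in utf16_re.finditer(image)]
    return sorted(found)


def grep_strings(image: bytes, keyword: str) -> List[Tuple[int, str, str]]:
    """Equivalent of `strings [memimage] | grep -i '[keyword]'`, with offsets kept."""
    kw = keyword.lower()
    return [s for s in extract_strings(image) if kw in s[2].lower()]


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory image: zero padding with a few planted artefacts."""
    img = bytearray(64)
    img += b"username=alice;password=Tr0ub4dor" + bytes(16)                 # credential left in a heap
    img += bytes.fromhex("FFD8FFE0") + b"\x00\x10JFIF\x00" + bytes(32)      # start of a cached JPEG
    img += "https://intranet.example/login".encode("utf-16-le") + bytes(16)  # browser URL, UTF-16LE
    img += bytes.fromhex("25504446") + b"-1.7\n" + bytes(16)                # "%PDF-1.7"
    img += bytes.fromhex("504B030414") + bytes(32)                           # ZIP/DOCX local file header
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for offset, kind in carve_headers(image):
        print(f"{offset:#010x}  {kind}")
    for offset, enc, text in grep_strings(image, "password"):
        print(f"{offset:#010x}  {enc:5}  {text}")
```

Keeping the offset with each hit is what lets you jump straight to the same location in a hex editor, which is the workflow the slide pairs with the CLI search; `strings` alone throws that information away.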
  15. CHEAT-SHEET (2/2)
      bulk_extractor
      - Good for large, batch processing of data sources.
      - Can often detect files and data that others cannot (stream processing).
      - Good at partial and corrupt file detection/parsing.
      - bulk_extractor -o [outdir] [memimage]
      Volatility 3
      - Get image info: vol.py -f [memimage] windows.info
      - List processes: vol.py -f [memimage] windows.pslist
      - List file handles: vol.py -f [memimage] windows.handles --pid [pid] | Select-String 'File'
      - Dump file: vol.py -f [memimage] -o [dumpfolder] windows.dumpfile --pid [pid] --virtaddr [vaddr]
      - Parse command line: vol.py -f [memimage] windows.cmdline.CmdLine
      - List network connections: vol.py -f [memimage] windows.netstat
      - Dump user password hashes: vol.py -f [memimage] windows.hashdump.Hashdump
      - Dump UserAssist to terminal: vol.py -f [memimage] windows.registry.userassist.UserAssist
      - List all registry hives: vol.py -f [memimage] windows.registry.hivelist.HiveList
      - Dump by filter: vol.py -f [memimage] -o "[dumpfolder]" windows.registry.hivelist --filter [keyword] --dump
      - Dump key & values: vol.py -f [memimage] windows.registry.printkey --key "[key]" --recurse
  16. QUESTIONS?
      Merci! Thank you!
