Memory Forensics Basics
What is Memory Forensics?
In a computer, data are stored in either the main memory unit or an auxiliary memory unit. RAM (Random Access Memory) is the main memory unit: it holds the programs and data fetched from auxiliary storage and keeps them only until the power is turned off. It is also called physical memory. There are three reasons why gathering and analyzing the data held in physical memory is important during digital evidence collection. First, physical memory contains data about the live system state, such as the currently mounted file systems and the list of running processes. Second, data that is encrypted on disk is generally held in plaintext once it is loaded into physical memory. Third, it suits the characteristics of embedded systems: since an embedded system is rarely powered off, the data in its physical memory is seldom lost. Significant information can therefore be obtained if the analysis is performed effectively.
Memory forensics is the forensic analysis of a computer's memory dump. Its primary application is the investigation of advanced attacks that are stealthy enough to avoid leaving data on the hard drive; in such cases the memory (RAM) must be analyzed for forensic information.
- Alternative names
Memory dump, memory analysis, physical memory analysis, RAM forensics, etc.
What information can we get from memory?
- Image Identification
- Processes and DLLs
- Process Memory
- Kernel Memory and Objects
- Malware and Rootkits
Memory Dump tools
- LiME (Linux)
LiME (Linux Memory Extractor) is a Linux kernel module (LKM), released by ShmooCon, that performs memory dumps of Linux systems. It is the first tool that can dump the entire memory of Linux-based devices and of Android devices. LiME is a powerful tool that can dump memory simply by loading the module right after compiling it, without further steps such as changing kernel settings. In the case of Android in particular, the dump can be written directly to external storage: a pre-compiled module file is copied to the external storage and the module is loaded from the command line.
Link : https://code.google.com/p/lime-forensics/
- Dump using dd (Linux)
dd is a basic Linux command that copies files of any size and converts their format. In Linux every device is managed as a file, so physical memory can be copied with dd from /dev/mem, the file through which memory is exposed. However, in Linux distributions access to /dev/mem is restricted by default in the kernel, so a memory dump from /dev/mem is only possible if that restriction is lifted when compiling the kernel.
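As an added example (my own code, not part of this page or of dd itself), the following Python script mirrors what `dd if=/dev/mem of=mem.raw bs=1M conv=noerror,sync` does during acquisition: it copies the source in fixed-size blocks, zero-fills a block whose read fails and keeps going, refuses to overwrite an existing output file, and records a SHA-256 sidecar so the image can be verified later. `FlakyDevice` is a constructed stand-in for a device with an unreadable range so the script runs offline; the function names are assumptions of this example.

```python
import hashlib
import io
import os
import tempfile

BLOCK_SIZE = 1024 * 1024  # 1 MiB reads, the equivalent of dd's bs=1M


def sha256_hex(data):
    """SHA-256 of an in-memory byte string, as a hex digest."""
    return hashlib.sha256(data).hexdigest()


def acquire(src, dst_path, block_size=BLOCK_SIZE):
    """Copy the readable, seekable object `src` (e.g. an open /dev/mem) to
    dst_path with dd's conv=noerror,sync semantics: a block whose read fails
    is written as zeros and copying resumes at the next block.
    Returns the bytes written, the offsets of unreadable blocks and the
    SHA-256 of the image."""
    digest = hashlib.sha256()
    written = 0
    unreadable = []
    offset = 0
    # Mode "xb" fails if the file exists: never clobber a previous image.
    with open(dst_path, "xb") as dst:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError:
                # On /dev/mem a read can fail on a non-RAM or protected range;
                # record the offset, pad with zeros and skip past the block.
                unreadable.append(offset)
                chunk = b"\x00" * block_size
                src.seek(offset + block_size)
            if not chunk:
                break
            dst.write(chunk)
            digest.update(chunk)
            written += len(chunk)
            offset += len(chunk)
    sha256 = digest.hexdigest()
    # Sidecar in the format `sha256sum -c` understands.
    with open(dst_path + ".sha256", "w") as f:
        f.write(f"{sha256}  {os.path.basename(dst_path)}\n")
    return {"bytes": written, "unreadable": unreadable, "sha256": sha256}


def verify(dst_path, block_size=BLOCK_SIZE):
    """Re-hash an image and compare it with the recorded sidecar value."""
    with open(dst_path + ".sha256") as f:
        recorded = f.read().split()[0]
    digest = hashlib.sha256()
    with open(dst_path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest() == recorded


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a memory device: every read that starts
    inside `bad_range` raises OSError, like an unmapped physical range."""

    def __init__(self, data, bad_range):
        super().__init__(data)
        self.bad_range = bad_range  # (start, end) byte offsets, end exclusive

    def read(self, size=-1):
        pos = self.tell()
        if self.bad_range[0] <= pos < self.bad_range[1]:
            raise OSError("read error at offset %#x" % pos)
        return super().read(size)


def demo(block_size=16):
    """Acquire a constructed 3-block device whose middle block is unreadable."""
    data = b"A" * block_size + b"B" * block_size + b"C" * block_size
    device = FlakyDevice(data, (block_size, 2 * block_size))
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "mem.raw")
    result = acquire(device, image, block_size)
    with open(image, "rb") as f:
        result["image"] = f.read()
    result["expected"] = sha256_hex(result["image"])
    result["verified"] = verify(image, block_size)
    return result


if __name__ == "__main__":
    r = demo()
    print(r["bytes"], r["unreadable"], r["sha256"], r["verified"])
```

The offsets collected in `unreadable` are worth keeping with the image: when an analysis framework later reports an unreadable or all-zero page at one of them, the examiner knows it was an acquisition gap rather than evidence of tampering.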
- Dumpit (Windows)
This utility generates a physical memory dump of Windows machines. It works on both x86 (32-bit) and x64 (64-bit) machines. The raw memory dump is written to the current directory; only a confirmation question is asked before it starts. It is ideal for deploying the executable on USB keys for quick incident response needs.
Link : http://www.moonsols.com/windows-memory-toolkit/
There are many other Windows tools as well, such as Windd and MDD.
Memory Analysis tools
- Volatility Framework (Linux, Windows)
Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including XP, 2003 Server, Vista, Server 2008, Server 2008 R2, Seven, 8, 8.1, Server 2012, and 2012 R2. Whether your memory dump is in raw format, a Microsoft crash dump, a hibernation file, or a virtual machine snapshot, Volatility is able to work with it. It also supports Linux memory dumps in raw or LiME format and includes 35+ plugins for analyzing 32- and 64-bit Linux kernels from 2.6.11 to 3.16 and distributions such as Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake. It supports 38 versions of Mac OSX memory dumps from 10.5 to 10.9.4 Mavericks, both 32- and 64-bit. Android phones with ARM processors are also supported.
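To make the "raw or LiME format" distinction concrete, and to show what the LiME module described in the dump-tools section actually writes, here is an added Python example (my own code, not part of Volatility, Rekall or LiME). It parses the per-segment LiME headers and flattens a dump into the raw physical-address layout. It assumes the LiME on-disk format as defined in the module's lime.h: a 32-byte header per segment (32-bit magic 0x4C694D45, 32-bit version 1, 64-bit inclusive start and end physical addresses, 8 reserved bytes, all little-endian) followed by the segment data. `build_lime` is a constructed helper that fabricates a small sample image so the script runs offline.

```python
import struct
from collections import namedtuple

LIME_MAGIC = 0x4C694D45      # stored little-endian, so a file starts with b"EMiL"
LIME_VERSION = 1
# Per-segment header from lime.h: magic, version, s_addr, e_addr, reserved[8]
HEADER = struct.Struct("<IIQQ8s")   # 32 bytes

Segment = namedtuple("Segment", "start end data_offset size")


def parse_lime(image):
    """Walk a LiME image and return its segments, in file order.
    The end address is inclusive, so a segment holds end - start + 1 bytes.
    Raises ValueError on a bad magic, unknown version or truncated segment."""
    segments = []
    offset = 0
    while offset < len(image):
        if offset + HEADER.size > len(image):
            raise ValueError(f"truncated header at file offset {offset:#x}")
        magic, version, start, end, _reserved = HEADER.unpack_from(image, offset)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at file offset {offset:#x}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME version {version}")
        if end < start:
            raise ValueError(f"segment at {start:#x} ends before it starts")
        size = end - start + 1
        data_offset = offset + HEADER.size
        if data_offset + size > len(image):
            # Typical of a dump cut short because the target storage filled up.
            raise ValueError(f"segment at {start:#x} runs past end of file")
        segments.append(Segment(start, end, data_offset, size))
        offset = data_offset + size
    return segments


def lime_to_raw(image):
    """Lay the segments out at their physical addresses and zero-fill the
    gaps (ranges LiME does not dump, such as device memory), which yields
    the flat physical-address layout of a raw dump."""
    segments = parse_lime(image)
    if not segments:
        return b""
    raw = bytearray(max(seg.end for seg in segments) + 1)
    for seg in segments:
        raw[seg.start:seg.start + seg.size] = image[seg.data_offset:seg.data_offset + seg.size]
    return bytes(raw)


def validate(image):
    """Return None if the image parses cleanly, otherwise the error message."""
    try:
        parse_lime(image)
    except ValueError as exc:
        return str(exc)
    return None


def build_lime(ranges):
    """Constructed helper for offline use: assemble a LiME image from
    (physical start address, bytes) pairs, the way the kernel module would."""
    out = bytearray()
    for start, data in ranges:
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, start, start + len(data) - 1, b"\x00" * 8)
        out += data
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: two small segments with a gap between them.
    sample = build_lime([(0x1000, b"A" * 16), (0x3000, b"B" * 8)])
    for seg in parse_lime(sample):
        print(f"segment {seg.start:#x}-{seg.end:#x}: {seg.size} bytes at file offset {seg.data_offset:#x}")
```

Running `validate` over a dump before handing it to an analysis framework is a cheap sanity check: a header with the wrong magic usually means the file is a raw dump rather than a LiME one, and a final segment that runs past the end of the file means the acquisition was interrupted and the image is incomplete.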
Link : https://github.com/volatilityfoundation
- Rekall Memory Forensic Framework
The Rekall Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.
Rekall supports investigations of the following x86 memory images:
- Microsoft Windows XP Service Pack 2 and 3
- Microsoft Windows 7 Service Pack 0 and 1
- Microsoft Windows 8 and 8.1
- Linux kernels 2.6.24 to 3.10
Link : http://www.rekall-forensic.com/