Are there any issues with using RAM as a source of evidence in an investigation?
DFRWS 2020 EU – Proceedings of the Seventh Annual DFRWS Europe
Tampering with Digital Evidence is Hard: The Case of Main Memory Images
Open access, under a Creative Commons license.

Abstract
Tampered digital evidence may jeopardize its correct interpretation. To assess the risks in a court of law, it is helpful to quantify the necessary effort to perform a convincing manipulation of digital evidence. Based on a sequence of controlled experiments with graduate students and digital forensics professionals, we study the effort to manipulate copies of main memory taken during a digital investigation. Confirming previous results on hard disc image tampering, manipulating main memory dumps can be considered hard in the sense that most forgeries were successfully detected. However, while the effort to detect a manipulation is generally bounded by the tampering effort, some forgeries fooled the analysts and caused analysis effort that was higher than the manipulation effort. The detection effort by graduate students, however, was generally higher than that of professionals. We study different manipulation and detection approaches and their success. Overall, tampering with main memory dumps appears to be harder than tampering with hard disc images, but the probability of fooling an analyst is higher too.

© 2020 The Authors. Published by Elsevier Ltd.

What is Memory Forensics?
Memory forensics is a form of digital investigation in which the investigator identifies unauthorized and anomalous activity on a target computer or server from the contents of its volatile memory. This is usually achieved by running an acquisition tool that captures the current state of the system's RAM to a snapshot file, known as a memory dump. The dump can then be taken offsite and examined. Because running processes, open files and loaded program code all reside in memory, a captured snapshot lets the investigator establish many facts about the system, such as:
This information is clearly valuable to an investigator looking for system anomalies: by capturing the volatile contents of memory, they turn a transient state into a permanent record of the system as it was. Suspicious programs such as viruses and other malware can then be tracked down in a lab environment and, where possible, traced back to their source. This matters most for fileless or memory-only malware, which leaves no trace of its activity on the target's hard drive; in those cases memory forensics is often the only way to identify the activity at all. We offer an excellent introduction to computer forensics with our computer forensics boot camp course, and we highly recommend it as your starting point for pursuing your CCFE certification. More information can be found here: https://www.infosecinstitute.com/courses/computer-forensics-boot-camp.

How is Memory Forensics Different from Hard Drive Forensics?
Memory forensics can be thought of as a snapshot of a system that gives investigators a near-real-time picture of it while in use. Hard drive forensics is normally focused on data recovery and decryption, usually performed on an image of the drive in question. One can think of memory forensics as a live response to a current threat, while hard drive forensics is more of a post mortem of events that have already transpired. Memory forensics is time sensitive: the information it needs lives in volatile system memory, and if the system is restarted or powered off that information is lost. Hard drives, on the other hand, are a non-volatile form of storage, although they do have volatile elements such as cache and buffer stores that the investigator must also take into account. One further caveat: the acquisition tool itself runs on the live system and consumes memory while it works, so a dump is never a perfectly pristine record, and the sooner it is taken after an incident, the less evidence will have been overwritten. Depending on the nature of the investigation, either technique can be used to gain further information about the system in question.
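The DFRWS abstract above is about forging a dump after acquisition; the first line of defence against that is recording what was acquired so that the copy analysed later can be checked against it. The following added example (not code from the original article) builds a page-granular SHA-256 manifest of a raw memory image and, on verification, reports the offsets of any pages that no longer match. The image, the 4 KiB page size and the simulated tampering are all constructed for the demo.

```python
"""Page-level integrity manifest for an acquired memory image.

Added example, not code from the original article. Assumptions: a raw
(flat) image, 4 KiB pages, and SHA-256 as the hash; the image used below
is constructed in memory so the script runs offline.
"""
import hashlib

PAGE_SIZE = 4096  # assumption: x86-64 page size; any fixed block size works


def build_manifest(image: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Record the length, a whole-image hash and one hash per page.

    Computed at acquisition time and stored separately from the dump
    (for example signed, or written into the chain-of-custody record)."""
    pages = [hashlib.sha256(image[off:off + page_size]).hexdigest()
             for off in range(0, len(image), page_size)]
    return {
        "page_size": page_size,
        "length": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
        "pages": pages,
    }


def verify(image: bytes, manifest: dict) -> list:
    """Return the byte offsets of pages that differ from the manifest.

    An empty list means the copy is byte-for-byte what was acquired.
    A length change is reported as every page beyond the shorter image,
    so truncation or appended data is never silently accepted."""
    page_size = manifest["page_size"]
    current = build_manifest(image, page_size)["pages"]
    recorded = manifest["pages"]
    changed = []
    for idx in range(max(len(current), len(recorded))):
        have = current[idx] if idx < len(current) else None
        want = recorded[idx] if idx < len(recorded) else None
        if have != want:
            changed.append(idx * page_size)
    return changed


def tamper(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite bytes at offset (used here only to simulate a forgery)."""
    return image[:offset] + new_bytes + image[offset + len(new_bytes):]


# Constructed 16 KiB "dump": four pages of a repeating byte pattern.
SAMPLE_IMAGE = bytes(range(256)) * 64

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_IMAGE)
    print("clean copy differs at:", verify(SAMPLE_IMAGE, manifest))
    forged = tamper(SAMPLE_IMAGE, 0x2010, b"svchost.exe\x00")
    print("forged copy differs at:", [hex(o) for o in verify(forged, manifest)])
```

Note what this does and does not prove: a matching manifest shows that the copy under analysis is the one that was acquired, which defeats post-acquisition forgery of the kind the paper studies only if the manifest itself was recorded at acquisition and kept out of the attacker's reach. It says nothing about whether the live system was already manipulated before the tool ran.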
Likewise, both methods can be used on the same system if necessary, and investigators must use their discretion to select the appropriate action.

Memory Forensics: Acquisition Methods
The angle you take during the acquisition phase depends mostly on the scenario you are presented with and the requirements of the case: the operating system the host is running, and the perceived issue that needs to be investigated at the time of the incident. How you capture the image also depends on what you are trying to establish, and what it is you are trying to prove or disprove. Generally the investigation will focus either on the activities of the user on the system or on evidence that the system has been compromised. Sometimes even encryption keys and passwords can be recovered, if they are part of the evidentiary requirements of the case. There must be a clear understanding of what needs to be established on the target system and how it will advance the investigation. Skilled forensic investigators can identify activity that should not be present on a system, allowing them to show that it has been compromised: rootkits and malware, unusual processes, and covert communication channels, all of which shed light on what is happening on the target right now. Here are some examples of acquisition formats used in memory forensics. There are many different memory acquisition types, but these are five of the most common methods and formats used today:
Once you have acquired your data, you can begin examining the system, and any suspicious activity will be uncovered as you proceed. Data carving is a commonly used approach, and depending on the desired outcome of your particular case there are many other approaches to consider as well. Below is a list of some commonly used tools in the field that support these different approaches.

The Best Memory Forensic Tools on the Market
There are both free and commercial products on the market, and many forensic investigators have their own preferences. Some may need to use commercial products only, but many professionals use a mix of free and paid tools to get the job done. Here are some examples:
Once you have captured the data you need, you can start examining it, looking for meaningful information about the target machine you are interrogating.

Memory Forensics: Examining Your Captured Data
There are many avenues an investigator can take when analyzing a target system, so many in fact that entire book series are dedicated to the subject. We will instead look at some common approaches an investigator can use to glean more information via memory forensics.
Once the findings have been made, the investigator can work with his or her team to establish whether other sources of information need to be examined, and whether additional techniques should be applied to the target machine or data set.

Conclusion
Memory forensics is a crucial skill for first responders and investigators alike, as it allows the quick and complete capture of live system data for later scrutiny. While it is a very important skill to learn, it is just one of the tools taught in the forensic training courses offered for the CCFE. The skills learned in the CCFE are critical for anybody seeking to certify their knowledge, or to learn from scratch as a student in the field of computer forensics. There are many reasons to take this course, and thanks to our boot camp, getting started has never been easier. For those interested in reading further on the topic of memory forensics, please take a look at the articles below.

/memory-forensics-power-introduction/
/memory-forensics/
/memory-forensics-and-analysis-using-volatility/

What evidence can you find in RAM?
Evidence that can be found in RAM includes the processes and programs running on the system, network connections, evidence of malware intrusion, registry hives, usernames and passwords, decrypted files and keys, and evidence of activity that is never written to the local hard disk.
Why is RAM important in forensics?
RAM analysis is an important part of computer forensics because it helps investigators establish what happened on the machine right before the incident. Every running process lives in RAM, so it must be acquired before the computer is turned off.
Why is capturing live memory so beneficial to a digital forensics investigator?
By capturing the memory of a compromised device you can quickly perform analysis to identify potential malware and gather IOCs, which can then be used to identify other compromised devices.
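The data carving mentioned in the examination section and the IOC gathering described in this answer are the same operation: scanning the raw image for recognisable structures. The following added example (not code from the original article or from any named forensic tool) carves three things from a raw dump: PE (Windows executable) headers, validated by following e_lfanew to the PE signature rather than trusting a bare "MZ"; printable ASCII strings; and network IOCs in the form of IPv4 addresses and URLs. The image, its layout and the planted strings are constructed so the script runs offline.

```python
"""Signature-based carving of a raw memory image.

Added example, not code from the original article or any named tool.
The sample image below is constructed for the demo: its offsets, the
planted URL, the planted C2 address and the fake PE header are all
assumptions, not data from a real system.
"""
import re
import struct

IPV4 = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~%/\-?=&#]*)?")


def carve_pe(image: bytes) -> list:
    """Return (offset, machine) for every MZ header whose e_lfanew really
    points at a 'PE\\0\\0' signature. A bare 'MZ' is far too common in
    random data to trust on its own; resolving the pointer is what makes
    this a carver rather than a grep."""
    hits = []
    pos = image.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(image):
            e_lfanew = struct.unpack_from("<I", image, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if (e_lfanew >= 0x40 and pe + 6 <= len(image)
                    and image[pe:pe + 4] == b"PE\x00\x00"):
                machine = struct.unpack_from("<H", image, pe + 4)[0]
                hits.append((pos, machine))
        pos = image.find(b"MZ", pos + 1)
    return hits


def carve_strings(image: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII at least min_len long (like strings(1))."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image)]


def carve_iocs(image: bytes) -> dict:
    """IPv4 addresses (octets range-checked) and URLs, deduplicated."""
    ips = sorted({m.group().decode() for m in IPV4.finditer(image)
                  if all(int(o) <= 255 for o in m.group().split(b"."))})
    urls = sorted({m.group().decode() for m in URL.finditer(image)})
    return {"ipv4": ips, "urls": urls}


def make_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Minimal MZ/PE header stub (constructed; not a real executable)."""
    dos = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, e_lfanew)    # pointer to PE signature
    return (bytes(dos) + b"\x00" * (e_lfanew - 64)
            + b"PE\x00\x00" + struct.pack("<H", 0x8664)  # Machine = AMD64
            + b"\x00" * 18)


FILLER = bytes([0x00, 0xCC, 0x90, 0xFF]) * 64   # 256 bytes, no printable ASCII


def build_sample_image() -> bytes:
    """Constructed dump: one real PE header, two planted strings and a
    decoy 'MZ' whose e_lfanew is 0 and therefore never resolves to PE."""
    decoy = b"MZ" + b"\x00" * 126
    return (FILLER + make_fake_pe() + FILLER
            + b"GET http://evil.example/payload.bin HTTP/1.1\x00" + FILLER
            + b"C2=10.0.0.5:4444\x00" + FILLER + decoy + FILLER)


if __name__ == "__main__":
    img = build_sample_image()
    for off, machine in carve_pe(img):
        print(f"PE header at 0x{off:x}, machine 0x{machine:04x}")
    for s in carve_strings(img):
        print("string:", s.decode())
    print("IOCs:", carve_iocs(img))
```

The decoy shows why validation matters: a signature-only scan of a multi-gigabyte dump returns thousands of false "MZ" hits, and every IOC pulled from memory should likewise be treated as a lead to confirm against network logs or disk artifacts, not as proof on its own. A real tool would also walk the kernel's process and handle structures rather than relying on carving alone, since carving recovers freed and partially overwritten data with no context about which process owned it.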
What are the problems with computer forensics evidence?
Two recurring challenges in a digital forensic investigation are complexity and quantity. The complexity problem is that the data collected is at the lowest level, in raw format, which non-technical people find difficult to understand. The quantity problem is that the volume of data to be examined (a single memory dump can be many gigabytes) makes it impractical to review everything by hand.