2. Outline
• Introduction
• What can be found in Memory
• Overview of the process
• Tools & Techniques
• Various Formats
• Memory Forensics in Context of Windows Device
• Memory Forensics in Context of Linux Device
• Hardware Approaches for Memory Forensics
• Little discussion on the difference between Windows and Linux Forensics
3. Introduction
Digital analysis can be broadly studied under two headings:
a) Static or dead analysis, where the target devices to be analyzed are
shut down, and
b) Live analysis, where the system stays booted and is kept alive.
Live analysis has become a necessity with the increase in cybercrime, because
individuals have started deleting content as soon as possible without ever
saving it to the hard drive. Hence, in order to retrieve more valuable
information, the forensic analyst needs to examine the volatile memory.
4. Introduction
What is Memory Forensics?
The science of examining the volatile or live memory is referred
to as Memory Forensics.
5. What can be found in Memory?
What can be found in the Main Memory?
a) Running processes.
b) Running threads.
c) Passwords, keys and other related information.
d) Live registry hives (Windows only).
e) Malware presence.
f) Malicious or suspicious activities.
g) Open network connections.
In fact, anything the processor works upon…
6. Overview of the process
Memory Forensics can be studied broadly under three categories:
a) Acquisition of memory
b) Analyzing the acquired data
c) Recovering the evidence
[Process diagram: Acquisition → Analysis → Evidence]
7. Tools & Techniques
Tools used for the acquisition of the Memory
a) For Windows Platform
• Belkasoft Live RAM Capturer
• FTK Imager
• OSForensics
• Mandiant Memoryze
• DumpIt, etc.
b) For Linux Platform
• LiME (Linux Memory Extractor)
• Second Look
• fmem, etc.
8. Tools & Techniques
Tools used for analyzing the acquired data
a) For Windows Platform
• Belkasoft Evidence Center
• wxHexEditor
• Autopsy
• Volatility *
b) For Linux Platform
• Volatility *
• The Sleuth Kit (TSK), etc.
9. Various Formats
File formats in which acquired memory is stored
a) Raw Dump (.img/.dd)
b) Windows Crash dump format (.bin)
c) Memory dump (.mem)
d) Commercial Tools Formats
• EnCase (.E01)
• VMware (.vmem)
• FastDump Pro (.hpak)
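As an added illustration (not part of the slides), the following Python inspects the first bytes of a memory image to tell several of the formats listed above apart before handing the file to an analysis tool. The EWF, Windows crash dump and LiME header magics are the real ones; the sample headers are constructed, and formats without a header (.dd/.img/.mem/.vmem) fall through to "raw".

```python
import struct

# LiME range header: magic, version, start address, end address, reserved (32 bytes)
LIME_HEADER = struct.Struct("<IIQQ8s")
LIME_MAGIC = 0x4C694D45                      # ASCII "LiME" read as a little-endian u32
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"   # EnCase/EWF segment file signature


def identify_memory_image(header: bytes):
    """Return (format_name, details) for the leading bytes of a memory image."""
    if header.startswith(EWF_SIGNATURE):
        return "EnCase EWF (.E01)", {}
    # Windows crash dumps start with "PAGE" + "DUMP" (32-bit) or "DU64" (64-bit)
    if header[:8] in (b"PAGEDUMP", b"PAGEDU64"):
        bits = 64 if header[4:8] == b"DU64" else 32
        return f"Windows crash dump ({bits}-bit)", {"bits": bits}
    if len(header) >= LIME_HEADER.size:
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(header)
        if magic == LIME_MAGIC:
            # A LiME image is a sequence of (header, range) pairs; report the first range
            return "LiME", {"version": version, "s_addr": s_addr, "e_addr": e_addr}
    # No recognised header: a flat physical-memory image (.dd/.img/.mem/.vmem) or unknown
    return "raw/unknown (treat as flat physical memory)", {}


# Constructed sample headers (not real dumps), one per format family on the slide
SAMPLES = {
    "evidence.E01": EWF_SIGNATURE + b"\x00" * 56,
    "win_crash.bin": b"PAGEDU64" + b"\x00" * 56,
    "linux.lime": LIME_HEADER.pack(LIME_MAGIC, 1, 0x1000, 0x9FFFF, b"\x00" * 8) + b"\xaa" * 32,
    "vmware.vmem": b"\x00" * 64,
}


def sniff_all(samples=SAMPLES):
    """Map each sample file name to the detected format name."""
    return {name: identify_memory_image(data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, fmt in sniff_all().items():
        print(f"{name:15s} -> {fmt}")
```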