Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Memory Forensics


Published on

null Mumbai Chapter Meet - December 2013

Published in: Education, Technology
  • Be the first to comment

Memory Forensics

  1. 1. आज का आहार Memory Forensics Varun Nair @w3bgiant
  2. 2. #whoami O Security enthusiast. O For food and shelter, I work with ZEE TV O For living, I learn 4N6, Malwares and Reverse Engineering O Recent developments: O Chapter lead at Null, Mumbai chapter.
  3. 3. If you listen!!!!! O Forensics Fundamentals O Action Plan O Order of Volatility O Methodologies O Dead Forensics O Live Forensics O Demo
  4. 4. ELSE!!!!
  5. 5. Forensics Fundamentals O Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. O "Gathering and analysing data in a manner as free from distortion or bias as possible to reconstruct data or what happened in the past on a system [or a network]“ -Dan Farmer / Wietse Venema
  6. 6. Action Plan- First Response Arrive on Crime scene Machine state = OFF DEAD FORENSICS Machine state = ON LIVE FORENSICS
  7. 7. Order of Volatility MOST ….. LEAST • CPU, cache and register content • Routing table, ARP cache, process table, kernel statistics • Memory • Temporary file system / swap space •Data on hard disk •Remotely logged data •Raw Disk Blocks
  8. 8. Forensics Methodologies O “LIVE” Forensics O “DEAD” Forensics
  9. 9. DEAD FORENSICS O The dead analysis is more common to acquire data. O A dead acquisition copies the data without the assistance of the suspect’s (operating) system. O Analysing a “dead” system that has had it’s power cord pulled.
  10. 10. DEAD FORENSICS O During data acquisition an exact (typically bitwise) copy of storage media is created. O Least chance of modifying data on disk, but “live” data is lost forever.
  11. 11. LIVE FORENSICS O Focuses on extracting and examination of the volatile forensic data that would be lost on power off O A live acquisition copies the data using the suspect’s (operating) system O Live forensics is not a “pure” forensic response as it will have minor impacts to the underlying machine’s operating state – The key is the impacts are known
  12. 12. LIVE FORENSICS O Often used in incident handling to determine if an event has occurred O May or may not proceed a full traditional forensic analysis O If you work on a suspect’s system you should boot/use trusted tools (e.g. CD, USB stick):
  13. 13. LIVE FORENSICS THE IMAGE WILL HAVE NO AUTHENTICITY No two images can have the “same hash value”
  14. 14. Forensic Response Principles – Maintain forensic integrity – Require minimal user interaction – Gather all pertinent information to determine if an incident occurred for later analysis - Enforce sound data and evidence collection
  15. 15. Methodology ACQUIRE CONTEXT ANALYSE •Capture RAM Memory •Find Memory Offsets and establish contexts •Analyse data and recover evidence
  16. 16. In MEMORY data?? O Current running processes and terminated processes. O Open TCP/UDP ports/raw sockets/active connections. O Caches O -Web addresses, typed commands, passwords, clipboards, SAM databases, edited files. O Memory mapped files O -Executable, shared, objects(modules/drivers), text files.
  17. 17. DEMO O Collecting Memory dumps: DUMPIT by MOONSOLS O Analysing Memory dumps: WinHex and Volatility Framework 2.3
  18. 18. और कोई सवाल