आज का आहार
Memory Forensics

Varun Nair
@w3bgiant
#whoami
O Security enthusiast.
O For food and shelter, I work with ZEE TV
O For living, I learn 4N6, Malwares and Reverse
...
If you listen!!!!!
O Forensics Fundamentals
O Action Plan
O Order of Volatility
O Methodologies
O Dead Forensics

O Live F...
ELSE!!!!
Forensics Fundamentals
O Digital forensics (sometimes known as digital forensic

science) is a branch of forensic science ...
Action Plan- First Response
Arrive on
Crime scene

Machine state = OFF

DEAD
FORENSICS

Machine state = ON

LIVE
FORENSICS
Order of Volatility
MOST
…..
LEAST

• CPU, cache and register content
• Routing table, ARP cache, process table,
kernel st...
Forensics Methodologies
O “LIVE” Forensics

O “DEAD” Forensics
DEAD FORENSICS
O The dead analysis is more common to acquire data.
O A dead acquisition copies the data without the

assis...
DEAD FORENSICS
O During data acquisition an exact (typically bitwise)

copy of storage media is created.
O Least chance of...
LIVE FORENSICS
O Focuses on extracting and examination of the

volatile forensic data that would be lost on power
off
O A ...
LIVE FORENSICS
O Often used in incident handling to determine if an

event has occurred
O May or may not proceed a full tr...
LIVE FORENSICS

THE IMAGE WILL HAVE
NO
AUTHENTICITY
No two images can have the “same hash value”
Forensic Response Principles
– Maintain forensic integrity
– Require minimal user interaction
– Gather all pertinent infor...
Methodology
ACQUIRE

CONTEXT

ANALYSE

•Capture
RAM
Memory

•Find
Memory
Offsets
and
establish
contexts

•Analyse
data and...
In MEMORY data??
O Current running processes and terminated

processes.
O Open TCP/UDP ports/raw sockets/active
connection...
DEMO
O Collecting Memory dumps:

DUMPIT by MOONSOLS

O Analysing Memory dumps:

WinHex and Volatility Framework 2.3
और कोई सवाल
Upcoming SlideShare
Loading in …5
×

Memory Forensics

35,657 views

Published on

null Mumbai Chapter Meet - December 2013

Published in: Education, Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
35,657
On SlideShare
0
From Embeds
0
Number of Embeds
320
Actions
Shares
0
Downloads
60
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Memory Forensics

  1. 1. आज का आहार Memory Forensics Varun Nair @w3bgiant
  2. 2. #whoami O Security enthusiast. O For food and shelter, I work with ZEE TV O For living, I learn 4N6, Malwares and Reverse Engineering O Recent developments: O Chapter lead at Null, Mumbai chapter.
  3. 3. If you listen!!!!! O Forensics Fundamentals O Action Plan O Order of Volatility O Methodologies O Dead Forensics O Live Forensics O Demo
  4. 4. ELSE!!!!
  5. 5. Forensics Fundamentals O Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. O "Gathering and analysing data in a manner as free from distortion or bias as possible to reconstruct data or what happened in the past on a system [or a network]“ -Dan Farmer / Wietse Venema
  6. 6. Action Plan- First Response Arrive on Crime scene Machine state = OFF DEAD FORENSICS Machine state = ON LIVE FORENSICS
  7. 7. Order of Volatility MOST ….. LEAST • CPU, cache and register content • Routing table, ARP cache, process table, kernel statistics • Memory • Temporary file system / swap space •Data on hard disk •Remotely logged data •Raw Disk Blocks
  8. 8. Forensics Methodologies O “LIVE” Forensics O “DEAD” Forensics
  9. 9. DEAD FORENSICS O The dead analysis is more common to acquire data. O A dead acquisition copies the data without the assistance of the suspect’s (operating) system. O Analysing a “dead” system that has had it’s power cord pulled.
  10. 10. DEAD FORENSICS O During data acquisition an exact (typically bitwise) copy of storage media is created. O Least chance of modifying data on disk, but “live” data is lost forever.
  11. 11. LIVE FORENSICS O Focuses on extracting and examination of the volatile forensic data that would be lost on power off O A live acquisition copies the data using the suspect’s (operating) system O Live forensics is not a “pure” forensic response as it will have minor impacts to the underlying machine’s operating state – The key is the impacts are known
  12. 12. LIVE FORENSICS O Often used in incident handling to determine if an event has occurred O May or may not proceed a full traditional forensic analysis O If you work on a suspect’s system you should boot/use trusted tools (e.g. CD, USB stick):
  13. 13. LIVE FORENSICS THE IMAGE WILL HAVE NO AUTHENTICITY No two images can have the “same hash value”
  14. 14. Forensic Response Principles – Maintain forensic integrity – Require minimal user interaction – Gather all pertinent information to determine if an incident occurred for later analysis - Enforce sound data and evidence collection
  15. 15. Methodology ACQUIRE CONTEXT ANALYSE •Capture RAM Memory •Find Memory Offsets and establish contexts •Analyse data and recover evidence
  16. 16. In MEMORY data?? O Current running processes and terminated processes. O Open TCP/UDP ports/raw sockets/active connections. O Caches O -Web addresses, typed commands, passwords, clipboards, SAM databases, edited files. O Memory mapped files O -Executable, shared, objects(modules/drivers), text files.
  17. 17. DEMO O Collecting Memory dumps: DUMPIT by MOONSOLS O Analysing Memory dumps: WinHex and Volatility Framework 2.3
  18. 18. और कोई सवाल

×