Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxsmile790243
Lecture 09 - Memory Forensics.pdf
L E C T U R E 9
B Y : D R . I B R A H I M B A G G I L I
Memory Forensic Analysis
P A R T 1
RAM overview
Volatility overview
http://www.bsatroop780.org/skills/images/ComputerMemory.gif
Understanding RAM
• Two main types of RAM
– Static
• Not refreshed
• Is still volatile
– Dynamic
• Modern computers
• Made up of a collection of cells
• Each cell contains a transistor and a capacitor
• Capacitors charge and discharge (1 and zeros)
• Periodically refreshed
RAM logical organization
• Programs run on computers
• Programs are made up of processes
– Processes are a set of resources used when executing an
instance of a program
– Processes do not generally access the physical memory directly
– Each process has a �virtual memory space�
• Allows operating system to stay in control of allocating memory
– Virtual memory space is made up of
• Pages (default size 4K)
• References (used to map virtual address to physical address)
• May also have a reference to data on the disk (Page file) – used to
free up RAM memory
RAM logical organization
! Each process is represented by an EPROCESS Block:
Normal memory
• Each process is represented by an _EPROCESS block.
• Contained within each _EPROCESS block is both a pointer to the next process
(fLink – Forward Link) and a pointer to the previous process (bLink – Back Link).
• When OS is operating, the _EPROCESS blocks and their pointers come
together to resemble a chain, which is known as a doubly-linked list.
• Chain is stored in kernel memory and is updated every time a process is
launched or terminated.
• Windows API walks this list from head to tail when enumerating processes via
Task Manager, for example.
Not so normal
• Hides processes from windows API
• Known as Direct Kernel Object Manipulation (DKOM)
• Involves manipulating the list of _EPROCESS blocks to �unlink� a
given process from the list
• By changing the forward link of process 1 to point to the third process,
and changing the �bLink� of process 3 to point to process 1, the
attacker�s process is no longer part of the list of _EPROCESS blocks.
• Since the Windows API uses this list to enumerate processes, the
malicious process will be hidden from the user but still able to operate
normally.
P A R T 2
Introduction to Memory
forensics
Before & Now
! Traditionally
! We have always been told to �pull the plug� on a live system
! This is done so that the reliability of the digital evidence is not
questioned
! Now
! People are considering live memory forensics
" Data relevant to the investigation may lie in memory
" Whole Disk Encryption….
Challenges in traditional method
• High volume of data (Aldestein, 2006)
– Increases the time in an investigation
– Increases storage capacity needed for forensic images
– Number of machines that could be included in th ...
Types of Computer Forensics Technology, Types of Military Computer Forensic Technology, Types of Law Enforcement, Computer Forensic Technology, Types of Business Computer Forensic Technology, Specialized Forensics Techniques, Hidden Data and How to Find It, Spyware and Adware, Encryption Methods and Vulnerabilities, Protecting Data from Being Compromised Internet Tracing Methods, Security and Wireless Technologies, Avoiding Pitfalls with Firewalls Biometric Security Systems
Automated Live Forensics Analysis for Volatile Data AcquisitionIJERA Editor
The increase in sophisticated attack on computers needs the assistance of Live forensics to uncover the evidence
since traditional forensics methods doesn’t collect volatile data. The volatile data can ease the difficulty towards
investigation in fact it can provide investigator with rich information towards solving a case. Here we are trying
to eliminate the complexity involved in normal process by automating the process of acquisition and analyzing
at the same time providing integrity towards evidence data through python scripting.
Fusing digital forensics, electronic discovery and incident responseDr. Richard Adams
The background to the dawn of the Forensic Discovery Tool - no longer requiring a human to be directly involved in the collection of potential evidence. Collections take place in parallel on the target machines without the need to install an agent. All files are reviewed rather than only those that are recognised. Email is processed on the target including all attachments. Scanned documents are identified and collected. Covert mode hides everything from the end user. Forensic artifacts collected (such as RAM, page files and registry) from running machines.
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxsmile790243
Lecture 09 - Memory Forensics.pdf
L E C T U R E 9
B Y : D R . I B R A H I M B A G G I L I
Memory Forensic Analysis
P A R T 1
RAM overview
Volatility overview
http://www.bsatroop780.org/skills/images/ComputerMemory.gif
Understanding RAM
• Two main types of RAM
– Static
• Not refreshed
• Is still volatile
– Dynamic
• Modern computers
• Made up of a collection of cells
• Each cell contains a transistor and a capacitor
• Capacitors charge and discharge (1 and zeros)
• Periodically refreshed
RAM logical organization
• Programs run on computers
• Programs are made up of processes
– Processes are a set of resources used when executing an
instance of a program
– Processes do not generally access the physical memory directly
– Each process has a �virtual memory space�
• Allows operating system to stay in control of allocating memory
– Virtual memory space is made up of
• Pages (default size 4K)
• References (used to map virtual address to physical address)
• May also have a reference to data on the disk (Page file) – used to
free up RAM memory
RAM logical organization
! Each process is represented by an EPROCESS Block:
Normal memory
• Each process is represented by an _EPROCESS block.
• Contained within each _EPROCESS block is both a pointer to the next process
(fLink – Forward Link) and a pointer to the previous process (bLink – Back Link).
• When OS is operating, the _EPROCESS blocks and their pointers come
together to resemble a chain, which is known as a doubly-linked list.
• Chain is stored in kernel memory and is updated every time a process is
launched or terminated.
• Windows API walks this list from head to tail when enumerating processes via
Task Manager, for example.
Not so normal
• Hides processes from windows API
• Known as Direct Kernel Object Manipulation (DKOM)
• Involves manipulating the list of _EPROCESS blocks to �unlink� a
given process from the list
• By changing the forward link of process 1 to point to the third process,
and changing the �bLink� of process 3 to point to process 1, the
attacker�s process is no longer part of the list of _EPROCESS blocks.
• Since the Windows API uses this list to enumerate processes, the
malicious process will be hidden from the user but still able to operate
normally.
P A R T 2
Introduction to Memory
forensics
Before & Now
! Traditionally
! We have always been told to �pull the plug� on a live system
! This is done so that the reliability of the digital evidence is not
questioned
! Now
! People are considering live memory forensics
" Data relevant to the investigation may lie in memory
" Whole Disk Encryption….
Challenges in traditional method
• High volume of data (Aldestein, 2006)
– Increases the time in an investigation
– Increases storage capacity needed for forensic images
– Number of machines that could be included in th ...
Types of Computer Forensics Technology, Types of Military Computer Forensic Technology, Types of Law Enforcement, Computer Forensic Technology, Types of Business Computer Forensic Technology, Specialized Forensics Techniques, Hidden Data and How to Find It, Spyware and Adware, Encryption Methods and Vulnerabilities, Protecting Data from Being Compromised Internet Tracing Methods, Security and Wireless Technologies, Avoiding Pitfalls with Firewalls Biometric Security Systems
Automated Live Forensics Analysis for Volatile Data AcquisitionIJERA Editor
The increase in sophisticated attack on computers needs the assistance of Live forensics to uncover the evidence
since traditional forensics methods doesn’t collect volatile data. The volatile data can ease the difficulty towards
investigation in fact it can provide investigator with rich information towards solving a case. Here we are trying
to eliminate the complexity involved in normal process by automating the process of acquisition and analyzing
at the same time providing integrity towards evidence data through python scripting.
Fusing digital forensics, electronic discovery and incident responseDr. Richard Adams
The background to the dawn of the Forensic Discovery Tool - no longer requiring a human to be directly involved in the collection of potential evidence. Collections take place in parallel on the target machines without the need to install an agent. All files are reviewed rather than only those that are recognised. Email is processed on the target including all attachments. Scanned documents are identified and collected. Covert mode hides everything from the end user. Forensic artifacts collected (such as RAM, page files and registry) from running machines.
Similar to computerforensics-140529094816-phpapp01 (1).pdf (20)
Explore our comprehensive data analysis project presentation on predicting product ad campaign performance. Learn how data-driven insights can optimize your marketing strategies and enhance campaign effectiveness. Perfect for professionals and students looking to understand the power of data analysis in advertising. for more details visit: https://bostoninstituteofanalytics.org/data-science-and-artificial-intelligence/
Opendatabay - Open Data Marketplace.pptxOpendatabay
Opendatabay.com unlocks the power of data for everyone. Open Data Marketplace fosters a collaborative hub for data enthusiasts to explore, share, and contribute to a vast collection of datasets.
First ever open hub for data enthusiasts to collaborate and innovate. A platform to explore, share, and contribute to a vast collection of datasets. Through robust quality control and innovative technologies like blockchain verification, opendatabay ensures the authenticity and reliability of datasets, empowering users to make data-driven decisions with confidence. Leverage cutting-edge AI technologies to enhance the data exploration, analysis, and discovery experience.
From intelligent search and recommendations to automated data productisation and quotation, Opendatabay AI-driven features streamline the data workflow. Finding the data you need shouldn't be a complex. Opendatabay simplifies the data acquisition process with an intuitive interface and robust search tools. Effortlessly explore, discover, and access the data you need, allowing you to focus on extracting valuable insights. Opendatabay breaks new ground with a dedicated, AI-generated, synthetic datasets.
Leverage these privacy-preserving datasets for training and testing AI models without compromising sensitive information. Opendatabay prioritizes transparency by providing detailed metadata, provenance information, and usage guidelines for each dataset, ensuring users have a comprehensive understanding of the data they're working with. By leveraging a powerful combination of distributed ledger technology and rigorous third-party audits Opendatabay ensures the authenticity and reliability of every dataset. Security is at the core of Opendatabay. Marketplace implements stringent security measures, including encryption, access controls, and regular vulnerability assessments, to safeguard your data and protect your privacy.
2. Computer forensics
definitions
Need for computer forensics
Cyber crime
Types of computer forensics
Components & steps in
computer forensics
Principle of exchange
Brief description of digital
evidence
Metadata, slack space, swap
files & unalloacted space
Forensic server
Initial response
Creating a forensic image
Computer forensic
methodology
Computer forensic toolkit
Encase by guidance
software
Methods to hide data
Pros & cons of computer
forensics.
3. Computer forensics
is the process of
identifying ,
preserving ,
analyzing and
presenting the
evidence in a manner
that is legally
acceptable.
Computer forensics
is the application of
computer
investigation &
analysis in the
interest of
determining potential
legal evidence.
4. The need of computer forensics in the present age
can be considered as much severe due to the
internet advancements and the dependency on the
internet. The people that gain access to the
computer systems without proper authorization
should be dealt in.
Cyber crime rates are accelerating and computer
forensics is the crucial discipline that has the
power to impede the progress of these cyber
criminals.
8. Open a case
Acquire the evidence
Create a forensic image
Index & catalogue the evidence
Analyze the data(evidence)
Save evidence to viewable drive
Create a report of findings
Admissible your report of findings to legal
proceedings.
9.
10. When seizing a stand alone computer at the crime
scene:
if the computer is “POWERED OFF” , do not
turn It ON.
if the computer is “POWERED ON” , do not
turn it OFF & do not allow any suspect or
associate to touch it.
11.
12. “..when a person commits a crime
something is always left at the
scene of the crime that was not
present when the person arrived.”
13. Volatile
any data that is stored in memory or exist in transit and
will be lost when the computer is turned off.
Volatile data might be key evidence, so it is important
that if the computer is on at the scene of the crime it
remain on.
Persistent
that data which is stored on a hard drive or another
medium and is preserved when the computer is turned
off.
14. Some forms of digital evidence are:-
Present / Active (doc’s, spreadsheets, images,
email, etc.)
Archive (including as backups)
Deleted (in slack and unallocated space)
Temporary (cache, print records, Internet usage
records, etc.)
Encrypted or otherwise hidden
Compressed or corrupted
15. DIGITAL EVIDENCE is fragile.
DIGITAL EVIDENCE is easily altered if not
handled properly.
Simply turning a computer on or operating the
computer changes and damages evidence.
Even the normal operation of the computer can
destroy computer evidence that might be lurking in
unallocated space, file slack, or in the Windows
swap file.
16. 1.Before touching the
computer, place an
unformatted or blank
floppy disk or attach an
external device to copy
all the data, and write
detailed notes about
what is on the
computer’s screen.
17. 2.Photograph the back of
the computer & everything
that is connected to it.
3. Photograph and label the
back of any computer
components with existing
connections to the
computer.
18. o If u do not have a
computer specialist
on the scene, the
safest way to turn off
a computer is to pull
the plug from the
back of the
computer.
o Disconnect all power
sources; unplug the
power cords from the
wall and the back of
the computer.
Notebook computers
may need to have
their battery
removed.
19. The following are the digital evidences always
found at a crime scene system & are the most
important part of investigation.
These include:
metadata
Slack space
Swap files
Unallocated space
20. Metadata is data about data.
Metadata is information embedded in the file itself
that contains information about the file.
Metadata does contain useful information about file
but it is limited.
Example:-author
file name , size , location
File properties
Might contain revision comments etc.
21. Space not occupied by an active file, but not
available for use by the operating system.
Every file in a computer fills a minimum amount
of space.
slack space results when file systems create a
cluster (Windows) or block (Linux) but do not
necessarily use the entire fixed length space that
was allocated.
Clusters are form because of collection of garbage
and dangling references.
22.
23. The swap file is a hidden system file that is used
for virtual memory when there is not enough
physical memory to run programs.
Space on the hard drive is temporarily swapped
with the RAM as programs are running.
This swap file contains portions of all documents
and other material a user produces while using the
computer.
24. When a user deletes a file, it is flagged as no
longer needed, but it remains on the system
until it is overwritten.
The remaining files are in unallocated disk
space, where clusters/blocks are not assigned
but may contain data.
25.
26. PHYSICAL
INVESTIGATION
It includes identifying or
locating physical
evidence such as
removal of computer
hardware or making
attempts to reach
connected physical
devices.
LOGICAL
INVESTIGATION
It is referred to as digital
investigation it means
analyzing file & data in
the system. It requires a
well defined security
policy.
27.
28. Forensic server is a system which contains forensic
toolkits for investigation with dual-bootable
window/linux installed.
The activities performed in a forensic analysis may
easily tax the average computer.
It is desirable to have as much physical RAM, as well
as a fast processor , enough drive space to hold the
operating system, several forensic tools, as well as all
of the forensic images collected from the subject’s
computer.
29. The first activity performed by law enforcement at a
physical crime is to restrict access by surrounding the
crime scene with yellow tape.
The second rule is to document the crime scene and all
activities performed.
Bag-and-tag of all potential evidence.
Search for ‘sticky notes’ or any other written
documentation near the computer.
Take any computer manuals in case they are needed for
reference back at the forensics lab.
30. The first step after acquiring digital
evidence is to create an exact physical
copy of the evidence. This copy is often
called a bit-stream image, forensic
duplicate, or forensic image. Creating a
forensic image is important for a legal
standpoint, courts look favorably upon
forensic images because it demonstrates
that all of the evidence was captured.
31. shut down the computer.
Document the hardware configuration of the system.
Transport the computer system to a secure location.
Make bit stream back ups of hard disk and floppy disk.
Mathematically authenticate data on all storage
devices.
Document the system date and time.
Make a list of key search words.
Evaluate the window swap file.
Evaluate file slack.
Evaluate unallocated space.
32. Search file slack and unallocated space for key words.
Document file names, dates and times.
Identify file, program and storage anomalies.
Evaluate program functionally.
Document every activity and findings.
33. EnCase by Guidance Software
Forensic Tool Kit by Access Data
SMART by ASR Data
The Sleuth kit(TSK)
ProDiscover by technology pathways
The image master
Data and password recovery toolkit
Maresware by Mares & Associates
DataLifter by StepaNet Communications
34. EnCase is considered as the leader in stand-alone
forensic analysis.
This means it is a bundled software package that
provides multiple forensic tools within the box.
EnCase is Windows-based and can acquire and
analyze data using the local or network-based
versions of the tool.
EnCase can analyze many file system formats,
including FAT, NTFS, Ext2/3, CD-ROMs, and
DVDs. EnCase also supports Microsoft Windows
dynamic disks.
35. EnCase allows you to list the files and directories,
recover deleted files, conduct keyword searches,
view all graphic images, make timelines of file
activity, and use hash databases to identify known
files.
It also has its own scripting language, called
EnScript, which allows you to automate many
tasks.
The EnCase Enterprise Edition is a network
enabled incident response system which offers
immediate and complete forensic analysis.
36. Some of its impressive features are:-
Enterprise Edition – Centralized monitoring and
real-time investigation.
Snapshot – Capture of RAM contents, running
programs, open files and ports.
Organizes results into case file & provides case
management for multiple cases.
Maintains chain of custody.
Tools for incident response to respond to emerging
threats.
Supports real-time and post-mortem investigations.
37. It consists of three components:
The first of these components is the Examiner
software. This software is installed on a secure system
where investigations are performed.
The second component is called SAFE, which stands
for Secure Authentication of EnCase. SAFE is a server
which is used to authenticate users, administer access
rights, maintain logs of EnCase transactions, and
provide for secure data transmission.
The final component is Servlet, an efficient software
component installed on servers to establish
connectivity between the Examiner, SAFE, and the
devices being investigated.
38.
39.
40.
41.
42.
43.
44.
45. Encryption
Using a key algorithm to convert simple text into
cipher text.
Changing the file extension
changing a .docx to .jpg file.
Steganography
Steganography simply takes one piece of
information and hides it within another. Computer
files, such as images, sound recordings, and slack
space contain unused or insignificant areas of data.
46.
47.
48.
49. With its help, we can
catch criminal.
Can prevent data theft.
Recover hidden &
deleted files.
Computer forensics
ethics let the
investigation process
remain in legal rules &
laws.
Privacy of client is
compromised.
some sensitive data or
information that is
important to the client
may be lost in order to
find the evidence.
It is an expensive
process.