Welcome to the Live Memory Forensics class! This is an introduction to live memory forensics It is designed for the investigator who has digital forensic experience, and who has intermediate ability with the Microsoft Windows operating system

1. Mehedi Hasan
Cyber Security and Digital forensic specialist

2.  Welcome to the Live Memory Forensics class!
 This is an introduction to live memory forensics
 It is designed for the investigator who has digital
forensic experience, and who has intermediate
ability with the Microsoft Windows operating
system

3.  Your Instructor is Mehedi Hasan.

4.  Module 1 – Live Memory Basics
 Module 2 – Windows Memory Model
 Module 3 – Live Memory Acquisition
 Module 4 – Introduction to FastDump Pro
 Lab 1 – Creating a Memory Dump File using FDPro
 Module 5 – Webmail Investigation
 Lab 2 – Creating a New Physical Memory Snapshot
Project
 Lab 3 – Webmail Investigation

5.  What is live memory?
 How to recognize it?
 How does it work?
 How is it organized?

6.  What is Live Memory?
 Live memory is the random access memory
(99.99999% of the time) used by the CPU to store
data and programs that it manipulates.
 There are different types of memory…

7.  Types of Memory used?
 RAM (random-access memory): This is the main
memory. RAM is volatile memory, which means that
it requires power and refresh to maintain its
contents.
 ROM (read-only memory): Systems usually contain
some read-only memory that holds instructions for
booting up the computer. ROM memory cannot be
changed, it is non-volatile.
 PROM (programmable read-only memory): A
PROM is essentially a ROM memory chip which you
program out of the factory once. Like ROMs, PROMs
are non-volatile.

8.  Types of Memory used?
 EPROM (erasable programmable read-only
memory): An EPROM is a special type of PROM that
can be erased by exposing it to ultraviolet light.
 EEPROM (electrically erasable programmable read-
only memory): An EEPROM is a special type of
PROM that can be erased by a special electrical
charge.
 CMOS (Complimentary Metal Oxide
Semiconductor) CMOS usually refers to the non-
volatile RAM (NVRAM).

9.  Random access memory (RAM) memory is
made of a transistor and a capacitor.
 A good jury description would be a bucket that
holds water (the charge). However the bucket
has a small hole and constantly loses water. To
keep the bucket full, every so often you have to
keep pouring water into the bucket, this is
called “Refresh”.

10.  The faster the memory loses charge, and the
faster it can be recharged, determines the
memory speed.

12.  Memory is written one byte at time
 Power is applied to the two connections, and
charges the memory cell
0 0 0 0 0 0 0 0

13.  Byte value = 10010101
1 0 0 1 0 1 0 1

14.  Byte value = 11001000
1 1 0 0 1 0 0 0

15.  Byte value = 00001000
0 0 0 0 1 0 0 0

16.  Byte value = 00110001
0 0 1 1 0 0 0 1

17.  The CPU reads and writes to RAM (technically,
the CPU reads and writes to Cache, that then
reads and writes to RAM)
 Every memory location has a unique address
 This leads us into the murky world of how
Microsoft Windows manages memory (more
on this later…)

18. Section 2

19.  Physical Memory refers to the hardware view
of memory
 Only one view of physical memory
 Virtual Memory refers to virtualized OS views
of memory
 There can be many different virtual memory spaces

20. Virtual Memory
Physical Memory
Memory (RAM)
Operating System

21.  Can provide process memory isolation
(security)
 Allows more “logical” memory by increasing
the addressable space (each 32-bit process gets
its own 4GB of virtual memory).
 When combined with paging, can increase the
total available memory (more on this later).

22.  Sum of all virtual memory
2 GB Memory (RAM)
4GB 4GB 4GB 4GB 4GB 4GB
Physical Memory
Virtual Memory
6 x 4GB = 24 GB of Logical Memory
OS

23.  The upper 2GB* of
every Virtual Memory
space is reserved for
the Windows Kernel
to use. It is not
accessible to user
mode processes.
 * Note: except with the rarely used /3GB
switch
0 GB
4 GB
2 GB
Kernel Memory
User Memory

24.  The OS utilizes CPU features to create page
directories and page tables which can be used
to divide physical memory among multiple
virtual memory spaces

25. PhysicalMemory
Virtual Memory for Process A
Virtual Memory for Process B
Virtual Memory for Process C
PageDirectoriesandPageTables
0 GB
2 GB
0 GB 4 GB
0 GB
0 GB
4 GB
4 GB

26.  Paging to the hard disk drive (SLOW!)
 Pagefile.sys

27.  When Physical Memory is getting full, the least
used pages of memory are written to disk
 When those pages are needed again, they are
read back into Physical Memory and some
other pages are written to disk. This is called
Swapping.
 Swapping reduces system performance.

29.  To get a complete collection of memory you
need to collect two pieces:
 Physical Memory
 The on-disk pagefile

30.  Programs can allocate virtual memory
dynamically
 The size can range from a single byte to several
GBs (or 8192 GBs in x64 OS versions)

31.  The Windows kernel uses a data structure
known as Virtual Address Descriptors (VADs)
to track virtual memory allocations
 Responder™ combines this information with
page table data for each process, and displays it
in the Memory Map detail panel

32. Memory Block
Individual Pages for this Block
Block Length
Unreferenced Pages

33. Section 3

34.  Goal – Be minimally invasive to suspect machine
1. DO NOT acquire RAM to the local system hard drive
 Invasive – possibly destroy important data
2. Use external thumb drive – (USB Mass Storage Device)
3. Image the RAM to sterile media
 Freshly wiped drive preferably with all zeros.
 Reformat the drive to NTFS
 FAT32 file system has 2GB file size limitation
 FDPro cannot split up the file into chunks
 Generate MD-5 hash at time of collection – save with memory
image
 Used to verify integrity of file to that point in time.

35.  Software creates a “smear” image
 Not a “true” duplicate image
 This process is not reproducible
 In order to create a “true” image
 Hardware is required
 Virtualization can “pause” the processor
 Crash Dump
 Hibernation file (hiberfil.sys)

36.  Software used to dump physical RAM
 HBGary FastDump™ and FastDump™ Pro
 Fastdump (free)
 Windows 2000 – 2008 Server, Windows 7
 32-bit
 6GB maximum file size
 FastDump™ Pro
 Windows 2000 – 2008 Server, Windows 7
 32- and 64-bit
 64GB+ tested maximum file size

37.  When collecting the tools to image live
memory, you need to anticipate the likely
possibilities of what you will encounter on the
source end.
1. Will your imaging tool run on the source computer
(the computer where you want to image the live
memory)?
2. Will the destination storage device be recognized by
the source computer? Can you save the image on a
storage device?

38.  Is there a way to run FastDump Pro?
 USB 1.1, 2.0 or 3.0 port
 Place FastDump Pro on a USB storage device such as a
thumb drive, or external USB hard drive.
 CD/DVD-ROM drive
 Place FastDump Pro on a CD/DVD-ROM. It does not
have to be bootable.

39.  Is there a way to run FastDump Pro?
 FireWire port – 400/800
 Place FastDump Pro on a external FireWire hard drive
 PCMCIA or CardBus port
 Place FastDump Pro on a CardBus flash card or hard
drive. There are several cards that use a Compact Flash
media card for storage.
© 2010

40.  Does it have a way to attach a storage device for
memory dumping?
 The amount of storage should be 10-15% larger than
the biggest amount of memory you expect the
computer to have.
 In today’s world (the year 2012) 8GBs is safe.
 Keep in mind you should have something that has
more than 8GBs to call on when needed.
 Speed can also be an issue
 Thumb drives can be slow

41.  Windows does not create files larger than 4GBs on
Windows 2000 or Windows XP operating systems
using FAT32.
 FAT32 has a limit of 4GBs for a single file
 Format your destination drive with NTFS if possible.
 Carry a second drive with FAT32 formatting

42.  Buy a moderately fast USB 4-8GB thumb drive. It
should conform to the USB Mass Storage
specification.
 Format it with NTFS and place FDPro.exe on it.

43. Section 4

44.  FastDump Pro™ (FDPro™) is a command-line
based memory dumping utility that comes
packaged with both the Responder™
Professional and the Responder™ Field
products. A copy of FDPro.exe is located in the
FastDump folder in the directory where
Responder™ is installed on the local hard
drive.

45.  FDPro™ supports:
 all versions of the Windows™ operating systems
and service packs (2000, XP, 2003, Vista, 2008 Server,
7) 32- and 64-bit, including systems with more than
4GBs of RAM (up to 64GBs of RAM).
 acquisition of the Windows™ pagefile included with
the acquisition of RAM.
 a variety of memory probing features that can assist
with malware analysis.

46.  To peform a RAM dump:
 Command: fdpro.exe c:memdump.bin
 Action: FDPro.exe acquires the local system physical
memory to the file c:memdump.bin in
literal/standard .bin format using the default 1MB
read/write sizes.
 Command: fdpro.exe c:memdump.bin –
strict
 Action: FDPro.exe acquires the local system physical
memory to the file c:memdump.bin in
literal/standard .bin format using the strict 4kb
read/write sizes.

47.  To perform a RAM and Pagefile dump:
 Command: fdpro.exe c:memdump.hpak
 Action: FDPro.exe acquires the local system memory
into the HPAK archive file c:memdump.hpak using
the default 1MB read/write sizes
 Command: fdpro.exe c:memdump.hpak –
strict
 Action: FDPro.exe acquires the local system memory
into the HPAK archive file c:memdump.hpak using
the strict 4kb read/write sizes

48.  The goal of Process Probe is to force all executable code
into RAM for one or all processes on the system.
 This includes code that is swapped out to the
Pagefile.sys, and code still contained in the executable
on disk but not in use. This code is called into RAM
prior to the acquisition of physical memory.

49.  Because Process Probe provides the
investigator with a more accurate and complete
picture of the executable code and the data.
 The process probe feature allows the
investigator to control what memory is “paged-
in” to RAM from SWAP and the File System
before FDPro performs RAM acquisition.
 The Probe feature even forces code from the file
system into RAM for a specific process.

50.  User Process Probe
during any LIVE
network intrusion
investigation,
malware analysis
case, or computer
forensic investigation
where the running
applications on the
computer could play a
role
 . Applications include:
 Instant messengers
 IP telephony
 Internet browsers
 Malware
 Encryption applications
 Databases
 Media players
 Encrypted data
 Passwords
 Unencrypted chat sessions
 Documents
 Emails
 Internet searches
 Internet postings
 Password protected websites

51.  When using the –probe smart feature,
FDPro.exe walks the entire process list and
makes sure all code is called into RAM,
resulting in the ability to recover almost 100%
of the user-land process memory by causing
these pages to be activated and paged-in on the
fly.

52.  Forensic best practices dictate that an
investigator or analyst should always acquire
RAM and Pagefile without running the -Probe
Feature.
 After freezing the current state of RAM, the
investigator/analyst should run FDPro again
using the -probe Feature. Even when
grabbing the pagefile, the -probe feature
forces unused code from the file system into
RAM.

53.  Example steps:
1. Arrive at server or workstation suspected in the
computer incident or forensic investigation
2. Collect RAM to “freeze the runtime state of the
machine”. This is a full RAM image with Pagefile
 If you’re doing any sort of malware analysis,
Reverse Engineering, or know for a fact that you
will never have to use the RAM acquisition in
litigation, then you can go ahead and probe –
smart on your very first image to save you time.
 Note: This technique instruments a larger footprint in RAM
than only performing a memory acquisition.

54.  To probe processes into memory and RAM:
 Command: fdpro.exe c:memdump.bin –probe all
 Action: fdpro.exe probes all processes into memory before
acquiring the local system memory into the file
c:memdump.bin
 Command: fdpro.exe c:memdump.bin –probe smart
 Action: fdpro.exe probes only user processes into memory
before acquiring the local system memory into the file
c:memdump.bin
 Command: fdpro.exe c:memdump.bin –probe pid 123
 Action: fdpro.exe probes process with PID 123 into memory
before acquiring the local system memory into the file
c:memdump.bin

55.  Take a snapshot to the local hard drive
 C:fdpro.exe c:RAMdump.bin
 Copy (using drag-and-drop) from VMware
 Field option – take snapshot to USB drive
 Add USB controller via Hardware Panel if needed
 No perturbation of the local hard drive

56.  Complete Lab Exercises 1 & 2
 30 minutes to complete lab exercises

57. Section 5

58.  Goal: Identify artifacts that lead you to other
pieces of information
 Finding bread crumbs, then following the bread
crumbs…

59.  Try to find objects and artifacts that tell you:
 Who, What, Where, When, Why, How

60. Who?
• Names of People
•Email addresses
What?
•Project Names
•Filenames
•File format(s)
•Usernames
•Passwords
When?
• Dates
• Times
Where?
• Domains
• URLs
How?
Carefully
create a
search term
list
Spending time
up front can
save lots of time
on the back end

61.  Approach:
 Knowledge is helpful…
 Google: “skype”
 What is it?
 How is it used? How does it work?
 Why is my suspect using it?
 Is there data in memory that might not be available by
performing disk based forensics?

62. • Create a list of things you know
 Names involved in the investigation
 Domain names
 Project names
 Filenames
 Websites
 Applications in question
 Office applications
 Internet browser
 Encryption
 Chat

63.  Start with the browsers…
 Internet Explorer
 Firefox
 Opera
 Google Chrome

64.  Then go to browser artifacts
 Web sites visited
 Files downloaded
 Dates and timestamps

65.  Things to consider
 Web server applications act differently
 Gmail stores passwords differently than hushmail.

66.  Search terms that can be used
 gmail.com
 @hotmail.com
 @yahoo.com
 @hushmail.com
 Attachment
 &passwd=
 &login=
 messageID=

67.  More…
 Mail applications
 Chat Applications
 Names of Webmail Services
 Email addresses
 Passwords
 Content of emails
 Dates & Time Stamps
 Web Sites Visited – History
 Attachments

68.  First Steps - Browse and collect
 Browse the list of processes and applications
running…
 Do I see internet browsers? Yes.
 Do I see any instant messenger applications?
 Do I see any other applications that might be useful for
my investigation?
 Add Artifacts to your Report
 Export to excel
 Right click send to report

69.  Focus: Intellectual Property Investigation
 Type: Private data sent via Email
 Description: Search for indications of files,
email addresses, and other related info to the
data theft.

70.  Beginning a search based on suspicion
 Press release from competitor having similar data
 Searching for private content
 What do we search for?
 Understanding search hits
 Process name/module/unidentified
 Adding webmail data/artifacts to the report

71.  Beginning a search based on suspicion
 Press release from competitor having similar data
 FIRST - Search for content we know
 We know we are looking for “Pluripotent”
 Searching for email addresses to corroborate
suspicion
 Search terms (@gmail.com, gmailchat=
 Understanding search hits
 Process name/module/unidentified
 SECOND - Search for content we learn
 Adding webmail data/artifacts to the report

72.  Complete Lab Exercise 3
 30 minutes to complete lab exercises