Memory Forensics :: Treasure Hunt inside 0’s and 1’s ::

Hey Fellas,

Many times, my friends and colleagues have asked me about the how-to's of memory forensics, and what it is that one can finally get out of it.

In the year 2006/2007, I was able to extract the WinZip password of a given archive from memory.

There are many applications currently in use (I don't want to name them specifically); again, you can call it a treasure hunt.

There was a demonstration in 2007/2008 by students of Princeton University, which can be found here:

https://citp.princeton.edu/research/memory/

It showed how one can easily find and recover the encryption keys of whole-disk / full-disk encryption (WDE/FDE) software from memory.

Here, however, we will be focusing on memory forensics and analysis.

So, first things first…

Acquiring the volatile memory contents of a system is a relatively new practice when it comes to collecting volatile data. It is only in recent years that we have learned how to analyze this data in order to extract the valuable information contained within volatile memory.

The treasure, i.e. the valuable data that can be found inside memory, includes the following (but is not limited to it):

  • Unencrypted passwords
  • Current processes and loaded DLLs
  • Network connections / sockets
  • Registry entries / hives that were loaded at the time the memory dump was taken
  • Malware, adware and keyloggers: their traces, handles and hooks into the kernel

For acquiring this memory dump, there are a lot of tools available, such as:

FTK Imager, DumpIt, FastDump, dd, MemDump, etc.

There are also some FireWire-based techniques; however, not all servers or desktops have FireWire enabled or physically wired from the motherboard to the cabinet, and on some it simply does not exist.
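As an added example (not from the original post), here is a small Python triage script of the kind used in the treasure hunt described above: it scans a raw memory image for printable ASCII and UTF-16LE strings (Windows stores many of its strings in UTF-16LE) and flags the plaintext credential and network socket indicators listed above. The sample dump bytes and the regex patterns are constructed for illustration and are not from any real image.

```python
import re

# Constructed sample of a raw memory image (not a real dump): binary
# padding, an ASCII credential string, a UTF-16LE file name as Windows
# stores many of its strings, and an ASCII socket address.
SAMPLE_DUMP = (
    b"\x00\x00\x90\x90\xff"
    + b"Password=hunter2\x00\x00"
    + "archive.zip".encode("utf-16-le") + b"\x00\x00"
    + b"10.0.0.5:443\x00"
    + b"\x7f\x13ab"          # too short to count as a string
)

def extract_strings(data, min_len=6):
    """Return (offset, encoding, text) for every printable run of at
    least min_len characters, in ASCII and UTF-16LE (like `strings -el`)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)

# Indicators the post lists as recoverable from memory: plaintext
# credentials and network endpoints. Patterns are illustrative only.
CRED_RE = re.compile(r"(?i)\b(pass(word|wd)?|pwd|secret)\s*[=:]\s*(\S+)")
SOCKET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")

def triage(data, min_len=6):
    """Sort the extracted strings into credentials, sockets and other."""
    hits = {"credentials": [], "sockets": [], "other": []}
    for off, enc, text in extract_strings(data, min_len):
        if CRED_RE.search(text):
            hits["credentials"].append((off, enc, text))
        elif SOCKET_RE.search(text):
            hits["sockets"].append((off, enc, text))
        else:
            hits["other"].append((off, enc, text))
    return hits

if __name__ == "__main__":
    # On a real image: triage(open("memory.raw", "rb").read())
    for kind, items in triage(SAMPLE_DUMP).items():
        for off, enc, text in items:
            print(f"{kind:11} 0x{off:08x} {enc:8} {text}")
```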

Will continue further…

Hope this helps!

Thanks

Nitin Kushwaha

RHCSA.RHCE.CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL
