Many times, friends and colleagues have asked me about the how-to's of memory forensics, and what it is that one can actually get out of it.
In 2006/2007, I was able to extract the WinZip password of a given archive from memory.
There are many applications currently in use that leave such data behind in memory; I don't want to name them specifically, but again, you can call it a treasure hunt.
There was also a demonstration in 2007/2008 by students of Princeton University (the "cold boot" attack), which can be found here.
It showed how one can find and recover the encryption keys of whole-disk / full-disk encryption (WDE/FDE) software from the contents of RAM, because the keys have to be held in memory in a recognisable form while the encrypted volume is mounted.
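To make the key-recovery point concrete, here is an added example (my own code, not the Princeton team's tools) of the technique their work popularised: a running AES implementation keeps the expanded key schedule in RAM, and that schedule is self-consistent, so every 16-byte window of a dump can be tested by expanding it and comparing the result with the 160 bytes that follow. Random data fails at the first derived word, so the scan stays cheap. The "memory image" below is constructed (deterministic filler with two key schedules planted at chosen offsets), and the FIPS-197 key is only there as a known-answer check; nothing here comes from a real dump.

```python
"""Locate AES-128 keys in a raw memory image by matching the expanded key schedule.

Added example; the sample image built below is constructed, not a real dump.
"""
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1                      # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                            # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                 # zero has no inverse; only the affine constant remains
    return sbox


SBOX = _build_sbox()


def _schedule_words(key):
    """Yield the 44 four-byte words of the AES-128 key schedule (FIPS-197, section 5.2)."""
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    yield from w
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])          # RotWord then SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]                    # xor with Rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
        yield w[-1]


def expand_key_128(key):
    """Return the full 176-byte AES-128 key schedule for a 16-byte key."""
    return b"".join(_schedule_words(key))


def find_aes128_keys(image, step=1):
    """Return (offset, key) for every 176-byte window of `image` that is a
    self-consistent AES-128 key schedule. The first derived word is compared
    before anything else, so random bytes are rejected after one SubWord."""
    hits = []
    for off in range(0, len(image) - 176 + 1, step):
        for i, word in enumerate(_schedule_words(image[off:off + 16])):
            if image[off + 4 * i:off + 4 * i + 4] != word:
                break
        else:
            hits.append((off, bytes(image[off:off + 16])))
    return hits


# Known-answer key from FIPS-197 Appendix A.1; the second key is arbitrary.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SECOND_KEY = bytes(range(16))
KEY_OFFSETS = {0x3000: FIPS_KEY, 0xA000: SECOND_KEY}


def build_sample_image(size=64 * 1024, seed=2007):
    """Constructed 64 KiB 'memory image': deterministic filler with two expanded
    key schedules planted at known offsets, standing in for a crypto driver's
    round-key buffers."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    for off, key in KEY_OFFSETS.items():
        image[off:off + 176] = expand_key_128(key)
    return bytes(image)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key schedule at 0x{off:06x}: key = {key.hex()}")
```

On a real image you would feed the file contents to `find_aes128_keys` (reading it in chunks that overlap by 176 bytes), and extend the same idea to AES-192/256 by checking 208- and 240-byte schedules. The caveat the cold boot paper itself makes applies: bits decay once power is cut, so a tolerant matcher that accepts a few flipped bits in the schedule finds keys an exact comparison like this one misses.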
However, we will be focusing on memory forensics and analysis here.
So, first things first...
Acquiring the contents of volatile memory from a system is a relatively recent practice when it comes to collecting volatile data, and it wasn't until recent years that we learned how to analyze this data in order to extract the valuable information contained in it.
The treasure, or the valuable data, that can be found inside memory includes the following (and is not limited to it):
- Unencrypted passwords
- Running processes and their loaded DLLs
- Network connections / sockets
- Registry entries / hives that were loaded at the time the memory dump was taken
- Malware, adware and keyloggers: their traces, handles and hooks into the kernel
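The first item on that list is the one my WinZip story is about, so here is an added example (mine, not from any tool) of the simplest form of the treasure hunt: carving printable strings out of a raw image and filtering them for credential-looking patterns. The point a practitioner wants is that Windows user-mode strings are mostly UTF-16LE, so an ASCII-only pass silently misses them; the carver below does both encodings. The "dump" is constructed: random filler with three strings planted at chosen offsets, fenced by zero bytes so they carve cleanly.

```python
"""Carve printable strings (8-bit ASCII and UTF-16LE) from a raw memory image and
flag credential-looking ones. Added example; the sample dump is constructed."""
import random
import re

# Key=value / key: value shapes that often precede a secret in memory.
SECRET_HINT = re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|secret|token)\s*[:=]")


def carve_strings(image, min_len=8):
    """Return sorted (offset, encoding, text) for every printable run of at least
    `min_len` characters, once for 8-bit ASCII and once for UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_re.finditer(image)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in utf16_re.finditer(image)]
    return sorted(hits)


def find_credentials(strings):
    """Keep only the carved strings that look like a credential assignment."""
    return [hit for hit in strings if SECRET_HINT.search(hit[2])]


def _plant(image, off, data):
    """Write `data` at `off`, fenced by two zero bytes on each side so the run
    neither merges with neighbouring filler nor shifts the carved offset."""
    image[off - 2:off + len(data) + 2] = b"\x00\x00" + data + b"\x00\x00"


def build_sample_dump(size=64 * 1024, seed=2006):
    """Constructed 'memory dump': deterministic random filler plus planted strings."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    _plant(image, 0x2000, b"user=alice&password=Tr0ub4dor&x=1")           # 8-bit form
    _plant(image, 0x5000, "Enter WinZip password: hunter2".encode("utf-16-le"))
    _plant(image, 0x7000, b"ntdll.dll")                                     # ordinary noise
    return bytes(image)


if __name__ == "__main__":
    for off, enc, text in find_credentials(carve_strings(build_sample_dump())):
        print(f"0x{off:06x} [{enc}] {text}")
```

With GNU binutils the equivalent quick look is `strings -a` for the 8-bit pass and `strings -a -e l` for the UTF-16LE pass; run both, or you will conclude the password is not there when it is. Expect plenty of junk runs from code and random data at `min_len` of 8, which is why the filter step matters.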
For acquiring this memory dump, there are a lot of tools available, such as:
FTK Imager, DumpIt, FastDump, dd, MemDump, etc. Keep in mind that any software acquisition tool runs on the live system and therefore alters the very memory it captures, so note the tool, its version and the time of acquisition in your case notes.
There are also some FireWire (IEEE 1394) based techniques, which read memory directly over the bus via DMA without running anything on the target; however, not all servers or desktops have a FireWire port enabled, physically wired from the motherboard to the cabinet, or present at all.
Will continue further…
Hope this helps!