George Mason University 1
Memory Forensics
▪ HW4 ?s
▪ Class Lecture
▪ Memory Acquisition & Analysis
Memory Acquisition
❑ Understand the order of memory volatility
❑ Memory tools for memory access
❑ FTK Imager
❑ Redline
❑ Analyzing memory files
❑ Pagefile – what to look for?
❑ Enumerating memory processes
❑ What does normal look like?
Registers
SRAM (L1, L2, L3, L4 cache)
DRAM (main memory)
Hard drives (SSDs, HDDs)
Tape, Offline Storage
▪ Evolving technology makes acquiring volatile data increasingly necessary:
▪ Binaries that operate primarily (or only) in memory and leave little on disk
▪ Other useful artifacts that reside only in memory
▪ Encryption – disk contents may be unreadable offline, while the keys are in RAM on the running system
▪ Imaging an entire system is too time consuming
▪ [Link] – hibernation file: a compressed copy of physical memory written when the system hibernates (including fast startup / hybrid sleep), not on a plain ‘sleep’, which keeps RAM powered
▪ [Link] – virtual memory (paging) file: when a process needs more RAM than is available, pages are evicted from RAM and written here, so fragments of process memory persist on disk
▪ [Link] – same idea as the paging file; the term is primarily used on Linux rather than Windows, where it is usually a dedicated swap partition or swap file
▪ FTK Imager – Exterro
▪ dd / dcfldd (raw copy of a memory device on Linux; modern kernels restrict /dev/mem, which is why a kernel-module approach such as LiME is usually needed)
▪ Redline
▪ Volatility (memory analysis)
▪ Linux Memory Extractor** (LiME)
▪ Google Rapid Response (GRR)
▪ And many others…
* Memory tools may not work the same from one OS version to the next, because OS updates can change how memory is organized (structure offsets, kernel symbols); verify the tool against the target’s exact build before relying on it.
** Implemented as a Loadable Kernel Module (LKM); it must be compiled against the exact kernel version of the target system.
Step 1
▪ Use a memory tool (we’ll be using FTK Imager)
▪ Ensure the files we want are visible
▪ Copy the files to an external drive (i.e., not the system you are collecting from), so the collection itself does not overwrite evidence
Step 2
▪ What to look for:
  ▪ Emails
  ▪ IP addresses
  ▪ Passwords
  ▪ And much more…
▪ 3 collection modes:
  ▪ Standard Collector
  ▪ Comprehensive Collector
  ▪ IOC Search Collector (Windows only)
▪ Output files can be fed into the Volatility framework for analysis*
* As long as a profile exists; you may have to create one for any new or updated OS. (Volatility 2 relies on profiles; Volatility 3 uses symbol tables instead, but still needs them for the target’s exact build.)
▪ Enumerate processes
▪ Aside from the typical:
  ▪ Computer name
  ▪ Passwords
  ▪ IP addresses
  ▪ Etc.
▪ Presence of a VM?
▪ More than one OS found?
▪ What handles¹ are present?
▪ Are there any mutexes² present?
  ▪ Which processes hold which mutex?
▪ In Windows we check:
  ▪ How many lsass processes are there? (there should be only 1)
  ▪ Do we see any misspelled processes?
    ▪ [Link] (caution!) vs. [Link] (we should be good!)
  ▪ What’s the PID for ‘[Link]’? (should always be 4!)
  ▪ What’s the PPID for ‘[Link]’? (should always be [Link]!)
¹ Handle – an abstraction of a resource (file, registry key, mutex, socket, …) that one or more processes may be accessing; the resource itself is managed by the OS (or possibly a database).
² Mutex – essentially a lock that a process (or thread) holds while it accesses a shared resource; only one holder is allowed at a time, and the mutex enforces that. Malware often creates a uniquely named mutex so a second copy of itself does not run, which makes known mutex names a useful indicator.
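The “what does normal look like?” checks above, scripted in Python as an added example (this is not lecture code and not part of Volatility or Redline). It takes the (PID, PPID, name) triples that a process listing such as Volatility’s pslist produces and reports the deviations the slide asks about: more than one lsass.exe, System not at PID 4, smss.exe not parented by PID 4, and process names that are a couple of edits away from a real Windows process name. The PROCS table is constructed; the expected values are standard Windows behaviour and are assumptions about the host being examined.

```python
"""Sanity checks over an enumerated process list ("what does normal look like?").

Added example, not part of the lecture.  Input is the (pid, ppid, name) triple
that Volatility's pslist or Redline's process view gives you; PROCS below is a
constructed list so the script runs offline.  The expected values are standard
Windows behaviour (System is PID 4, smss.exe is a child of System, there is one
lsass.exe) and are assumptions about the host being examined.
"""

# Core Windows process names used to spot typo-squatted look-alikes
KNOWN_NAMES = {
    "System", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "explorer.exe",
}
MAX_EDIT_DISTANCE = 2   # "scvhost.exe" is 2 substitutions away from "svchost.exe"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_processes(procs):
    """Return a list of human-readable findings; an empty list means 'looks normal'."""
    findings = []
    by_name = {}
    for pid, ppid, name in procs:
        by_name.setdefault(name.lower(), []).append((pid, ppid))

    # Exactly one lsass.exe: a second copy is a classic place to hide a credential dumper
    n_lsass = len(by_name.get("lsass.exe", []))
    if n_lsass != 1:
        findings.append(f"{n_lsass} lsass.exe processes (expected exactly 1)")

    # The System process is always PID 4
    for pid, _ppid in by_name.get("system", []):
        if pid != 4:
            findings.append(f"System has PID {pid} (expected 4)")

    # smss.exe is started by System, so its PPID must be 4
    for pid, ppid in by_name.get("smss.exe", []):
        if ppid != 4:
            findings.append(f"smss.exe PID {pid} has PPID {ppid} (expected 4)")

    # Names that are close to, but not exactly, a core Windows process name
    known = {k.lower() for k in KNOWN_NAMES}
    for name in by_name:
        if name in known:
            continue
        for k in known:
            if levenshtein(name, k) <= MAX_EDIT_DISTANCE:
                findings.append(f"{name} looks like {k} (possible misspelled/look-alike process)")
    return findings


# Constructed process list: a normal boot chain plus a second lsass.exe and a
# typo-squatted svchost.exe to trigger the checks.
PROCS = [
    (4, 0, "System"),
    (368, 4, "smss.exe"),
    (520, 512, "csrss.exe"),
    (600, 512, "wininit.exe"),
    (700, 600, "services.exe"),
    (712, 600, "lsass.exe"),
    (880, 700, "svchost.exe"),
    (2244, 880, "lsass.exe"),     # suspicious: second lsass.exe, parented by svchost.exe
    (3100, 2244, "scvhost.exe"),  # suspicious: misspelled svchost.exe
]

if __name__ == "__main__":
    for line in check_processes(PROCS) or ["no findings"]:
        print(line)
```

The look-alike check deliberately compares only names that are not an exact match to the known list, so legitimate names that happen to be near each other (csrss.exe and smss.exe) are not flagged. Feed it real pslist output and expect some noise from third-party software; the point is to surface the handful of entries worth opening in a hex editor or with a handles/mutex scan.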
1. Before you begin – save all of the content you are working on (in case your system crashes during acquisition)
2. Capture the swap (page) file on your system using FTK Imager (see the screenshot on the previous page)
3. Using a hex editor (e.g., HxD), search for:
  ▪ Content you have recently accessed (e.g. [Link], [Link], etc.)
  ▪ Your user name
  ▪ Passwords (try searching for “pass”)
  ▪ Recently run executables
4. Document what you find with one or two screenshots (do not share any sensitive information such as passwords, IP addresses, user names, etc. – redact them in the screenshots)
5. Upload your documentation on BB (under Course Content → Memory Assignment)
6. Your document should be only 0.5 – 1 pages long (including screenshots)
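The hex-editor search in steps 2–3 above, and the “what to look for” list from the acquisition slide (emails, IP addresses, passwords), scripted in Python as an added example that is not part of the lecture material or of any tool it names. It carves printable ASCII and UTF-16LE strings from a raw dump and reports the ones that look like an email address or IPv4 address or contain “pass”, with the byte offset so you can jump to the same spot in HxD. SAMPLE_DUMP is a small constructed byte string standing in for a pagefile export; pass a real file path on the command line to scan one.

```python
"""Carve artefacts out of a raw memory / pagefile dump.

Added example (not from the lecture): reproduces the "search the swap file for
emails, IP addresses, 'pass', user names" step with a script instead of a hex
editor.  A real pagefile or hibernation file is gigabytes; SAMPLE_DUMP below is
a small constructed byte string so the script runs offline.
"""
import re

# Artefact patterns searched for in each carved string (bytes patterns, since
# the dump is raw bytes)
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
IPV4_RE = re.compile(
    rb"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"
)
KEYWORD_RE = re.compile(rb"pass", re.IGNORECASE)   # the "try typing pass" search


def carve_strings(data: bytes, min_len: int = 6):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs.

    Windows keeps much of its in-memory text (user names, paths, GUI input)
    in UTF-16LE, so a plain ASCII 'strings' pass misses it.
    """
    ascii_run = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(ascii_run, data):
        yield m.start(), "ascii", m.group()
    wide_run = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    for m in re.finditer(wide_run, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le").encode("ascii")


def scan_dump(data: bytes, min_len: int = 6):
    """Return {'emails': [...], 'ipv4': [...], 'keyword': [...]}.

    Each hit is (offset_of_string, encoding, decoded string) so an analyst can
    jump to the same offset in HxD / FTK Imager and see the surrounding bytes.
    """
    hits = {"emails": [], "ipv4": [], "keyword": []}
    for off, enc, text in carve_strings(data, min_len):
        rec = (off, enc, text.decode("ascii"))
        if EMAIL_RE.search(text):
            hits["emails"].append(rec)
        if IPV4_RE.search(text):
            hits["ipv4"].append(rec)
        if KEYWORD_RE.search(text):
            hits["keyword"].append(rec)
    return hits


# Constructed stand-in for a pagefile chunk: filler bytes, an ASCII fragment as a
# mail client might leave it, a UTF-16LE fragment as a Windows logon dialog
# might, and a version string whose last group is not a valid octet and so must
# NOT be reported as an IP address.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"From: analyst@example.com\r\nHost: 10.0.0.5\r\n"
    + b"\xff\xfe\x00\x01" * 8
    + "pass=NotARealSecret".encode("utf-16-le")
    + b"\x00" * 8
    + b"svchost.exe v1.2.3.400 build"
    + b"\x00" * 16
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for kind, recs in scan_dump(blob).items():
        for off, enc, text in recs:
            print(f"{kind:8} 0x{off:08x} {enc:9} {text}")
```

Two caveats when running this against a real page file: a string that straddles a page boundary may be split across two non-adjacent pages and show up as two fragments (or not at all), and the “pass” keyword is deliberately broad (it also hits passport, bypass, …), exactly as the hex-editor search in step 3 is. Treat the hits as offsets to inspect, not as conclusions, and keep any real credentials you find out of the write-up.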
▪ Next week’s class will meet virtually via Zoom.
▪ Check BB and email for link
▪ Send me any topics you would like to revisit no later than Monday, May 2, 12 noon (ET)
▪ Time permitting, we may cover these after we have done our last lecture (Python – generators, iterators)
▪ HW4 due next week – NO LATE SUBMISSIONS ACCEPTED
▪ File to analyze before final released next week Thursday (with password)
▪ Final Exam, Thursday, May 12, 2022
▪ Administered on BB from home
▪ Test goes live at 12am (ET)
▪ Time limited (90 minutes) – from the time started
▪ Due by 11:59pm (ET)
Memory volatility
▪ [Link]
▪ [Link]
Memory Tools
▪ [Link]
▪ [Link]
▪ [Link]
▪ [Link]
▪ [Link]
Memory Analysis
▪ Ligh, M. H., Case, A., Levy, J., & Walters, A. (2014). The art of memory forensics: Detecting malware and threats in Windows, Linux, and Mac memory. Wiley.
▪ Arpaci-Dusseau, R. H., & Arpaci-Dusseau, A. C. “Locks.” Operating Systems: Three Easy Pieces, Arpaci-Dusseau Books, Madison, 2018. (mutex reference)
▪ [Link] (what is a handle?)
▪ [Link] (Windows [Link])
▪ [Link] (Windows service host)