Memory Forensics
2 likes36,732 views
Varun Nair gave a presentation on memory forensics. He discussed forensic fundamentals like digital forensics involving recovering data from digital devices. He outlined an action plan for responding to incidents, noting the differences between live and dead forensics approaches. For dead forensics, an exact copy is made of storage media with the least chance of modifying data but live data is lost. Live forensics focuses on extracting volatile data and uses the system, but may impact the machine state. He demonstrated collecting memory dumps using DUMPIT and analyzing them using WinHex and Volatility Framework.
![Forensics Fundamentals
O Digital forensics (sometimes known as digital forensic
science) is a branch of forensic science encompassing the
recovery and investigation of material found in digital
devices, often in relation to computer crime.
O "Gathering and analysing data in a manner as free from
distortion or bias as possible to reconstruct data or what
happened in the past on a system [or a network]“
-Dan Farmer / Wietse Venema](https://image.slidesharecdn.com/memoryforensics-140120045050-phpapp02/85/Memory-Forensics-5-320.jpg)
Memory Forensics
- 1. आज का आहार Memory Forensics Varun Nair @w3bgiant
- 2. #whoami O Security enthusiast. O For food and shelter, I work with ZEE TV O For living, I learn 4N6, Malwares and Reverse Engineering O Recent developments: O Chapter lead at Null, Mumbai chapter.
- 3. If you listen!!!!! O Forensics Fundamentals O Action Plan O Order of Volatility O Methodologies O Dead Forensics O Live Forensics O Demo
- 4. ELSE!!!!
- 5. Forensics Fundamentals O Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. O "Gathering and analysing data in a manner as free from distortion or bias as possible to reconstruct data or what happened in the past on a system [or a network]“ -Dan Farmer / Wietse Venema
- 6. Action Plan- First Response Arrive on Crime scene Machine state = OFF DEAD FORENSICS Machine state = ON LIVE FORENSICS
- 7. Order of Volatility MOST ….. LEAST • CPU, cache and register content • Routing table, ARP cache, process table, kernel statistics • Memory • Temporary file system / swap space •Data on hard disk •Remotely logged data •Raw Disk Blocks
- 8. Forensics Methodologies O “LIVE” Forensics O “DEAD” Forensics
- 9. DEAD FORENSICS O The dead analysis is more common to acquire data. O A dead acquisition copies the data without the assistance of the suspect’s (operating) system. O Analysing a “dead” system that has had it’s power cord pulled.
- 10. DEAD FORENSICS O During data acquisition an exact (typically bitwise) copy of storage media is created. O Least chance of modifying data on disk, but “live” data is lost forever.
- 11. LIVE FORENSICS O Focuses on extracting and examination of the volatile forensic data that would be lost on power off O A live acquisition copies the data using the suspect’s (operating) system O Live forensics is not a “pure” forensic response as it will have minor impacts to the underlying machine’s operating state – The key is the impacts are known
- 12. LIVE FORENSICS O Often used in incident handling to determine if an event has occurred O May or may not proceed a full traditional forensic analysis O If you work on a suspect’s system you should boot/use trusted tools (e.g. CD, USB stick):
- 13. LIVE FORENSICS THE IMAGE WILL HAVE NO AUTHENTICITY No two images can have the “same hash value”
- 14. Forensic Response Principles – Maintain forensic integrity – Require minimal user interaction – Gather all pertinent information to determine if an incident occurred for later analysis - Enforce sound data and evidence collection
- 16. In MEMORY data?? O Current running processes and terminated processes. O Open TCP/UDP ports/raw sockets/active connections. O Caches O -Web addresses, typed commands, passwords, clipboards, SAM databases, edited files. O Memory mapped files O -Executable, shared, objects(modules/drivers), text files.
- 17. DEMO O Collecting Memory dumps: DUMPIT by MOONSOLS O Analysing Memory dumps: WinHex and Volatility Framework 2.3
- 18. और कोई सवाल