Tuesday, February 23, 2010

RAM (memory) analysis

What is stored in RAM? Programs? Yes. Can you think of anything else? Well, let me introduce you to a crucial aspect of almost every digital forensics investigation. Digital forensics doesn't stop at hard drive analysis, as most individuals may assume; in many (most) cases, when applicable, the RAM is also investigated. RAM can reveal many things that a hard drive wouldn't. Put simply, a hard drive may contain some pieces of the puzzle and the RAM may contain the remaining pieces.

Just as an example: if a user sent an email to someone using Outlook and deleted the stored copy from the "sent emails" folder, how would you attempt to recover that? First off, you probably wouldn't even have a clue that it exists. The hard drive would have information about Outlook being used, but the information ends there. Chances are that you won't be able to recover such info from the hard drive in this case, but all is not lost.

Back to the original question I started off with: what is stored in RAM? Too many things to put in one sentence. You can find programs, passwords, web pages, pictures, documents, etc. These represent files and programs that have been accessed since the system was started. This means that you can recover files from RAM. Yes, you can carve files out of memory, using recovery techniques similar to those used to recover data from hard drives.

I'm gonna go through a simple demonstration, from obtaining the RAM to the tools you can use to analyze it or carve files out of memory.

Mdd:
This is a Windows-based command line tool that can dump the contents of RAM fairly fast.
command: mdd.exe -o ramimage.img

After mdd has dumped the RAM, I then upload the image to a typical Linux distro for analysis (I use Backtrack 4).

I can then use the "strings" command and pipe the output to the "grep" command to search for keywords like 'password', 'vb_login', 'md5_password', 'confidential', 'secret', etc.

To get an idea of the websites browsed/visited since the machine was booted, I like to use the following:
  • # strings ramimage.img | grep "Visited:" | more
  • # strings ramimage.img | grep "Referer:" | more

A more advanced utility that I find very useful is the Volatility framework. It's a Python-based suite of tools used to parse RAM dumps for more specific information. This includes a listing of all currently running processes, a listing of running services and open ports (equivalent to the netstat command), the loaded DLLs, open files and much more. It's more for the advanced user so I won't get into it, but it's not very hard to use. Oh, in Windows XP service pack 3 (or 2, can't remember which), you can get the SAM hashes from the acquired memory image.

xxd can be a useful utility that gives you an alternative way to view memory, as a hex dump.
# xxd ramimage.img | more

To carve files out of RAM I use scalpel or foremost. These programs carve files by first identifying the special signature bytes that indicate a potential file type. Both the header and the footer information may be needed to carve out the entire file.
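The header/footer carving described above, sketched as an added example (not code from scalpel, foremost or this post). The JPEG and PNG magic bytes are the standard ones; the size limits, function names and sample buffer are constructed for the demo.

```python
from typing import List, NamedTuple

class Signature(NamedTuple):
    name: str
    header: bytes
    footer: bytes
    max_size: int  # stop looking for the footer after this many bytes

class Carved(NamedTuple):
    name: str
    offset: int
    data: bytes

# Standard JPEG/PNG magic bytes; the 10 MB limits are assumptions for the demo.
SIGNATURES = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
]

def carve(buf: bytes, signatures=SIGNATURES) -> List[Carved]:
    """Return every header..footer span found in buf, ordered by offset."""
    found = []
    for sig in signatures:
        pos = buf.find(sig.header)
        while pos != -1:
            limit = min(len(buf), pos + sig.max_size)
            end = buf.find(sig.footer, pos + len(sig.header), limit)
            if end != -1:
                end += len(sig.footer)
                found.append(Carved(sig.name, pos, buf[pos:end]))
                pos = buf.find(sig.header, end)
            else:
                # Header with no footer in range: paged-out fragment or a
                # chance match, so skip it and keep scanning.
                pos = buf.find(sig.header, pos + 1)
    return sorted(found, key=lambda c: c.offset)

def build_sample() -> bytes:
    """Constructed stand-in for a RAM dump: two files plus an orphan header."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 32 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 24 + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe1" + b"Z" * 16  # footer never made it to RAM
    return b"\x00" * 100 + jpg + b"\x00" * 50 + png + b"\x00" * 30 + orphan

if __name__ == "__main__":
    for c in carve(build_sample()):
        print(f"{c.name} at offset {c.offset:#x}, {len(c.data)} bytes")
```

Stopping at the first footer after a header is the simplest policy; a JPEG with an embedded thumbnail will be cut short at the thumbnail's footer, so carved output still needs to be opened and checked.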

Autopsy is a more enterprise-style suite that wraps the methods discussed earlier in an easy-to-use, nice interface. It groups investigations into cases and keeps everything you do organized. This tool is used by many professional organizations for investigating cyber criminals, etc., but it shouldn't be used by itself as an entire forensics solution.
