Friday, 29 November 2013

Forensic Memory Analysis And Techniques For Windows, Linux And Mac OS

By Rafael Souza (Founder of “Wikileaks and Intelligence”).

With the growing number of cyber-crime and intrusion cases, and with the ever larger storage capacity of hard disks and devices, the techniques of computer forensics had to be extended. Current practice consists of collecting and analysing the static data stored on hard drives, seeking evidence of malicious activity in computer systems after it has occurred.
With the evolution of technological resources and the popularity of the Internet, it has become impractical to rely on the traditional approach alone, given the large volume of information to be analysed and the growth of digital attacks. In this context, the analysis of data stored in volatile memory brings new techniques: it becomes possible to check which processes were running and which connections were established, or even to obtain the access keys of encrypted volumes, without losing information that is sensitive to the investigation, thus allowing the recovery of data that is important to computer forensics.

Memory forensics is a promising technique that involves capturing and analysing data stored in volatile memory. Because the memory is volatile, its data can be lost when the system is shut down, or overwritten during the normal operation of the system. As a consequence of this constant flux, data in memory are usually less structured and predictable than data on disk.

Data contained in the memory
An overview of the information stored in memory: everything that is running on a computer is held temporarily in memory, either in volatile memory (RAM) or in the paging file, which belongs to virtual memory. By extracting an image of memory, known as a memory 'dump', it is possible to identify the running processes and the relationships between them, that is, which processes started other processes; likewise, it is feasible to identify which files, libraries, registry keys and sockets were in use by each process. In summary, it is possible to map how the system was being used when the memory dump was generated and also to recover executable programs stored in memory.

More information about “Dumps”
This is the method currently used by computer forensics experts to acquire the contents of RAM.
Several programs assist in acquiring an image of system memory. These tools read memory bit by bit and copy its contents to a file, the memory "dump". This file will have the same size as the physical memory of the system.
What must be taken into account, regardless of the tool used, is that, as the "Locard Exchange Principle" shows, when an acquisition program is executed it must itself be loaded into memory: it will leave traces, some of the memory space that could contain valuable information will be consumed, and memory occupied by other processes may even be moved to the paging file. Furthermore, while the tool is reading the contents of memory, the state of the system is not frozen, which means that while some pages are being copied, others may be changed, for example if the process that uses them is still running. The time spent collecting the image depends on factors such as processor speed, bus rates and disk input/output operations.

Creating a "Forensic Image" with FTK Imager

FTK Imager is a free tool created by the company AccessData for acquiring forensic images. The tool mainly creates disk images, but besides forensic disk images we can also perform memory dumps and even carry out a forensic analysis of the image created. There are many other functionalities you will discover as you work with it.

Well, I'm looking for a simple and practical way to demonstrate these concepts. Open the "File" menu, click "Create Disk Image" and choose the disk or partition from which the image will be made. To make a forensic image of the whole disk, choose "Physical Drive"; to make an image of a single partition, choose "Logical Drive". Look at the pictures below:

Figure 1) FTK Imager.

Figure 2) Logical Drive.

Figure 3) Physical Drive.

I will make a forensic image of a USB stick plugged into my machine, so I also choose the option "Physical Drive". I then choose which device I want to image and click the "Finish" button.

Figure 4) Select Drive.

Now tick the checkbox "Verify images after they are created". With this option selected, the tool will calculate the MD5 and SHA1 "hash" of the image once it has been created. After that, click the "Add" button.

Figure 5) Create Image.

Select "RAW", which produces a forensic image in the format of the "DD" tool, and click "Next".

Figure 6) Select RAW.

Some information about the evidence will be requested. We can fill in this information. After that, click "Next".

Figure 7) Evidence Item Information.

Figure 8) Select Image Destination.

We now choose the output directory (where the forensic image is saved). "Image Filename" is where I enter the file name of my image. In "Image Fragment Size" I can put zero because I do not want my image fragmented; if I wanted to break it into pieces, I would put in this field the size in MB that each piece of my image should have. After that, just click the "Finish" button.

Figure 9) The output directory.

Just click on the "Start" button.

Figure 10) Create Image.

Figure 11) Image Summary.

When the forensic image acquisition process has finished, a summary with various pieces of information is displayed.
In the same directory where the image was stored, a “txt” file was created; it acts as a log and contains the same summary information.
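As an added example (not part of the original article), the following Python script reproduces the "Verify images after they are created" check outside FTK Imager: it walks the fragments produced by a non-zero "Image Fragment Size" in order and compares the MD5 and SHA1 of the whole image against the values recorded in the acquisition log. It assumes FTK-style three-digit fragment suffixes (.001, .002, ...), which the article does not state, and uses a constructed three-byte sample image.

```python
import hashlib
import os
import re
import tempfile

CHUNK = 1 << 20  # stream 1 MiB at a time so multi-GB images need not fit in RAM


def fragment_paths(directory, name):
    """Ordered fragments <name>.001, <name>.002, ...; refuses a sequence with gaps.
    Assumption (not from the article): FTK Imager uses a three-digit numeric suffix."""
    pattern = re.compile(re.escape(name) + r"\.(\d{3})$")
    numbered = sorted((int(m.group(1)), os.path.join(directory, m.group(0)))
                      for m in map(pattern.match, os.listdir(directory)) if m)
    if [n for n, _ in numbered] != list(range(1, len(numbered) + 1)):
        raise ValueError("fragment sequence has gaps: %r" % [n for n, _ in numbered])
    return [path for _, path in numbered]

def hash_fragments(paths):
    """MD5 and SHA1 of the whole image, i.e. of the fragments concatenated in order."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in paths:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                md5.update(block)
                sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def verify_image(directory, name, expected_md5, expected_sha1):
    """True only when both digests match the values recorded at acquisition time."""
    md5, sha1 = hash_fragments(fragment_paths(directory, name))
    return md5 == expected_md5.lower() and sha1 == expected_sha1.lower()

def demo(tamper=False):
    """Constructed sample: a 3-byte 'image' b'abc' saved as three 1-byte fragments."""
    workdir = tempfile.mkdtemp()
    for index, byte in enumerate(b"abc", start=1):
        with open(os.path.join(workdir, "evidence.%03d" % index), "wb") as fh:
            fh.write(bytes([byte]))
    if tamper:  # overwrite the middle fragment after "acquisition"
        with open(os.path.join(workdir, "evidence.002"), "wb") as fh:
            fh.write(b"x")
    # Reference digests are the well-known test vectors md5("abc") and sha1("abc").
    return verify_image(workdir, "evidence",
                        "900150983cd24fb0d6963f7d28e17f72",
                        "a9993e364706816aba3e25717850c26c9cd0d89d")
```

A missing fragment raises instead of silently producing a wrong digest, which is the failure a plain `cat *.00? | md5sum` would hide.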

Extraction of digital artifacts with Volatility:
Volatility is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from samples of volatile memory (RAM).

The tool supports a variety of "dump" formats, performs some automatic conversion between formats and can be used on any platform that supports Python. Installation and use are simple: just unzip the package supplied by Volatile Systems on a system where Python is already installed.
C:\Volatility>python volatility 

Figure 1) Supported internal commands.
Example: volatility pslist -f /path/to/my/file

Figure 2) Using the volatility command.
Figure 3 shows the use of the "ident" command, which identifies the date and time when the image was collected and also provides information about the operating system on which the dump was generated:
C:\Volatility>python volatility ident -f C:\memorytest_rafael_fontes.dmp


Figure 3) Command ident.
You can use the --help option with any command to get help:
C:\Volatility>python volatility ident --help

Figure 4) Option Volatility help tool.

To list the processes that were running at the time the dump was generated, use "pslist". As can be seen below, the output contains the name of each process, its identifier (Pid) and the identifier of its parent process (PPID), as well as the time when it was started and other useful information.
C:\Volatility>python volatility pslist -f C:\memorytest_rafael_fontes.dmp

Figure 5) Use the command pslist.

The "connscan" command provides information about the network connections that were active at the time the memory was collected, while "sockets" displays the sockets that were open when the dump was generated. The "files" command displays the open files of each process; you can specify a process identifier on the command line to display only the files opened by a particular process.
C:\Volatility>python volatility files -p 1740 -f C:\memorytest_rafael_fontes.dmp

Figure 6) Use the command files.

The "dlllist" command displays the list of DLLs loaded by each process, and the "regobjkeys" command displays the list of registry keys opened by each process.
C:\Volatility>python volatility dlllist -p 1740 -f C:\memorytest_rafael_fontes.dmp

Figure 7) Use the command dlllist.
C:\Volatility>python volatility regobjkeys -p 1740 -f C:\memorytest_rafael_fontes.dmp

Figure 8) Use the command regobjkeys.

Through the "procdump" command it is possible to extract an executable from the memory dump, giving access to the code that was running on the machine and thus a better understanding of its behaviour.
C:\Volatility>python volatility procdump -p 1740 -f C:\memorytest_rafael_fontes.dmp

Figure 9) Use the command procdump.
It was possible to observe the generation of the executable "executable.1740.exe" and the appearance of informational messages such as "Memory Not Accesible" when using "procdump". This is because not all virtual memory addresses are accessible in the image; they may, for example, have been paged to disk. These messages therefore provide an audit trail from which you can determine which parts of the generated executable were successfully retrieved.

Practical examples. To determine the date and time of the image, for example, one can use the following command:
>>> python volatility datetime -f target-2013-10-10.img
    Image Local date and time: Mon Oct 10 16:20:12 2013
The pslist command, in turn, determines the processes that were running at the time the image was captured:

>>> python volatility pslist -f target-2013-10-10.img
Name         Pid  PPID  THDs  HNDs  Time
lsass.exe    536  480   20    369   Mon Oct 10 16:22:18 2013
To determine which system ports were open, one can use the "sockets" command. For the system under analysis it is possible to detect, for example, the LSASS.exe process listening on port 4500.
>>> python volatility sockets -f target-2013-10-10.img
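As an added example, not from the article or the Volatility project, this Python snippet parses pslist output in the column layout shown above and rebuilds the parent/child relation from Pid and PPID, which is how one identifies which processes started which; it also reports processes whose parent no longer appears in the listing. The lsass.exe row is the one from the article; the other rows are constructed.

```python
from collections import defaultdict

# Constructed sample in the pslist column layout; only the lsass.exe row comes from the article.
SAMPLE_PSLIST = """\
Name Pid PPID THDs HNDs Time
System 4 0 55 246 Mon Oct 10 15:58:01 2013
smss.exe 368 4 3 21 Mon Oct 10 15:58:03 2013
winlogon.exe 480 368 19 521 Mon Oct 10 15:58:07 2013
services.exe 524 480 16 265 Mon Oct 10 15:58:08 2013
lsass.exe 536 480 20 369 Mon Oct 10 16:22:18 2013
svchost.exe 700 524 9 198 Mon Oct 10 15:58:10 2013
explorer.exe 1200 1180 14 400 Mon Oct 10 16:01:44 2013
cmd.exe 1740 1200 1 30 Mon Oct 10 16:19:55 2013
"""

def parse_pslist(text):
    """One dict per process; the header row and anything not matching are skipped."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 5)  # name, Pid, PPID, THDs, HNDs, start time
        if len(fields) == 6 and fields[1].isdigit():
            name, pid, ppid, thds, hnds, started = fields
            procs.append({"name": name, "pid": int(pid), "ppid": int(ppid),
                          "threads": int(thds), "handles": int(hnds), "time": started})
    return procs

def children_of(procs):
    """Map each Pid to the Pids it started: the parent/child relation encoded in PPID."""
    tree = defaultdict(list)
    for p in procs:
        tree[p["ppid"]].append(p["pid"])
    return dict(tree)

def orphans(procs):
    """Pids whose parent is absent from the listing (it already exited); PPID 0 is the System root."""
    known = {p["pid"] for p in procs}
    return [p["pid"] for p in procs if p["ppid"] not in known and p["ppid"] != 0]

def render(procs):
    """Indented process tree, one line per process, rooted at every parent not itself listed."""
    tree, by_pid = children_of(procs), {p["pid"]: p for p in procs}
    def walk(pid, depth):
        for child in sorted(tree.get(pid, [])):
            yield "%s%s (pid %d)" % ("  " * depth, by_pid[child]["name"], child)
            yield from walk(child, depth + 1)
    lines = []
    for root in sorted(set(tree) - set(by_pid)):
        lines.extend(walk(root, 0))
    return lines
```

An orphan such as explorer.exe is normal (its parent userinit exits), but an orphaned service or shell is exactly the kind of anomaly worth following up with dlllist and files on that Pid.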

Memory Forensics for Linux distributions:

S.M.A.R.T. Linux


Figure 1) S.M.A.R.T. Linux.
S.M.A.R.T. Linux is a bootable floppy distribution containing the smartmontools utility for monitoring IDE/SCSI hard disks (using Self-Monitoring, Analysis and Reporting Technology). Why a floppy? Probably because all other distributions containing this useful utility are CD versions [and not everybody has a CD-ROM ;)]. It is intended to be free, small, helpful and easy to use. The current version is based on Kernel 2.4.26, uClibc 0.9.24 and the BusyBox 1.00 official release, and is built on Slackware 10.0.

The Sleuth Kit and Autopsy:

Autopsy™ and The Sleuth Kit™ are open source digital investigation tools (a.k.a. digital forensic tools) that run on Windows, Linux, OS X, and other Unix systems. They can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types.

CAINE (Computer Aided Investigative Environment)

Figure 4) C.A.I.N.E.
CAINE (an Italian GNU/Linux live distribution created as a Digital Forensics project) offers a complete forensic environment that is organised to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:
• An interoperable environment that supports the digital investigator during the four phases of the digital investigation.
• A user-friendly graphical interface.
• A semi-automated compilation of the final report.

Below are some tools that can be used for forensic analysis on computers running Mac OS X.

Mac OS X Forensics Imager

Figure 1) Mac OS X Forensics Imager.
A tool for imaging a disk byte by byte in the Encase or FTK format, for later forensic analysis in those tools.

Metadata Extractor
An application that extracts the metadata of the files in a given folder on a Mac and displays their location on Google Maps when the files contain geo-location information.

File Juicer

Figure 2) File Juicer 1.

 Figure 3) File Juicer 2.

Commercial software that extracts images and text from any file. It ignores the file format and scans files byte by byte to identify the data types it supports. Among other features, the following are useful in forensic analysis:

• Extract images from PowerPoint presentations and PDFs
• Recover deleted pictures and videos from memory cards
• Recover text from corrupt
• Extract images and HTML files from the Safari cache
• Extract attachments from email archives
• Generate a Word document from simple PDFs
• Recover photos from iPods in TIFF
• Convert ZIP files which are in .EXE
• Extract JPEG images in RAW format (Canon & Nikon)
• Extract data from different types of cache file
• Find and extract data in general from files in JPEG, JP2, PNG, GIF, PDF, BMP, WMF, EMF, PICT, TIFF, Flash, Zip, HTML, WAV, MP3, AVI, MOV, MPG, WMV, MP4, AU, AIFF or text format.

Several trends are revolutionising memory forensics. The process of memory forensic analysis is also moving towards better solutions and refinement of the technique, and it is an increasingly relevant approach within computer forensics. In certain cases the popularity of volume-encryption tools such as TrueCrypt, or the creation of malware that resides only in volatile memory, raises the difficulty of analysing the data stored on these devices.
However, it is worth noting that memory forensics is best seen as a complement to other approaches. An example is the procedure in which an investigation, after capturing the image of volatile memory, uses "Live System Analysis" to determine the next step in solving the case; later, in the laboratory, "Memory Forensics" is used as a complement to traditional forensics, giving greater agility and precision to the process.
I hope my article has helped computer experts and information security specialists.

  1. Let's say I have the dump from a live system downloaded to a jump drive. If I plug that jump drive into my Linux box, can I use gdb to disassemble the programs in memory (for purposes of reverse engineering/malware analysis)? Or is that step unnecessary?

