June 14, 2017 by

The Importance of Memory Forensics

Digital forensics experts who do not use memory forensics are leaving evidence behind. Memory forensics is the examination of volatile data in a computer’s memory dump is known as memory forensics or memory analysis. Volatile data includes the browsing history, clipboard contents, and chat messages present in the short-term memory storage. A memory dump is a capture of data through a random access memory or RAM, which includes the memory that was stored before the system crash. It provides experts with diagnostic information at the time of the crash and contains a code that caused the crash. Through the use of memory forensics, digital forensics analysts have the ability to find buried evidence.

Memory forensics is useful when analyzing criminal activity such as hackers or insider threats. Through the practice of memory forensics, experts are supplied with runtime system activity, such as open network connections or recently executed commands &processes. Before programs are executed on the computer, they are loaded into the memory making the use of memory forensics of high importance. Each program or data which is created, examined, or deleted is stored in the RAM. This includes images, all web-browsing activity, encryption keys, network connections, or injected code fragments. In many instances, certain artifacts can only be found in the RAM, such as open network connections present during the time of the crash. Attackers can develop malware which only resides in the memory, rather than the disk, making it virtually invisible to standard computer forensic methods. This makes the need of memory forensics tools in high demand.

Prior to 2004, generic tools such as strings and grep were used to perform memory forensics, however they were not designed for memory forensics, and therefore it was difficult to use. In 2004, Michael Ford first used the term ‘memory forensics’ and described memory forensics through the use of a rootkit[1]. As attacks have evolved and become more complex, the need for memory forensic tools has increased. The common methods of firewalls and anti-virus tools do not have the ability to detect malware or critical data through the RAM. The best and complex tools have the ability to identify malware, rootkits, and zero days in the RAM. The Volatility Framework is one of the commonly known tools used by the industry experts. It is a Python based, open source collection of tools that allows the examination of volatile data in the computer’s memory dump. This framework offers new techniques and procedures for experts to use when extracting digital data.

Without the use of memory forensics, experts will be unable to collect all the pieces of evidence. It is important for all experts to take training exercises so they don’t leave the important evidence behind. The importance of memory forensics cannot be stressed enough, especially when collecting evidence in an attack and finding the attacker. The examination of volatile data found only in the RAM, offers insight to experts they would otherwise not have.

[1] Rootkit: Collection of software tools used to disguise the presence and activity of other software.

What Are Memory Forensics? A Definition of Memory Forensics‘, Digital Guardian, 2017 

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

APT10 Operation Cloud Hopper Targets MSPs

APT10, a cyber espionage group operating out of China, has been targeting Managed Service Providers...

Read more arrow_forward

The Growing Insider Threat

A security threat originating from within the organization which is targeted or attacked is an...

Read more arrow_forward

The Rise of Polymorphic Malware

Anti-malware programs detect malware through the use of a signature. Most malware is made up of...

Read more arrow_forward