The Importance of Memory Forensics Tools

Memory forensics tools: finding malware in memory, malicious DLLs and malicious executables; malfind, psscan, pstree, shellbags, shimcache, handles

Digital forensics experts have started relying heavily on memory forensics tools to enrich the evidence collected from a compromised system. Memory forensics, also called memory analysis, is the examination of volatile data in a computer’s memory dump. Volatile data includes the browsing history, clipboard contents, and chat messages held in short-term memory. A memory dump is a capture of the contents of random access memory (RAM), including what was in memory before a system crash. It provides experts with diagnostic information from the time of the crash and contains the code that caused it. Through memory forensics, digital forensics analysts are able to find evidence that would otherwise stay buried.

Memory forensics is useful when analyzing criminal activity such as hacking or insider threats. It supplies experts with runtime system activity, such as open network connections or recently executed commands and processes. Programs are loaded into memory before they execute on the computer, which makes memory forensics highly valuable. Every program or piece of data that is created, examined, or deleted passes through RAM: images, all web-browsing activity, encryption keys, network connections, and injected code fragments. In many instances certain artifacts can only be found in RAM, such as the network connections that were open at the time of the crash. Attackers can develop malware that resides only in memory rather than on disk, making it virtually invisible to standard disk-based forensic methods. This makes memory forensics tools highly sought after.

Prior to 2004, generic tools such as strings and grep were used to perform memory forensics; they were not designed for the task and were therefore difficult to use. In 2004, Michael Ford first used the term ‘memory forensics’ and described it through the analysis of a rootkit[1]. As attacks have evolved and become more complex, the need for memory forensics tools has increased. Conventional firewalls and anti-virus tools cannot detect malware or critical data in RAM. The best, most sophisticated tools can identify malware, rootkits, and zero-days in RAM. The Volatility Framework is one of the most widely used tools among industry experts. It is a Python-based, open-source collection of tools for examining volatile data in a computer’s memory dump. This framework offers new techniques and procedures for experts to use when extracting digital data.
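As an added illustration of the cross-view approach such tools take (example code written for this page, not part of the original article or of the Volatility project), the following script compares constructed pslist and psscan output and reports processes that the operating system’s own process list does not show. The column layout, process names and offsets are all constructed for the example.

```python
"""Cross-view check: compare pslist output (walks the kernel's active
process list) against psscan output (carves _EPROCESS structures from
memory). A process psscan finds that pslist omits is a candidate for a
hidden, unlinked process. Both tables are constructed sample output
approximating Volatility 2 columns; the parser keys on offset/name/pid/ppid."""
import re
from typing import Dict, Tuple

# Constructed pslist output: linked-list walk, three visible processes.
PSLIST = """Offset(V)  Name          PID   PPID  Thds  Hnds  Start
0x8a2b0c30 System        4     0     52    250   2024-01-01 10:00:00
0x8a1f4020 smss.exe      368   4     3     19    2024-01-01 10:00:01
0x8a0c8da0 explorer.exe  1432  1400  22    510   2024-01-01 10:00:30
"""

# Constructed psscan output: pool carving finds one extra process.
PSSCAN = """Offset(P)  Name          PID   PPID  PDB         Time created
0x02b0c30  System        4     0     0x00185000  2024-01-01 10:00:00
0x01f4020  smss.exe      368   4     0x0a3c0020  2024-01-01 10:00:01
0x00c8da0  explorer.exe  1432  1400  0x0b1e0020  2024-01-01 10:00:30
0x02a3e7c  updater.exe   2216  1432  0x0c8d0020  2024-01-01 10:05:12
"""

ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")

def parse_procs(table: str) -> Dict[int, Tuple[str, int]]:
    """Map PID -> (name, PPID); header and blank lines do not match ROW."""
    procs: Dict[int, Tuple[str, int]] = {}
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs

def hidden_candidates(pslist: str, psscan: str) -> Dict[int, Tuple[str, int]]:
    """Processes carved by psscan that the active list does not report.
    Caveat: psscan also recovers recently terminated processes whose
    _EPROCESS pool has not been reused, so each hit needs confirmation
    (thread count, exit time, parent still alive) before calling it hidden."""
    listed = parse_procs(pslist)
    return {pid: info for pid, info in parse_procs(psscan).items()
            if pid not in listed}

if __name__ == "__main__":
    for pid, (name, ppid) in hidden_candidates(PSLIST, PSSCAN).items():
        print(f"candidate hidden process: pid={pid} name={name} ppid={ppid}")
```

The same comparison is the basis for checking other list-versus-scan pairs (for example handles or network connections) against a real dump.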

Without memory forensics, experts will be unable to collect every piece of evidence. It is important for all experts to complete training exercises so they do not leave important evidence behind. The importance of memory forensics cannot be stressed enough, especially when collecting evidence from an attack and identifying the attacker. The examination of volatile data found only in RAM offers experts insight they would otherwise not have. Many open source projects include memory forensics tools.

[1] Rootkit: Collection of software tools used to disguise the presence and activity of other software.

References:
‘What Are Memory Forensics? A Definition of Memory Forensics’, Digital Guardian, 2017