Analyzing System Memory

For a long time, law enforcement and other organizations performing digital forensic tasks associated with incident investigations relied on methodologies that focused on evidence contained within the hard drive of a machine. Procedures dictated that the system should be powered down and the hard drive removed for imaging. While this methodology and the associated procedures were effective at ensuring the integrity of the evidence, they overlooked the wealth of information contained within the Random Access Memory (RAM), or memory for short, of the targeted system; because memory is volatile, that information is destroyed the moment the system is powered down. As a result, incident response analysts began to focus a great deal of attention on methods that maintain the integrity of this evidence while giving them a platform from which to obtain information of evidentiary value.

This chapter will focus on the types of evidence that can be located within the memory of a system, the tools and techniques available to incident response analysts, and, finally, how to analyze this information to obtain a clear understanding of how the system was compromised. These techniques can also be integrated into the analysis of other evidence, such as network log files and files located on the targeted system.

In this chapter, these main topic areas will be addressed:

  • Memory analysis overview: This section addresses the critical data points that can be discovered through proper memory analysis.
  • Memory analysis methodology: A structured approach is important to ensure that responders are able to extract the necessary data.
  • Memory analysis with Redline: The first tool that will be reviewed is Mandiant Redline, a GUI-based tool that allows responders to examine memory captures.
  • Memory analysis with Volatility: Often thought of as the gold standard of memory analysis, this command-line framework has an extensive set of plugins for extracting and analyzing data from memory captures.
  • Memory analysis with Strings: A simple but effective tool that affords responders the ability to cull data from those areas of memory that other tools may miss.

At the end of this chapter, the reader will have both an understanding of the methodology and the tools necessary for finding data points, analyzing them, and extracting other evidence for follow-up analysis.
