RAM is a vital source of digital evidence that, historically, has been neglected and ignored. As our knowledge of digital evidence grew, examiners began to realize the source of potential digital evidence that existed in RAM. Ultimately, you have an additional multi-gigabyte source of information that needs to be examined and may contain digital artifacts that do not exist in the traditional locations of the system.
In this chapter, we will cover the fundamentals of memory. We will then look at the different sources of memory and learn to capture RAM using RAM capture tools. By the end of this chapter, you will be able to understand the various methods and tools that can process volatile memory.
We'll be covering the following topics in this chapter:
What information does random access memory (RAM) contain? It will give you the information about the current running state of the system before you shut it down. It will contain information about any running programs; these could be legitimate processes, and it could contain running malware processes as well. If attackers have compromised the host, the malware may be a resident in the RAM.
You will also find information related to network connections the host has with other peers. This could be a legitimate use of peer-to-peer file sharing, or it could show a link to the attacker's host. These connections are breadcrumbs for you to follow if you are investigating a network intrusion or suspect someone may have compromised the host. The user could also be sharing illicit images, and the connection to other computers will give you leads for you to follow and to investigate additional users for the same crime.
If the user is using cloud services, we may never find the data they are creating on the physical disk in the system. We may only see the evidence of the data being hosted in the cloud in the form of RAM.
RAM is the kitchen table of the computer system. Any action the user/system takes within the system will access the RAM. Every mouse click and every keyboard button that's pushed will be processed through the RAM, and you can recover entire files, passwords, and the text that was placed into the clipboard. All of these are potential sources of digital evidence. Sometimes, you can recover the encryption keys for closed encrypted containers that have been created by the user.
In 2004, Rajib K. Mitra was convicted of jamming police radios. The investigation resulted in the seizure of multiple pieces of digital evidence. The lead detective, Cindy Murphy, learned in 2009 that it was possible to recover encryption keys that may have existed only in RAM. Detective Murphy was able to go back and reexamine the evidence and was able to identify the encryption keys Mitra had used to secure his encrypted container. When Detective Murphy opened the encrypted container, she found many illicit images, which led to Mitra being convicted of the possession of the images.
How is analyzing RAM different from analyzing a hard drive? RAM is a snapshot of a live running system, whereas a hard drive examination is static. We have shut the system down, and we are examining data on the physical device. RAM is much more transient, and if you were to take a forensic image of RAM at two different points of time, you will get different results. Capturing the data in RAM will lead to the loss of potential evidence. You are changing evidence when you collect RAM.
So, let's talk about what RAM is.
RAM is used to temporarily store working data/code on an active computer system. Unlike on traditional storage devices, that is, a hard drive, data can be read/written on RAM at extremely fast speeds. Current technology allows the RAM chips to be created around an integrated circuit chip with metal oxide semiconductor cells. The data stored within the RAM chips is considered to be volatile. We lose volatile data when the computer system is no longer powered on. This is a significant reason the pull the plug tactic when responding to a scene involving activated computer systems is no longer recommended.
You may run into two different types of RAM: static RAM (SRAM) and dynamic RAM (DRAM). SRAM is considered faster and more efficient with respect to energy use, whereas DRAM is cheaper to produce than SRAM. You will typically find SRAM being used as cache memory for the CPU, and DRAM chips being used for memory chips for the computer system.
The following is a representation of a DRAM chip you may come across in your investigations:
Do not confuse RAM with read-only memory (ROM). ROM permanently stores data within the memory chips and is not volatile.
Consider the following: a 32-bit Microsoft Windows-based computer system has a limitation of 4 GB of RAM, while a 64-bit Microsoft Windows-based computer system has a limitation of 128 GB of RAM. That is a considerable amount of potential evidence that, historically, has not been analyzed.
For the CPU to access the data/execute code being stored in the memory chips, there must be a unique location identifier to that data; that is, an address. When we start examining raw memory dumps, we will be dealing with the physical address, which is an offset of the memory dump.
Data stored in RAM is stored in pages that are 4 kilobytes in size, and as the system processes add/read data to the pages in RAM, they are utilizing virtual addressing.
All the operating systems access RAM in the same general manner. Let's talk about some concepts that are common to an operating system:
The contents of RAM may include artifacts of what is or has occurred on the system. This can include the following:
As you can tell, the potential to acquire significant evidence is enhanced with the collection of RAM. Where do we find data that is stored in RAM? There are several different sources, all of which we will discuss next.
What happens if you are not the investigator on the scene when the digital evidence is collected in the RAM, and they do not collect volatile data? Is it possible to still access the RAM, despite having the system shut down? While you cannot analyze the RAM, it is possible to examine other sources may contain the same data that was stored in the RAM. This option may not always be viable, depending on the specific set of circumstances surrounding the seizure of the digital evidence.
You need to know that there are potential additional sources that will contain the same or similar data that was in RAM. They are as follows:
Note
If you are examining a laptop, hibernation is usually initiated by closing the laptop. In a desktop, this will be user-initiated. The file header for the hiberfill.sys file can be hibr, HIBR, wake, or WAKE. When the system is repowered, the header of the file is zeroed out. The hiberfill.sys file is a compressed file and will have to be decompressed before you can analyze it.
When analyzing the hiberfill.sys file, the last modification date/timestamp will show when the contents of RAM was added to the file.
Note
Another option if you are on scene and cannot do a live capture of the RAM can be to place the system into hibernation, which will then create the hiberfill.sys file where the current state of the system is saved.
Note
In the Windows operating system, the paging file, pagefile.sys, is stored at the root of the operating system volume. Be aware that the user can change this location. Typically, the page file can be one to three times larger than the amount of physical memory on the system.
Depending on the settings, you may get one of the following:
The SYSTEM hive will contain the key to determine which memory dumps may exist on the system you are examining. The key you'll want to explore is as follows:
SYSTEMCurrentControlSetControlCrashControlCrashDumpEnable
The dump files will be in a proprietary format and will need a third-party tool to convert them (available at https://www.comae.com). So far, we have discussed the locations that will provide sources of RAM. Ultimately, you will want to capture the data within the RAM chips, which is our next topic.
When the decision is made to capture the RAM from the system, several factors need to be considered before moving forward. The most significant issue is that you will be changing the state of the system when you collect the volatile data.
The Scientific Workgroup on Digital Evidence (SWGDE) has explored the collection of volatile data and offers the following considerations:
There is the potential that the collection of RAM may cause a system lockup or instability in the system. The digital forensic investigator must be aware of how the tool being used may affect different operating systems.
After calculating the risk versus the reward, you have decided to go forward and collect the contents of the RAM. What do you need to accomplish this task? You have to decide which tool works best in the environment that you will create the memory dump from. One consideration regarding your tool selection will be how big of a footprint the tool will leave on the system.
To successfully image the RAM, you will need three things:
Note
Remember that the amount of RAM installed on the system will dictate the size of your external storage device. If the system has 16 GB of RAM, your external storage device will need to be greater than 16 GB. The memory dump will be the same size as the amount of installed RAM.
You will want to prepare your external storage device before responding to the scene. Your device should be formatted as an NTFS partition. This will alleviate any file size issues you might encounter if the device were formatted in FAT 32.
We will now discuss some tools you can use to create a raw forensic image of the RAM.
I am going to briefly discuss some tools that you can use to capture RAM. There are additional commercial and open source tools available. We could write an entire book (and there are some) about some tools that are used for memory forensics. The goal here is to give you an overview and the skills necessary to accomplish a successful memory dump, but be aware that you can go into much greater detail than I will go into in this chapter.
The following tools are all open source and freely available.
DumpIt (available at https://www.comae.com) was originally developed by MoonSols. Comae now maintains the project. It is a combination of Win32dd and Win64dd in one executable. No options are asked of the end user. This tool is fast, small, and portable. It leaves the least significant form of footprint on the RAM.
DumpIt is the simplest of all the tools to use. Once you have created your external device and have responded to the scene, you need to follow these steps:
DumpIt is not the only tool available. There are additional open source alternatives, such as FTK Imager, which we will discuss next.
FTK Imager Lite (available at http://accessdata.com) is a GUI-based utility that allows a user to dump the memory of a computer system running either a Windows 32-bit or 64-bit operating system. This tool is easy to use and deployable on a thumb drive. This tool also allows us to mount binary dump files for viewing. Since it is GUI-based, it leaves a significant footprint on the RAM.
FTK Imager is also relatively easy to use. Remember that it is GUI-based, so as you launch the executable from your external storage device, it will overwrite more data in memory than a CLI-based tool.
Once you have responded to the scene, you will need to do the following:
However, ensure that you select your external storage device.
No matter which tool you used to collect the memory, once you have collected it, you need to get a hash value of the file you just created. You do not want to use the suspect system because any commands you issue will change the state of the evidence. You will want to use your forensic laptop or your forensic workstation at your laboratory to generate the hash value.
Now that you have created a memory dump of the RAM, what tools will you use to analyze it? Let's talk about some tools that can be used to analyze RAM.
Just like when we analyze forensic images created from traditional storage devices, you have the choice of open source or commercial software. It comes down to the examiner's preferences (and sometimes budget) on what tool they wish to use to analyze the dataset. We will go over some available tools, but this is not an all-inclusive list. Most commercial tools will analyze a memory file; we will discuss some open source options that are available here:
We will discuss the use of some of these open source options.
Bulk Extractor scans the target media (disk image, file, or directory) and extracts what it believes to be useful information. It ignores the filesystem structure, which allows it to process different parts of the source data set in parallel. This makes it very fast compared to traditional forensic tools. As Bulk Extractor finds data it believes to be relevant, it creates a histogram of the artifacts.
Let's take a look at how it works:
It will then present you with the Run bulk_extractor menu.
You can check or uncheck a given specific artifact search as your needs dictate.
On the left-hand side, we can see the specific artifacts that were recovered by the tool. In the preceding screenshot, I selected the email_histogram.txt file, which gives us a list of times it found a particular email address. By looking at the histogram window, I can see that it found the jcloudy1 email address over 8,000 times. As you go through the email list, you may find emails of evidentiary interest for you to follow up while using traditional media.
Bulk Extractor is a quick and efficient tool that's used to extract data strings that you can use to follow up with your investigation. The next tool we will discuss is Volix II.
Using Volix II
Volix is a GUI frontend for the Volatility framework. It makes it a bit easier for those who are not comfortable using the command-line interface (CLI). Once the program has been downloaded and you have started it for the first time, it will present you with the following screen:
Then, you will be pointed to the location of the Volatility framework. You can use either the standalone executable or the binary files to run the Python scripts. Here, I have already downloaded the standalone executable and have pointed Volix to it.
The other options you can select include the language you wish to use Volix in. If you have a Virus Total API key, you can insert it in on that page. This will compare the data captured from RAM and see if it matches any malware being tracked by Virus Total.
You also have the option of pointing Volix to the John the Ripper executable. If you want to decode/decrypt potential passwords that may be stored in RAM, follow these steps:
From the preceding screenshot, you can see I have selected getsids. In the center screen, it has pulled out the SIDs that were in memory at the time of collection.
How many artifacts you ask it to search for at once will dictate the length of time for the application to complete. Overall, it is a relatively quick search compared to other tools.
In this chapter, you learned about the cornucopia of artifacts you can recover from RAM. You learned about the different tools you can use for the collection process and the tools you can use for analysis. Remember that the tools are always changing with the technology and as new operating systems are released, your primary tool may not collect RAM. Always have a backup plan in case something like that occurs.
You now have the skills to identify and capture RAM in a manner that conforms to best practices. As you analyze the RAM you have captured, you may find artifacts showing the user's activity on the system, such as social media artifacts and recovering passwords or encryption keys.
You may even find information relating to the user's use of email, which will lead us into our next chapter, which is all about email forensics.
a. Physical memory
b. Pagefile.mem
c. Swap file.page
d. ROM
a. Page file.sys
b. Swap file.sys
c. Hiberfill.sys
d. Hibernation.sys
a. Every hour
b. Every week
c. Every digital forensic investigation
d. When you deem it important
a. 1
b. 2
c. 3
d. 4
a. True
b. False
a. True
b. False
a. DumpIt
b. FTK Imager
c. Volatility
d. MD5 hash
Ligh, M. H., Case, A., Levy, J., & Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linu. John Wiley & Sons. (Available at https://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098.)
3.145.63.136