Forensic Chapter 4 - Memory Forensic
1. Memory Forensic
Unlike traditional forensic analysis, which primarily deals with data stored on hard drives (persistent storage), memory forensics targets the information held in a computer's RAM, which is lost when the computer is powered off or rebooted. At the time the memory was captured, this includes, but is not limited to:
- Running processes
- Open files
- Network connections
- System and user information
2. Basic Knowledge about Computer Science
- Chip architecture
| Name | Description |
|---|---|
| North Bridge | The Northbridge typically handles communications among the CPU, in some cases RAM, PCI Express video cards, and the southbridge. Some northbridges also contain integrated video controllers, also known as a Graphics and Memory Controller Hub (GMCH) in Intel systems. |
| South Bridge | The Southbridge can usually be distinguished from the northbridge by not being directly connected to the CPU. |
- Types of RAM
- SRAM: Static RAM
- DRAM: Dynamic RAM
- VRAM: Video RAM
- NVRAM: Non-volatile RAM
- SDRAM: Synchronous DRAM
3. Why Memory Forensic?
Traditional Forensic (Computer Forensic) focuses on:
- Data Recovery
- File Analysis
- Timeline Analysis
- Artifact Analysis
Memory Forensic focuses on:
- Process Analysis
- Malware Detection
- Rootkit Detection
- System State Analysis
4. Memory Image Acquisition
Method:
- Live: while the target computer is powered on (RAM is captured from the running system)
- Off: from artifacts left behind when the system is powered off
  - Hibernation file
  - Swap files
  - Dump files
- Local or remote acquisition
Challenges with Memory Forensic
- Structure: it is hard to determine the internal structure of a given region of memory.
- Volatility: data is not preserved once it changes; whatever was overwritten is gone.
5. Useful tools for Memory Forensic
Free: Belkasoft RAM Capturer, WinPMEM, DumpIt, Volatility
Commercial: FTK Imager, F-Response
6. Practical Case - Using Volatility
Steps:
- Find image info (OS version)
- Find suspicious network connections
- Use the malware detection option to check the related processes
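The three steps above map, in Volatility 2, to the `imageinfo`, `netscan` and `malfind` plugins. Step 2 produces a long table that has to be triaged by hand, so as an added example (not part of the original notes and not code from the Volatility project) the script below parses text in the layout of `netscan` output and flags the connections an analyst would look at first: established connections to addresses outside loopback and RFC 1918 space, rated high when the owning process is one that is not expected to talk to the network at all and medium when the remote port is outside a short list of common service ports. The sample output, the `NO_NETWORK_EXPECTED` list and the `COMMON_PORTS` set are constructed assumptions an analyst would maintain for their own environment; the remote addresses use RFC 5737 documentation ranges. The flagged PIDs feed step 3, and `malfind_command` builds the follow-up `malfind -p` invocation for them.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the column layout of Volatility 2's "netscan" plugin.
# This is example data, not output from a real image.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e1b2c30         TCPv4    192.168.1.20:49652             198.51.100.20:443    ESTABLISHED      2244     chrome.exe     2023-05-01 10:02:11 UTC+0000
0x3e2f4a10         TCPv4    192.168.1.20:49701             203.0.113.45:4444    ESTABLISHED      3512     svchost.exe    2023-05-01 10:05:43 UTC+0000
0x3e31d7f0         UDPv4    0.0.0.0:5355                   *:*                                   1184     svchost.exe    2023-05-01 09:58:02 UTC+0000
0x3e402880         TCPv4    127.0.0.1:49160                127.0.0.1:49161      ESTABLISHED      1020     lsass.exe      2023-05-01 09:57:40 UTC+0000
0x3e45aa00         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System         2023-05-01 09:57:12 UTC+0000
0x3e4b0c40         TCPv4    192.168.1.20:49722             198.51.100.7:8080    ESTABLISHED      5120     notepad.exe    2023-05-01 10:07:19 UTC+0000
"""

# The State column is empty for UDP sockets, so it is optional in the pattern;
# Pid is the first purely numeric token after the foreign address.
LINE_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>\S+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s+(?P<owner>\S+)\s+(?P<created>.*)$"
)

# Analyst-maintained lists (assumptions for this example, tune per environment).
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}
COMMON_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Conn:
    offset: str
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    owner: str
    created: str


def parse_netscan(text):
    """Turn netscan-style text into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        conns.append(Conn(d["offset"], d["proto"], d["local"], d["foreign"],
                          d["state"] or "", int(d["pid"]), d["owner"], d["created"].strip()))
    return conns


def split_endpoint(endpoint):
    """'host:port' -> (host, port int or None); works for '*:*' and IPv6 'a::b:port'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_internal(host):
    """True for loopback, link-local, unspecified, RFC 1918, or non-address tokens like '*'."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return True
    return (ip.is_loopback or ip.is_link_local or ip.is_unspecified
            or any(ip in net for net in RFC1918))


def triage(text):
    """Return the established external connections worth a closer look, with a reason."""
    findings = []
    for c in parse_netscan(text):
        if c.state != "ESTABLISHED":
            continue
        host, port = split_endpoint(c.foreign)
        if is_internal(host):
            continue
        if c.owner.lower() in NO_NETWORK_EXPECTED:
            severity, reason = "high", "process is not expected to make network connections"
        elif port not in COMMON_PORTS:
            severity, reason = "medium", f"external connection on uncommon port {port}"
        else:
            continue
        findings.append({"severity": severity, "pid": c.pid, "owner": c.owner,
                         "foreign": c.foreign, "reason": reason})
    return findings


def malfind_command(findings, image="memory.raw", profile="PROFILE_FROM_IMAGEINFO"):
    """Build the step-3 Volatility 2 command for the flagged PIDs (-p takes a comma list)."""
    pids = ",".join(str(p) for p in sorted({f["pid"] for f in findings}))
    return f"vol.py -f {image} --profile={profile} malfind -p {pids}"


if __name__ == "__main__":
    for f in triage(SAMPLE_NETSCAN):
        print(f"[{f['severity']}] pid={f['pid']} {f['owner']} -> {f['foreign']}: {f['reason']}")
    print(malfind_command(triage(SAMPLE_NETSCAN)))
```

Run it against saved `netscan` output instead of the sample by reading the file into `triage`. The image name and profile passed to `malfind_command` are placeholders; the profile string comes from the `imageinfo` step. Connections the rules skip (listening sockets, loopback, UDP, internal peers) are not declared benign, they are simply lower on the review order.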