4.1 Memparser

00:01

Hi. Welcome back to the course In the last month, we were analyzing how to create in much files from different devices on Dr Using the Dorado Birdy de. It is very important that you learn how to create this image is. So if you haven't done it, a recommend looking at the videos in the previous model

00:17

in this mortal, we're going to analyze some forensic memory analysts, tools and techniques you will learn. Why is memory analysis relevant? The pros and cons off some tools and techniques on how to use them in your investigation? We're going to have some labs for youthful world practice on. That's useful.

00:35

We'll be asking you some questions on the way to test, you know, polish

00:40

before starting. Here's a quick pre assessment question for you.

00:43

We're in the computer, decides information such as network connections, common history or information related to executing applications.

00:51

Do you think it's a random access memory or be lookout safety

00:56

or C hard drive? Or maybe the USB drive

01:00

If you say they are correct,

01:03

this information is also known as bullets and information and can get lost if the computer gets on. Looked

01:11

different stories her friends have demonstrated that forensic physical memory analysis has girlie world from basic techniques. So she's through searching to more complex methods

01:21

as computer model words becomes more sophisticated to something. Knicks for memory analysis suffer inadequacies. Even this is essential. Took some tools and techniques for physical memory analysis.

01:33

But in the cylinder behavior limitation of advantage, it's possible down to select the most suitable solution

01:38

to find the little obvious traditional forensic procedures or something. Storage devices such as hard dicks by acquiring an exact sector by sector copy for later analysis.

01:49

Even though this forensics provides five system data social storage files on stop programs, several reasons prevent from solely applying this matter.

02:00

First, they're great time to eat much. A hard disk increases proportionally. Tow her. Discuss Storace capabilities. Those imagine large scale hard disk is not convenient when time is a crucial factor. Secondly, since this game machine requires employees in the system,

02:15

our level of the system is interrupted, which might be expensive and inconvenient for companies

02:22

moral where all of the watertight information so just endure carnation common history or information related to execute an application is lost.

02:30

This information recites in random access memory or RAM

02:35

on it is not possible to access it by means off this currency is therefore, memory for in six becomes the cornerstone to find significant evidence. A differentiation in memory of Phoenician should be noted

02:49

in we lose operating system the Windows Manager Mob spacious in beautiful memory Tau Bay just in physical memory.

02:55

This means that either contemporary recite in visual memory on afterwards be located at a specified address in memory.

03:04

That is, physical memory provides the main stories well built from memory optimizes the use of physical memory.

03:09

This concept are relevant since my work is capable to hide itself with a living, any trace of activity,

03:16

the mechanism they apply directly affected the operating system. In consequence, since operating system is compromised, the mechanism for memory management might be compromised us well

03:28

because off this, it is no longer possible to rely on the information it provides.

03:32

Earlier times to establish memory scanning techniques clearly declared the need for memories coming essential idea is to obtain a reliable information off the system. State running processes right on applications that could be manipulated to produce first data. Therefore, the only solution available is to take snapshots off the memory state

03:52

along with the static memory.

03:54

Do not forget to create an integrity check using nd five soon before starting any analysis or by running it during the execution off D D. That exit.

04:04

We can achieve this with Dede. The following is an example of the same tax it will copy. See Dr Calculate identifies. Check some. I'm very fighter assaulted a march against the check some.

04:18

I recommend looking at the previous model for ruling needy Commons.

04:24

Feel free to post a video to take notes off the common displayed

04:29

before jumping into tools and techniques for memory analysis. We need to analyze memory acquisition Will ever studied how to acquire images we devi but for obtaining physical memory. Did he won't work in most recent version Off Windows Memory Forensics is becoming an essential aspect off digital forensics. On is your response.

04:46

When a system is believed to have been compromised or infected, the misty Esther needs a convenient way to take a memory snapshot off the host. While analyzing memory requires set off skills are crying. Memory is not that difficult. All thanks to the new tools available.

05:03

Don't it make this possible, even if the person in front if ate the computer is not technical.

05:10

One of the major benefit off a bit

05:12

is that it is very easy to use any user with the minister of religious can use it.

05:17

The person needs to simple, double collected armpit executable on allow the tools to room

05:24

dump. It will take

05:26

this snapshot of the host physical memory and save it into the fold. Their word to executable is located

05:31

since number it is a simple tool. It doesn't have any analysis capabilities. Here is where the tools from memory analysis are needed.

05:42

Across dump can be the result off instability on the system internally when across stomach yours, the system status frozen on the content of the physical memory. Our swat A copy to risk.

05:55

The result is a crushed don't file with the contents off the ram on extra work. In information,

06:00

Windows provides a keyword configurable feature to generate don't files. They are put file. Is that the MP format comfortable on Lee with Microsoft tools? This format that's information off Cebu State.

06:16

The advantages of thes is that the file obtained from across stump is a fold less copy off the room

06:23

on disadvantages is that the formal snow specifically for forensic but for the booking purposes.

06:29

Currently, many dumb versions are available. Complete domes are not available there. Too many issues with coffee you're in the future

06:38

Intercourse to reload. The system for the changes to consider on its unity is limited to a specific keep or driver.

06:45

We can access this functionality in the control panel off any Windows computer. Under the system of van settings, it is usually located on the startup on recovery settings.

06:56

There are different techniques from memory analyses, one off the most traditional techniques in memory. Forensics is the search for valuable string, such as password or network grasses, that are relevant for the investigation as the meat advantage we have that it is easy to youth. But the advantages

07:15

are. These techniques, except for the cluster in algorithms, provide information without an oral context. Mostly, it is inferred by an investigator. It is undesirable to apply this technique without a set off prettified keywords. To pursue

07:30

another technique is finding process objects.

07:34

Techniques based on the detection of processes are a reliable source for finding evidence off my work seems a threat, which does not belong to any process. It's more likely to be a suspicious object.

07:46

Domain Drew back relies on the fact that sizes and the valleys off the structure do change between Windows operating systems operations service packs,

07:57

finding objects in natural.

07:59

It is also common technique.

08:01

Object of specific signatures can be used to identify them in memory. The main approach is to scan the pull off signatures to the identified hidden objects.

08:13

We have started the techniques. Now let's take a look at the tools from memory Analysis

08:18

Member, sir. A tool by Chris Bets

08:22

enables examiner to load a physical memory dump or image off a certain window system who construct the process information on except data relating to a specific processes.

08:33

The process environment option may include a full past, the secure A ball and common lying processes.

08:39

It has to display Laura Delis option, which prize at least off dynamic libraries that were associated with the process in question.

08:48

It can save the contents of process memory toe a fire strings on oil. More specific information can also be extracted.

08:58

Volatility is an open source. Man more forensics framework for incident response on my were analysis

09:05

useful for analyzing run into little on 64 bit systems.

09:09

Volatilities smoother design on the fact that it is returning fightin

09:13

alos toe easily support new braking systems on architectures as they are released.

09:20

It supports a malicious for Lennox. We look smack on under systems

09:26

it can analyze. Rodham's Crash Dome's being weird dumps people don'ts of many others.

09:35

Okay, here's a post assessment question for you.

09:37

We surely it's not a technique for memory analysis. Is it a string searching or be finding process Objects or C findings, objects in the chores or the imagine partitions

09:52

he here. The answer is the assimilation partitions, and this is a process that must take place before the analysis.