Hello, everyone, and welcome to this session on memory forensics.
In this session, we're going to learn about memory acquisition and memory analysis.
In general, we can perform memory forensics in two main steps: memory acquisition and memory analysis.
These steps can be added right into our malware analysis methodology, and the process is similar. So first we want to know a little something about the malware. Then we want to run it in our environment, and this is where things change a little bit.
During memory acquisition, we capture or dump the memory of the system, running the malware using a memory acquisition tool.
The machine which we are dumping could be a machine on your local network, or it could be your lab machine.
Then, once we've got a memory dump, we can analyze it. That's the next step. And as the name implies in this step, we analyze the malware and extract malware artifacts.
Then, once we've analyzed the memory, we can accept the results or we can change the environment or continue along with the reporting process.
As we mentioned, memory acquisition is acquiring the physical RAM on our target machine and dumping it to a disk, and we can use any number of tools, and the process is quite simple.
If you're a fan of the command line, as I am, a tool you might prefer is DumpIt.
DumpIt is part of the Comae Memory Toolkit. I like this tool because it's easy to use, fast, efficient and free.
DumpIt comes with a 32-bit and a 64-bit version, and you can dump memory in a number of different formats, including Microsoft crash dumps.
The default method is crash dump, so by passing DumpIt the /T flag we can specify a raw memory dump with the raw keyword. Once you run the command and the capture is complete, we can analyze the memory.
Now, keep in mind, however, that in a live forensic situation the malicious software may already be running on the machine, so you can simply run DumpIt. If you're performing a memory acquisition in your lab, you'll need to make sure that you run the malware and give it a few seconds to finish its execution so that you can take a live snapshot of the memory.
Lastly, if you're performing memory acquisition on a machine that has a large amount of RAM, maybe a server, DumpIt also provides you some compression options that will reduce the size of the memory dump and make acquisition faster.
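As an added example, not code from this session or from the DumpIt tool itself: a small Python helper for the moment right after the capture completes. It checks whether the image on disk is a Microsoft crash dump (the DumpIt default, which starts with the PAGEDUMP or PAGEDU64 signature) or a headerless raw image (what the /T raw option produces), hashes the file in chunks so a multi-gigabyte dump does not have to fit in memory, and writes an acquisition record you can re-verify before analysis. The hostname, file name and file contents in the demo are constructed; the signature check relies on the crash-dump magic bytes, not on anything DumpIt-specific.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Magic bytes at offset 0 of a Microsoft crash dump, the format DumpIt writes by default.
# Full-memory dumps use PAGEDUMP on 32-bit Windows and PAGEDU64 on 64-bit Windows.
CRASH_DUMP_SIGNATURES = {
    b"PAGEDUMP": "windows-crashdump-x86",
    b"PAGEDU64": "windows-crashdump-x64",
}


def identify_dump(head: bytes) -> str:
    """Classify a memory image from its first 8 bytes.

    A raw dump (DumpIt with /T raw) is a flat copy of physical memory and has
    no file header, so anything without a crash-dump signature is reported as
    'raw-or-unknown' and must be treated as raw by the analysis tool.
    """
    return CRASH_DUMP_SIGNATURES.get(bytes(head[:8]), "raw-or-unknown")


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the image in 1 MiB chunks so a large dump never has to be loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_acquisition_record(path: Path, hostname: str, tool: str) -> dict:
    """Collect the facts an examiner records as soon as the capture finishes."""
    with path.open("rb") as fh:
        head = fh.read(8)
    return {
        "file": path.name,
        "size_bytes": path.stat().st_size,
        "format": identify_dump(head),
        "sha256": sha256_file(path),
        "hostname": hostname,  # supplied by the examiner (assumed, not read from the dump)
        "tool": tool,
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def verify_dump(path: Path, expected_sha256: str) -> bool:
    """Re-hash the dump before analysis and confirm it still matches the record."""
    return sha256_file(path) == expected_sha256


def demo() -> dict:
    """Run the workflow on a constructed 1 MiB stand-in for a DumpIt crash dump."""
    with tempfile.TemporaryDirectory() as tmp:
        dump = Path(tmp) / "LAB-VM-20240101-120000.dmp"  # constructed file name
        # Constructed content: crash-dump signature followed by zero padding.
        dump.write_bytes(b"PAGEDU64" + b"\x00" * (1 << 20))
        record = build_acquisition_record(dump, hostname="LAB-VM", tool="DumpIt")
        record["verified"] = verify_dump(dump, record["sha256"])
        print(json.dumps(record, indent=2))
        return record


if __name__ == "__main__":
    demo()
```

Run it against the real dump by calling build_acquisition_record on the DumpIt output file; the format field tells you up front whether the analysis tool should be told it is dealing with a crash dump or a raw image, and the stored hash lets you prove the file you analyze is the one you acquired.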
As you can see, the memory acquisition process is pretty simple. I debated showing you how to do this in the lab, but I think because this is a review course, you guys should be able to handle it on your own. So let's go ahead and move on to the memory analysis process.