Forensics Process
Video Transcription
00:00
Hello, everyone, and welcome to this session on memory forensics.
00:04
In this session, we're going to learn about memory acquisition and memory analysis.
00:11
In general, we can perform memory forensics in two main steps: memory acquisition and memory analysis.
00:18
These steps can be added right into our malware analysis methodology, and the process is similar. So first we want to know a little something about the malware. Then we want to run it in our environment, and this is where things change a little bit.
00:32
During memory acquisition, we capture or dump the memory of the system, running the malware using a memory acquisition tool.
00:39
The machine which we are dumping could be a machine on your local network, or it could be your lab machine.
00:45
Then, once we've got a memory dump, we can analyze it. That's the next step. And as the name implies in this step, we analyze the malware and extract malware artifacts.
00:54
Then, once we've analyzed the memory, we can accept the results or we can change the environment or continue along with the reporting process.
01:03
As we mentioned, memory acquisition is acquiring the physical RAM on our target machine and dumping it to a disk,
01:10
and we can use any number of tools, and the process is quite simple.
01:14
If you're a fan of the command line, as I am, a tool you might prefer is DumpIt.
01:19
DumpIt is part of the Comae Memory Toolkit. I like this tool because it's easy to use, fast, efficient and free.
01:26
DumpIt comes with a 32-bit and 64-bit version, and you can dump memory in a number of different formats, including Microsoft crash dumps.
01:37
The default method is crash dump, so by passing DumpIt the /T flag, we can specify a raw memory dump with the raw keyword. Once you run the command and the capture is complete, we can analyze the memory.
01:51
Now, keep in mind, however, that in a live forensic situation the malicious software may already be running on the machine, so you can simply run DumpIt. If you're performing a memory acquisition in your lab, you'll need to make sure that you run the malware and give it a few seconds to finish its execution so that you can take a live snapshot of the memory.
02:09
Lastly, if you're performing memory acquisition on a machine that has a large amount of RAM, maybe a server, it also provides you with some compression options that will reduce the size of the memory dump and make acquisition faster.
02:24
As you can see, the memory acquisition process is pretty simple. I debated showing you how to do this in the lab, but I think because this is a review course, you guys should be able to handle it on your own. So let's go ahead and move on to the memory analysis process.