Memory Analysis Explanation


Time
1 hour 21 minutes
Difficulty
Intermediate
CEU/CPE
2
Video Transcription
00:00
Hello, my name's David. Welcome to Analyzing Attacks. That's right.
00:07
Think of yourself as a doctor, and a patient has shown up
00:11
with a multitude of different symptoms, and you as the doctor have to be able to figure out exactly what's wrong with the patient. You know, incident handling and incident response really isn't a lot different from that type of activity.
00:32
And as one gets older and one's memory begins to fade,
00:37
you still go to see doctors, and
00:41
they still attempt to figure out what the problem with the memory loss is. And when it comes to computers, the memory is there, and, the way I'd put it, it's kind of a part of the entire
00:59
portion.
01:00
So if you think of your computer as a person, you've got different aspects of it: you've got the network data, you've got hard disk activity, you've got user information. You have
01:15
environmental factors like network connections, Wi-Fi connections, Bluetooth.
01:19
And then you also have memory, which corresponds sort of to human memory, and you can see it there in a little chalk drawing. Memory
01:34
is a part of your skull, which is true for your computer too. It's part of the brain and of every process, which is true for computers too.
01:42
All those kinds of things do come into play with memory. So as we talk about memory analysis,
01:49
we can kind of use those analogies to help you with this process itself. So,
01:57
short, sweet, simple definition: the examination of all the data in a computer's random access memory, or RAM as it's known
02:08
by most people, R-A-M abbreviated as RAM. Everybody talks about RAM. Most people that are involved in computers automatically know what RAM is and how it operates. For us, we're gonna take sort of a middle-of-the-road approach.
02:28
So when we talk about volatile data,
02:30
we're talking about data that can change quickly.
02:34
I think of it as short-term memory in the human body. So you could be talking about a whole host of things. Browsing history could be stored in the RAM. Clipboard contents can be recovered from RAM, passwords, network information, and a whole bunch more.
02:53
RAM is
02:57
very important, as I said in episode one. It's important, but it's also overlooked in many incident response scenarios, even in the real world.
03:09
When I worked as a consultant, we would ask our routine set of questions. If you remember back to the scenario I presented you with,
03:17
we would ask our routine questions there too. One of our questions would be: can we get a memory capture?
03:28
And more often than not, the answer would be, oh,
03:31
well, we already shut the system down.
03:35
That doesn't necessarily preclude you getting a memory capture, which we'll talk about in the future, but it does hinder getting live
03:45
memory. Live memory is definitely what we want to go to do your memory analysis. But if you can get a mem file or a hibernation file or something from the system shutdown process, you could also utilize that as a snapshot in time of what that computer's memory was doing.
04:05
Keep in mind here,
04:06
everything, nearly everything in the operating system
04:12
of an active computer traverses across the RAM: processes, threads, malware,
04:20
network sockets, URLs, IP addresses,
04:25
any open files,
04:27
user-generated content. It could be stored in memory until it is saved down. Registry information can also be recovered from RAM, and
04:39
I kind of want to mention here: think of this again holistically.
04:45
Whereas RAM can give you a good snapshot, you also need to be comparing your findings from your memory analysis with disk forensics,
04:54
with network analysis if it's underway, with any kind of network forensics that may be going on, so that you can get a holistic view.
05:02
If you come upon a stream in the woods
05:05
and you just look at the stream, then
05:09
you don't get a picture of the entire stream or river. I live in a country setting; I grew up in a country setting, and a big rule when we were growing up was never drink from the stream unless you know what's going on upstream.
05:30
We learned that lesson one time when we were
05:32
wading and swimming in a river.
05:38
And we were just having a good old time, being the carefree youths that we were, and my father said, hey guys, I want you to come over here, walk up around the bend in the stream, and look at what's going on. And so we walked up around the bend with him, and there's a herd of cattle
05:57
in the stream,
05:58
doing their business.
06:00
Let your imagination run away with that. Let's just say we weren't as enthusiastic about getting back into the stream after we saw what was going on a mere hundred yards away from us. So keep that in mind when we're talking about memory: it's part of
06:18
the entire process. And if you're only running off of memory, you're not gonna get everything.
06:24
You'll get a good snapshot, but you need the other information as well in order to provide you with
06:31
everything.
06:33
The Order of Volatility link down there at the bottom of my PDF gives you the entire breakdown of the order of volatility. I've shortened it for the purpose of this episode because we're focused more on memory than we are on some other data. So I kind of took it and
06:54
crafted it a bit for us. So we see registers and the cache first. They're the most volatile; they can change in a matter of nanoseconds while the system is running.
07:08
Then you drop down in the order of volatility to something that's not quite as volatile: you've got the routing table, you've got memory, which we're talking about, the RAM, the ARP cache, and a lot of other things.
07:23
They can change rapidly as long as the system is operating.
07:27
If power is lost to the system or it's shut down, then all of those could be lost as well.
07:34
Drop down even further in the order of volatility and you've got the hard disk, which is fairly static: if the system is shut down, it's not gonna change. But if it's running, then there are changes occurring
07:47
to that hard drive. That has changed with the advent of SSD drives.
07:55
They are more volatile than regular hard disk systems; they can still be imaged, but they are treated slightly differently than regular platter disks. But our focus is on the memory, the random access memory,
08:13
and it is, when the system is running, gonna be changing continually.
08:18
So you need to know this when you're approaching a system that may be infected or is known infected, so that you know which parts of the volatile memory to grab as quickly as possible.
08:31
Your process for this is, first, collect the memory,
08:37
which is one of our focuses here. But I do want you to understand that there's other volatile data that you can capture during the incident response process with the forensic imaging of a running system. That volatile data would be things like your ARP cache; it would be things like your network
08:56
information. It could be running processes, using, say, Process Explorer or similar.
09:03
Once you have all that information pulled off of a running system,
09:09
you analyze it offline using tools that we're gonna talk about, and then you proceed with your traditional storage forensics. There are a ton of tools out there available. We don't have time in this module to show you all of them.
09:24
These are just examples. Some capture tools: WinPmem; Belkasoft has something called the Live RAM Capturer. My personal favorite is FTK Imager. Mandiant has Redline.
09:39
There are a ton of others available for you to capture memory, and we will have
09:45
a lab where you actually use FTK Imager to capture live memory from a system. A couple of warning words for you here at the end:
09:56
running any capture tool on a live system is gonna change information.
10:00
That's called Locard's principle,
10:03
which basically means any contact leaves a trace. So
10:07
when you're working with a live system, you have to remember that and be able to explain it as well. Now,
10:15
there are some workarounds: use hardware, or you can create a hibernation file if possible, or if it's a virtual machine, snapshot it, and that will create a memory capture for you to use.
10:28
Another brief introduction, a little more in depth, on memory analysis. If you have any questions, I'm on Cybrary. Have a great day.