Time
7 hours 26 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lab-based lesson covers the forensic acquisition of data from a PC that is still powered on. Participants receive step-by-step instructions for capturing volatile memory (RAM) with the AccessData FTK Imager tool, run from a forensic thumb drive so that the capture is written to that drive rather than to the evidence machine. The lesson also shows DumpIt as an alternative memory-capture tool, and a trusted-tools drive of command-line utilities that can be run on the victim machine instead of relying on the binaries it has natively installed.

Video Transcription

00:04
So the next part of this video will cover the forensic acquisition of data from a PC. We will start from a powered-on state for the PC, and then we will show you how to go about that process.
00:24
So from here, we can go back to our AccessData Forensic Imager. Just close out of this and go back into it again.
00:36
So from here, the nifty thing about the FTK Imager compared to the EnCase Forensic Imager is that the FTK Imager has the ability to gather the virtual memory from a machine. So if you were to take this and put it onto your forensic thumb drive, you could actually run FTK Imager from your forensic thumb drive and then gather the volatile memory from your victim machine.
01:17
So from here, we'll go to the File menu and we can scroll down to the icon that says Capture Memory, and then we're going to browse to the destination path. So we're going to again put this on our forensic thumb drive and click OK. I'm running this program from my desktop; however, you should be running this program from your thumb drive to ensure you're using forensically sound principles.
01:57
But we'll click OK, and then it's going to ask us to name the file, so we can name it. My computer's name is Enola ***, so we'll call it Enola ***.mem. And then it's going to ask you if you want to create an AD1 file, which is specifically for use with AccessData. We don't need any of that, so we can just click on Capture Memory, and it's going to start capturing the memory.
02:34
And as you can see, I have 35 gigabytes of volatile memory running in my RAM, and it will go through the process of collecting all of the volatile memory. So I will save you guys the wait time: I'll click Pause and we'll come back when this is finished.
02:59
Okay, so we're back now and we can see that the memory capture process has finished. It has sent the file to the E: drive as Enola ***.mem, and the memory capture finished successfully.
03:15
So if we go to the drive, we can see that it also now contains the Enola ***.mem file, and it provides the size of that file. That took roughly an hour and a half or so. So obviously, if time is of the essence and you have a computer that does have a very large cache of RAM, just be cognisant that it could take quite a bit of time to get that.
03:50
So if the case has been ongoing for quite some time and the incident is relatively old, it may not be in your best interest to do a memory dump. However, if you are interested in some of the running processes and things that can only be captured in the volatile memory, then that is something that you should definitely consider doing.
04:15
And, of course, there are other ways to obtain the volatile memory from a system. There are programs such as Mandiant's Redline that combine analysis and data capture into one tool, and I'll show you an example of that here in a couple of minutes.
04:38
Also, you could use a list of trusted tools from either a CD or a USB on the victim machine and run a series of commands from the command line that give you similar information as running the memory dump would. I'll demonstrate that here in a second for you.
05:05
So, as I was saying, the other thing that we could do is load our own trusted tools into the system, and we would be able to run similar commands from that trusted-tools list that we have on the victim machine. So what I've done is I've gone ahead and inserted my trusted tools into the computer system. Just scroll down and find it on this list; it is the H drive. So, as you can see, this is a removable drive, and it has quite a few programs on it that I might want to use in my forensic examination of a system.
05:55
So if you can see, I've got my MD5 program on there. I have a program that actually came with the thumb drive, the SanDisk SecureAccess. I have my trusted toolkit, and the actual presentation I'm working on now. I also have DumpIt, which will perform pretty much the same process that the FTK Imager did. By clicking on DumpIt, we get a pop-up that asks if we want to allow the device to make changes, and when you click on it, DumpIt will actually create a raw file of the volatile memory onto our removable thumb drive.
06:45
So that is another methodology that you could use, and then, as stated, we have the EnCase Imager that we could use on our victim machine, and then we also have some RAM capture tools that are also available for use.
07:05
But in this I've talked about trusted tools, and what the trusted tools are, essentially, are the command-line programs that you might be interested in running on a victim machine. You would never want to rely on the machine to use the programs that it has natively installed, because you don't know where those programs came from. You don't know if they've been altered, or even if they might be present on the system.
07:34
So this list here has a lot of the command-line programs that you would want to use, including our MD5 files, our hash files, the echo commands, this maps, and, scrolling down through here, PsExec, PsInfo, PsList, PsLoggedOn. So all of these commands would be very valuable and useful for you to use on a system, especially if you did not want to wait around to capture that volatile memory.
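Two checks a practitioner would want to automate around the procedure above: verifying that the trusted-tools drive still matches a known-good manifest before it is plugged into a victim machine, and hashing the captured .mem image so its integrity can be shown later. The following is an added example in Python, not code from the lesson or from FTK Imager or DumpIt; the manifest format (file name to SHA-256), the file names, the examiner label and the tiny stand-in image are all constructed assumptions.

```python
"""Verify a trusted-tools drive against a known-good manifest and record the
hash of a captured memory image. Added example, not part of the lesson; the
manifest format, file names and sample contents are assumptions."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1024 * 1024):
    """Return {algorithm: hexdigest} for a file, streaming it in chunks so a
    multi-gigabyte .mem image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_toolkit(tool_dir, manifest):
    """Compare every tool listed in the manifest against the file on the drive.
    manifest maps relative file name -> expected SHA-256 hex digest.
    Returns (ok, problems); problems lists missing or altered tools."""
    problems = []
    for name, expected in manifest.items():
        path = os.path.join(tool_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing: {name}")
            continue
        actual = hash_file(path, ("sha256",))["sha256"]
        if actual != expected:
            problems.append(f"altered: {name}")
    return (not problems, problems)


def record_acquisition(image_path, examiner, log_path):
    """Hash a memory image and append a chain-of-custody record to a
    JSON-lines log. Returns the record so the caller can inspect it."""
    record = {
        "file": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
        "examiner": examiner,
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def demo():
    """Constructed scenario (assumed names): a trusted-tools directory in which
    one tool was tampered with after the manifest was written, plus a small
    all-zero file standing in for a real RAM image. Returns the verification
    result and the acquisition record."""
    work = tempfile.mkdtemp()
    tools = os.path.join(work, "trusted_tools")
    os.mkdir(tools)
    good = {"PsExec.exe": b"psexec-binary-bytes", "PsList.exe": b"pslist-binary-bytes"}
    manifest = {}
    for name, content in good.items():
        with open(os.path.join(tools, name), "wb") as fh:
            fh.write(content)
        manifest[name] = hashlib.sha256(content).hexdigest()
    # Simulate tampering on the drive after the manifest was made.
    with open(os.path.join(tools, "PsList.exe"), "wb") as fh:
        fh.write(b"pslist-binary-bytes-with-implant")
    ok, problems = verify_toolkit(tools, manifest)

    image = os.path.join(work, "capture.mem")
    with open(image, "wb") as fh:
        fh.write(b"\x00" * 4096)  # stand-in for a real memory image
    record = record_acquisition(image, "examiner", os.path.join(work, "custody.jsonl"))
    return ok, problems, record


if __name__ == "__main__":
    print(demo())
```

The manifest is meant to be generated once on a clean workstation and stored off the drive; checking the drive against it before each engagement catches the case the transcript warns about, a tool that is missing or has been altered. Hashing the image with both MD5 and SHA-256 in one pass keeps the MD5 that older tooling expects while recording a digest that is still collision-resistant.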

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor