Part 12 - The Forensic Acquisition of Data from a PC

Video Activity

This lab-based lesson covers the forensic acquisition of data from a PC. In this lesson, participants receive step-by-step instructions in this process using the Forensic Data Access Imager tool. This tool is able to gather the virtual memory from a machine, and it can then be loaded onto a forensic thumb drive.


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Transcription
00:04

The next part of this video will cover the forensic acquisition of data from a PC, and we will go from a powered-on state for the PC, and then we will show you how to go about that process. From here, we can go back to our AccessData forensic imager. We'll just close out of this and we'll go back into it again. From here, the nifty thing about the FTK Imager, compared to the EnCase Forensic Imager, is that the FTK Imager has the ability to gather the virtual memory from a machine. If you were to take this and put it onto your forensic thumb drive, you could actually run FTK Imager from your forensic thumb drive and then gather the volatile memory from your victim machine.

From here, we'll go to the File menu, and we can scroll down to the icon that says Capture Memory. Then we're going to browse to the destination path. We're going to again put this on our forensic thumb drive and click "Okay". I'm running this program from my desktop. However, you should be running this program from your thumb drive to ensure you're using forensically sound principles. Then we'll click Okay. Then it's going to ask us to name the file. We can name it; my computer is EnolaGay. We'll call it EnolaGay.mem. It's going to ask you if you want to create an AD1 file; that's specifically for use with AccessData. We don't need any of that, so we can just click on Capture Memory, and it's going to start capturing the memory.

As you can see, I have 35 gigabytes of volatile memory running in my RAM, and it will go through that process of collecting all of the volatile memory. I will save you guys the wait time. I'll click "Pause" and we'll come back when this is finished.

We're back now, and we can see that the memory capture process has finished. It has sent the file to the E drive, EnolaGay.mem, and memory capture finished successfully. If we go to the E drive, we can see that it also now contains the EnolaGay.mem file, and it provides the size of that file. That took roughly an hour and a half or so. Obviously, if time is of the essence and you have a computer that does have a very large cache of RAM, just be cognizant that it could take quite a bit of time to get that. If the case has been ongoing for quite some time and the incident is relatively old, it may not be in your best interests to do a memory dump. However, if you are interested in some of the running processes and things that can only be captured in the volatile memory, then that is something that you should definitely consider doing.

Of course, there are other ways to obtain the volatile memory from a system. There are programs such as [inaudible], that combine analysis and data capture into one tool. I'll show you an example of that here in a couple of minutes. Also, you could use a list of trusted tools from either a CD or a USB on the victim machine, and run a series of commands from the command line that get you similar information as running the memory dump would. I'll demonstrate that here in a second for you.

As I was saying, the other thing that we could do is we could load our own trusted tools into the system, and we would be able to run similar commands from that trusted tool list that we have on the victim machine. What I've done is I've gone ahead and inserted my trusted tools into the computer system. I just have to scroll down and find it. It is listed as the H drive. As you can see, this is a removable drive and it has quite a few programs on it that I might want to use in my forensic examination of a system. As you can see, I've got my MD5 program on there; I have a program that actually came with the thumb drive, the SanDisk SecureAccess; I have my trusted toolkit, the actual presentation that I'm working on now. I also have DumpIt, which will perform pretty much the same process that the FTK Imager did. By clicking on DumpIt, you get a pop-up that asks if we want to allow the device to make changes. When you click on DumpIt, it will actually create a raw file of the volatile memory onto our removable thumb drive. That is another methodology that you could use. Then, as stated, we have the EnCase Imager that we can use on our victim machine. Then we also have some RAM capture tools that are also available for our use.

Thus, I've talked about trusted tools. What the trusted tools are, essentially, is the command-line programs that you might be interested in running on a victim machine. You would never want to rely on the machine to use the programs that it has natively installed, because you don't know where those programs came from. You don't know if they've been altered or even if they might be present on the system. This list here has a lot of the command-line programs that you would want to use, including our MD5 files, or some hash files, the echo commands, disk maps; we scroll down through here. The Ps.exe, PsInfo, PsList, PsLoggedOn. All of these commands would be very valuable and useful for you to use on a system, especially if you did not want to wait around to capture that volatile memory.