Part 8 - Volatile Memory Capture


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

This lesson covers volatile memory capture. There are numerous programs to accomplish this; some of the well-known ones are:
· FTK Imager
· DumpIT
· Mandiant Redline
The best practice is to use removable media with installed software, which captures volatile memory without adding files to the system that would cause valuable data to be overwritten. After the data is collected, the following takes place:
· Disk encryption
· Forensic imaging
· Volatile memory analysis
· Analysis of data
· Reporting

Video Transcription
00:03
Moving on from our trusted tools: after we have our toolkit gathered up, we can use other programs essentially to capture volatile memory. The trusted toolkit will help us gather information about that system at that command prompt level. But if we want to automate this process or capture the entire volatile memory, we can use FTK Imager, we can use DumpIT, or we can use Mandiant Redline. Any of those programs will essentially grab all of that volatile memory, all of that RAM, and then put that out to a file system where you can analyze that. We'll go over that in depth in the handling portion as well.

Remember though, the best practice in capturing this volatile memory is to use removable media with installed software to avoid adding files to the system that can overwrite data. Then the disk encryption process: after you've collected the volatile data, if you believe that the system may have BitLocker on it, which, if your system is running Microsoft Windows Vista or later editions, then it is highly likely that it at least has the ability to have BitLocker on it. If you're not familiar with what type of operating system you've discovered, you can open up a command prompt from your trusted toolkit and type in Winver, and that will give you the operating system. If you believe that the system does have BitLocker, you can type in the following command: manage-bde.exe -status. That will show you if BitLocker is enabled on the system. If BitLocker is enabled, you can type in the preceding command of manage-bde.exe -protectors -get. That will provide you the recovery password. Then once you get that recovery password, you're going to want to save that to some type of Notepad document onto your forensically wiped thumb drive or hard drive. That way you will have those encryption keys. You can go ahead and get that physical image of the device, and you'll be able to get into it and it will be useful.

The next step is going to be creating the physical image of your system's hard drive. There are both software and hardware imaging tools, and imaging allows the investigator, again, to work with that exact copy of the evidence without altering the original. Any type of media that you find on scene, via a thumb drive or a computer system, you can and should get a forensic image of those. Then in our hands-on portion, we will demonstrate how to collect the physical image of the USB thumb drive. Then Guidance Software produces some very high-quality hardware imaging devices where you do not need an operating system or a computer to collect an image; you can simply attach whatever device you have and hit a button, and it will send a bit-for-bit copy of the data on that system to your forensically wiped storage media. FTK Imager is also a great software imager, and it can be downloaded free from the AccessData website. We're going to cover both the FTK Imager and the EnCase Forensic Imager in the hands-on portion.

Moving on from the imaging, we can then go to look at some of the analysis of the data. There are several programs that can assist you and the investigator in analyzing volatile memory. Some of the most popular programs for analyzing that data include the program Volatility and then Mandiant Redline. The cool thing about Redline is that it is actually an acquisition program and analysis program in one. We'll cover the Redline program a little bit in our hands-on portion and explore some of the functionality of Redline. However, after we've captured our data and we have it on our forensic device, the next thing to do is analyze the data.

Once you have the data, what do you do with it? Investigators need to examine the data for evidence or indicators of activity that they believe may have happened. Depending on your case, you're going to want to start searching through various portions of your data to help determine or rule out that activity occurred. However, before beginning to do this search, you're going to want to have an idea of what you're looking for and where it may be stored within that data. Again, if you're imaging a two-terabyte hard drive or you have numerous hard drives, searching through those images could be time-consuming and cumbersome. Having an idea of what to look for and where to look for it is very important. Also, there are numerous forensic analysis programs that can help you to examine some of that data: FTK, EnCase, OSForensics, Autopsy. Those are some good programs that you can use. There are others out there; you could just Google them. Again, don't get married to just using one type of analysis program. It's good to know several of these, just because the user interfaces of them are different. Some of them provide different outputs and make the data easier to digest. Keep at least two of these in your toolkit for use. For what we're going to talk about in the hands-on portion, we're going to use Autopsy. Autopsy is a powerful free tool for forensic investigators. Then we'll go into a little bit of how to use Autopsy in that hands-on portion.

Then lastly, after we have conducted the analysis portion, we're going to get into the reporting portion. In the reporting portion, there are essentially going to be two types of reports. It's going to be your technical report, which details every [inaudible] that you have in very high-level tech speak that other forensic investigators and technically savvy people are going to be able to understand. The other type of report that you're going to have is going to be your investigative report. That's going to be something that a non-technical person can understand: a very cursory repetition of the who, what, when, where, why, and how. With each of those reports though, you should begin with a brief executive summary. Bottom line up front. This is what happened. This is what I found.

Everything in your report should be listed in a series and/or a timeline in some type of logical order. If you're investigating, for instance, a malicious insider threat: Mr. Smith badged in at the building at 7:05. I was able to determine Mr. Smith logged into his system at this time. Mr. Smith conducted this activity at this time. He then did this at this time. He badged out of the building at this time. All of that timeline helps to, one, make it easy for the reader to understand, but it also helps to tie your suspect or your event to that particular computer that you have been investigating. That timeline, again, is very important.

Then your technical reports should include all the software and the versions found on the victim machine. It should also include all the software and systems that were used by the investigator during your investigation. If you used Microsoft Word to take notes, or if you used EnCase to do your investigation, and you used FTK Imager to take an image of something, all of those things should be listed in that technical report. Then lastly, in that report, you want to stick with the facts. A repetition of Joe Friday: just the facts, ma'am. No conjectures in your investigative report. Your job as a forensic investigator is to essentially stick with those facts and just the facts, and then the lawyers, the attorneys, the administrators, they can come up with whatever conjecture that they want.

This will conclude, more or less, the lecture portion of forensics in support of incident response. We covered a lot of material. In this lecture, we covered the preparation phase of how to get ready to respond to that incident. We talked about how to sanitize and wipe our media. We've talked about what items should be listed and included in our toolkit. We talked about note-taking. Then we talked about the preservation phase of the investigation: how to identify essentially destructive activity, how to stop disrupting activity. Then from there, we talked about essentially starting to collect some data, going through and identifying on-screen data, finding and collecting that [inaudible] information, gathering the BitLocker encryption keys, and then forensically imaging some of the devices that we found: thumb drives, taking an image of the system hard drive. Then we talked about some of the analyses and the ways and programs that we can use to do our forensic analysis. Then lastly, we talked about reporting.

I know that's a lot of information, especially as some of this is very technical, and you're going to want to see this hands-on. As we discussed, look at the next video and we'll go into some of these forensic techniques and show you how some of these are done. Again, it'll be a very cursory, very short video; it won't be completely in-depth on how to do a 100 percent forensic investigation, but it will help explain some of the topics that we discussed in today's lecture. Thank you. I hope you enjoyed the video. Come back to Cybrary again for more exciting classes.