Part 8 - Volatile Memory Capture: Incident Response and Advanced Forensics Course | Cybrary

Video Activity

Create Free Account

This lesson covers volatile memory capture. There are numerous programs to accomplish this; some of the well-known ones are: · FTK Imager · DumpIT · Mandiant Redline The best practice is to use removable media with installed software, which captures virtual memory while not adding files which causes valuable data to be overwritten. After the data i...

Sign up with

Or

Already have an account? Sign In »

Time

8 hours 6 minutes

Difficulty

Intermediate

CEU/CPE

4

Create Free Account

This lesson covers volatile memory capture. There are numerous programs to accomplish this; some of the well-known ones are: · FTK Imager · DumpIT · Mandiant Redline The best practice is to use removable media with installed software, which captures virtual memory while not adding files which causes valuable data to be overwritten. After the data is collected; the following takes place: · Disk encryption · Forensic imagining · Volatile memory analysis · Analysis of data Reporting

00:03

so moving on from our trusted tools after we have our tool kit gathered up,

00:09

um, we can use other programs essentially to capture volatile on them.

00:16

Eso trusted tool kit will help us gather information about that system that command prompt level. But if we wanna ought to make this process of capture the entire volatile memory, we can use empty K imager

00:34

within you to dump it. Or we can use Mandiant rabble.

00:38

So with any of those programs,

00:42

essentially grab all of that volatile memory, all of that ramp, and then put that out to a file system where you can analyze that will go over that in depth in the hands of fortune. Well,

00:54

remember that the best practice on capturing this volatile memory is to use removable media with installed software to avoid adding files to the system that can overwrite data

01:08

and then the disc encryption process. After you've collected the volatile data. If you believe that the system may have been a locker on it, which if your system is running Microsoft Windows, Mr this tow or later additions,

01:27

then it is highly likely that at least has the ability to have

01:34

bit locker on it.

01:34

So if you're not familiar with

01:38

what type of operating system that you've discovered,

01:42

you can open up a command prompt from your trusted tool kit

01:48

and type in wind vert, and that will give you the operating system.

01:53

If you believe that system does happen, that locker you can type in the file in command of the manage Dasha bt dot in the XY

02:04

space dash status on that will show you a bit. LOCKER isn't able on the system.

02:12

If bit locker isn't able, you can type in the proceeding command of the managed Ashmead E X e

02:20

dash protectors dash get, and that will provide you the recovery password. And then once you get that recovery pass work, they're going to want to save that to some type of note. Pat documents

02:34

onto your

02:37

forensically wiped thumb drive hard drive on. That way you will have those encryption keys so you can go ahead and get that

02:49

physical image of the device and that you'll be able to get into it and it will be useful.

02:55

The next step is going to be creating the physical image of your systems hard drive,

03:05

and there are both software and hardware in the gym, too,

03:07

and imaging allows investigator again toe work with that exact copy of the evidence without altering the original.

03:15

So any type of media that you find seeing via some Dr

03:21

or a computer system you can and should get a forensic image of those.

03:29

And then in our hands on portion, we will demonstrate how to collect a physical image of the USB thumb drive.

03:38

And then guided software produces some very high quality, hard work imaging devices where you do not need an operating system. Our computer to collected images simply attach whatever device you have on hit a button, and it will

03:54

send a bit for bit copy of the data on that system to you forensically white storage medium

04:02

F T K imager is also a great software imager, and it could be downloaded free,

04:08

uh, from the Access Data website, and we're gonna cover both E. F T K imager and the INCASE Forensic imager in the end zone portion.

04:21

So moving on from the imaging, we can then go to look at some of the analysis of the data.

04:28

So there several programs that can assist you and the investigator on analyzing volatile memory. Some of most popular programs for analyzing that data include the program of Volatility and then the Mandy. It's Red Line.

04:46

The cool thing about Red Line is that it is actually

04:50

on acquisition program and analysis program in one

04:56

So and we'll cover the Rat Line

04:59

program a little bit in our hands on portion and explore some of the functionality of red.

05:09

However, after we captured our data and we have it on our forensic device, the next thing to do is

05:16

analyzed to death.

05:18

So once you have the data, what do you do it?

05:21

Investigators need to examine the data for evidence or indicators activity that they believe may have happened.

05:30

So depending on your case, you're going to want to start searching through various portions of your data to help determine rule out activity. Hurt.

05:44

However, before beginning to do this search, you're gonna want to have an idea of what you're looking for, where it may be stored within that data

05:51

again. If you're imaging a two terabyte hard dry are you have numerous hard drives. Searching through

06:01

those

06:02

images could be time consuming and cumbersome

06:08

eso having an idea of what to look for and where to look for it is very important.

06:13

Also, there are numerous forensic analysis programs that can help you to examine some of that data. So f k in case OS forensics autopsies. Those are Cem Cem, good programs that you've been used there, others out there You could just google them,

06:32

uh, again,

06:33

Don't get married to just using one type of analysis program. It's good to know several of these just because the user interfaces of them are different. Some of them provide different outputs on make the data easier to digest. So

06:54

keep

06:54

at least two of these in your tool kit for use for what we're going to talk about in the end zone portion, we're going to use autopsy. An autopsy is a powerful free tool for forensic investigators. And then we'll go into a little bit of how to use autopsy

07:13

in the hands of fortune.

07:16

And then lastly, after we have conducted wth Ian Alice Portion, we're going to get into the forensics portion.

07:27

So are the recording portion. I'm sorry.

07:30

So

07:32

the reporting portion there is essentially going to be two types Of course, I want to be your technical report, which details every flying that you have in a very high level text speak

07:46

that other forensic investigators and technically savvy people are going to be able to understand

07:54

the other type of report that you're going to have this room to be Your investigative report on. That's going to be something that a non technical person can understand. A very cursory, uh, repetition of the who what, When, Where, Why and how.

08:09

With each of those reports that you should begin with a brief executive summary Bottom line up front, this is what happened. This is what I found.

08:22

Everything in your report should be listed in a Siri's and our timeline in some type of logical work. So if you're investigating, for instance, malicious insider threat,

08:37

uh, you know Mr Smith badge in it. The building at 705 I was able to determine Mr Smith logged into his system at this time. Mr. Smith conducted this activity at this time. He then did this at this time. He badged out of the building at this time.

08:56

And all of that timeline

08:58

helps to one make it easy. for the reader to understand that it also

09:05

helps to tie your suspect. Are your event to that particular computer

09:13

that you have been investigating? So that timeline again, it's very important.

09:18

And then your technical reports should include all software and the versions found on the victim machine. It should also include all the software and systems that were used by the investigator during your investigation. So you use Microsoft Word taking that

09:37

you used

09:37

in cakes to do your investigation. Used FBK imager to take an image of something. All of those things should be listed in that technical.

09:52

And then lastly,

09:54

in that report, you want to stick with fax kind of a repetition of Joe Friday. Just the facts, ma'am. No conjectures in your investigative report. Your job is a forensic investigator is to essentially

10:09

stick with those fax and just the fax. And then the lawyers, the attorneys, the administrators, they can come up with whatever conjecture that they want.

10:22

So this will conclude the more or less lecture portion of forensics and support of incident response. We covered a lot of material in this this lecture. We covered the preparation phase of how to get ready

10:41

to respond to that incident.

10:45

We talked about how to

10:46

sanitize and wipe our media when they talked about what items should be delisted included in our tool kit. We talked about note taking.

10:58

Then we talked about the preservation bays of of the investigation have to identify. Essentially destructive activity had stopped destructive activity.

11:09

Then, from there we talked about essentially starting to collect some of that data going through and identifying on spring death finding, collecting that volatile information, gathering wth e bit locker encryption keys and then gathering

11:30

forensically imaging

11:31

some of the devices that we found a thumb drive

11:35

taking an image of the hard drive system. Then we talked about some of the analysis on the ways of programs that we could use to do our forensic analysis. And then lastly, we talked about reporting.

11:48

So no, that's a lot of information, especially some of this is very technical, and you're gonna want to see this hands on. So a CZ we discussed

11:58

Look at the next video and we'll go into some of these forensic techniques and show you have some of these were done again. There will be a very cursory bird short video the completely in depth of how to do 100% forensic investigation That will help explain

12:20

some of the topics that we

12:22

discussed in today's lecture. So thank you. I hope you enjoyed the video. Come back to Cyberia again for more exciting classes.

Part 9 - Forensics in Support of Incident Response

Part 10 - Formatting a disk for Incident Response

Part 11 - Using the FTK Imaging Software

Part 12 - The Forensic Acquisition of Data from a PC

Part 13 - Navigating the H Drive

Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack. Why do I need this certification? As a part of the Incident Response process, ...

VP, Cybersecurity Incident Response Planning at JPMorgan