Using FTK for Memory Analysis

00:00

Hello. My name's David. Welcome to analyzing attacks

00:05

we're talking about analyzing, dear

00:08

and one off the ways that you can analyze

00:14

Anyone.

00:15

Come on. Is our third upsetting? Yes, I know. You know, I know, memory announces, and that's what we've been talking about in our last medicine. Uh, let me do a quick review here at the beginning of this episode before we drop right into you came in.

00:33

Memory analysis is part of your forensic process,

00:36

right?

00:38

Is part of

00:40

gathering bullet. How data?

00:43

It's extremely important. But

00:48

that's that pause was for you to fill in the blank.

00:51

Extremely important, but often or gotten. Yes. Now, uh, for you, as an incident handler, you need to be very much aware of memory announced. Uh, hopefully after going through,

01:08

of course you are aware of it. And you do have a handle somewhat on the tools that you need one of riches of a majority,

01:17

more in depth. Look at as we get through this this together, there are other tools. Veil

01:25

due to time constraints. Um, we are going to be able to hit a lot of those other tools. However, you do need to be aware that that's part of the learning process. Side very has a number, of course, is available to you on visual forensics.

01:42

And now our analysis that you could actually go out and Maur about this topic on, please.

01:48

These do so, um I am a big advocate of kitchen. You will learn. I myself am continually learned. Just today I learned something new and I put my hands up in the air and I rejoice because I have learned something new today. How many of you?

02:06

How many of you have when you learned something? D'oh! Yes, yes, New information.

02:14

Okay, that's a little over the top. But I am a firm believer in trying to learn something new every day. So I hope you are too. Because that's how you grow. You advance

02:25

in the world.

02:28

Now, Frankie can amateur go and visit accessed Data's website now product download site, which is there on the screen or you. And it's also in course materials that you go out and download at K Image

02:40

access data makes you now register for a UK imager is still free. But you do have to register. So

02:49

I didn't do that on download it now. Imager is a robust. It's used for a multitude of different things. At least I use it for a multitude of different things.

03:01

It's the same with anything in life of what you originally learning used kind of sticks with you until you're forced to change.

03:13

Um, so I started way over 15 years ago, working in digital forensics and UK image was big back then.

03:22

Eso it's continued to grow over time. It's not a static tool. Thankfully, they continue to update it, but it's still one of my favorite tools.

03:32

Just yesterday I was imaging on SST are driving a laptop, was talking about the process with one of your teammates, and they said what used and is that not so left a image and kind of went a manager was like, Whoa, yeah, why? I would not

03:53

anxious That's old school.

03:55

And he sort of is, um,

03:59

but I like it because I learned it way back in the day, so I carried on now. Imager didn't not only captured memory, but it's also used for making disc images on also of something not so much me. Some people actually use it. The triage Ah, hard drive image.

04:17

Hopefully not the original One of the principles of digital forensics is that you don't want on

04:24

the original disk. Were our economy of this or legal purposes,

04:30

You know, what a mess with the original week Did you change it and thus allow the defense to get that

04:41

piece of evidence excluded in trial? So use a condom.

04:45

Remember the locker principle? Every touch leaves a trace.

04:49

So if you're gonna use FBK image or on a live system, keep in mind that you're gonna cost changes to the memory because that's the nature of memory. Insert a USB drive into a system. It's gonna cause changes. But the hard driving also remember, be able to document there's changes

05:09

able to explain them.

05:11

Um, if you ever have to go to court to testify, it's important to be able to acknowledge changes and describe what changes a herd s O that

05:21

you can't be accused of tampering with evidence or planning at a couple little warning kibitz and therefore you just make your way. Now this is a screen capture from access data is at the K imager.

05:35

This is ah, slightly outdated version. So one that I had on my laptop.

05:42

So when you downloaded and they have some changes to it, but it'll still be relatively the same. Um, as you can see, I selected memory capture, which will get through live here in a few minutes just so you can see it in actual action.

05:59

Uh, you have to choose the location and would your store

06:02

s so that you can actually extract the memory from system to a system that you can remove it and examine off line.

06:14

And then once you begin, of course, it's good that at Ikea will actually bring up a progress more so that when you're sitting there in front of the system, you can actually reward or how long it's gonna take

06:25

or to create his memory image. And you will also be able to clearly identify stunt that could be good and bad.

06:32

We were doing a live triage system not too long ago. Um,

06:39

the process progress bar came up and it ran for three days. Now was more than a memory doubt that was actually pulling a lot of other information as well on then, sending it to a network location off the main network. So

06:56

rain for three days. Um, it didn't move.

07:00

So we have happened to restart. Process on. That could be handy for you to know, Uh, so that you'll be caught short. Uh, if something goes world And

07:12

hey, we work in I t write technical difficulties. Come with the job. Remember, Just because you're the expert just because you're a subject matter expert, does that mean that you're not gonna run in different homes?

07:26

So even experts have problems Now I drop in on a little warning. Will Roberts here Horning Aziz remind warning. Will Robinson Danger, Danger. Danger

07:39

that depending on the size of the memory in the system, you're imaging the carded media has toe have sufficient storage space to hold the image.

07:54

You want me to say that again?

07:56

Because I will.

07:57

We happy

07:58

The target media has toe have enough storage space

08:03

for the edge.

08:05

Now, why do I say well because memory changes from system to system,

08:11

the memory that we're capturing this picture is of seven gigabytes.

08:18

That's a fair amount. Remember,

08:22

Some systems come with eight gigs. Some systems come with 16. It can go up into the hundreds of gigs depending on the system that you're getting the memory off,

08:35

take that into account.

08:39

Because if your thumb drive or your external USB device doesn't have an absorbs face, you're not going to be able to extract the memory off Thio Strong drive. That would be an example of that difficulty, but one that you could easily

08:58

now is we close in here near the end. Now what? You open up my FBK imager to kind of give you a quick review of it.

09:07

This is imager. Um,

09:11

for any other kind of analysis, you would actually click here and select the source evidence type and blowed it. But for memory, you wanna choose your old and, um, access memory right here, sobering up you remember, Catch,

09:26

click, Browse to choose where you want to store it.

09:30

Um, before you have the proper external drive, you can change your destination finally going to make it whatever you want. You can include the page file system and you can create an 81 block, which is a forensic capture that can be loaded up his forensic tools better than a

09:48

Don't them pile.

09:50

You can't get there either by clicking on your ram, or you can click on file

09:58

here

09:58

and come down to capture memory as well in order to do the same kind off function.

10:05

That is how reek. Look at Ikea imager Now, things to remember from this episode again, Walker's principle. You're doing a live capture. You're gonna cause changes to your system. Second target drive has to be large enough change for old revile

10:24

and after *** amateur can be run from a bunker,

10:26

making a very good practical portable tool to do memory. Capture

10:31

Gary questions