
Memory Forensics for Analyzing Malicious Activities


Academic year: 2023


Full text

Introduction

Research Motivation and Objectives

Project Contributions

Use forensically sound methods to capture main (primary) memory without altering key artifacts of the suspected or compromised computer or device, using various free or open-source tools, efficiently and in a timely manner. Maintain the evidentiary integrity of the captured data by comparing the hash value of the primary memory with that of the captured image to demonstrate that no artifacts were altered or modified while the memory dump was created, and retain the hash value as proof of the work.
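The integrity check described above, as an added example that is not part of the original report: the image is hashed in fixed-size chunks (so multi-gigabyte captures fit in constant memory), the digest recorded at capture time is compared in constant time, and a deliberately flipped byte shows the comparison failing. The file contents are a constructed stand-in, not a real RAM capture.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash the image in 1 MiB pieces; RAM captures are often several GiB


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_dump(path, recorded_hex):
    """Return (ok, computed): ok is True only if the image still matches the hash
    recorded immediately after capture. compare_digest avoids timing differences."""
    computed = sha256_file(path)
    return hmac.compare_digest(computed, recorded_hex.lower()), computed


def demo():
    """Constructed walk-through: hash at capture time, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "memdump.raw")   # hypothetical image name
        with open(path, "wb") as f:
            f.write(bytes(range(256)) * 4096)     # 1 MiB of deterministic sample bytes
        recorded = sha256_file(path)              # value an examiner would write in the custody log
        ok_before, _ = verify_dump(path, recorded)
        # Simulate a single byte changed after capture (edited or corrupted image)
        with open(path, "r+b") as f:
            f.seek(1000)
            original = f.read(1)
            f.seek(1000)
            f.write(b"\x01" if original != b"\x01" else b"\x02")
        ok_after, _ = verify_dump(path, recorded)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```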

Organization of the Report

In this section, we discuss the mapping of memory to the machine's memory dump. We can also extract shipping information from a memory dump of the suspected computer or device.

Background

Memory

  • Cache Memory
  • Primary Memory (Main Memory)
  • Secondary Memory

This cache memory is used as a buffer between the CPU and the main memory (called RAM). The capacity of the primary memory is limited, and when we restart or shut down the computer system, all the data held by the primary memory will be lost.

Memory dump

Memory forensics

Malware

Importance of memory in digital forensic

Challenges

With the Autopsy software, we can extract the browsing data of the suspected computer or device from the memory dump we created. To do so, we need to know the name of the system profile of the machine from which we created the memory dump. This process diagram is designed to detect malicious activity in a memory dump captured from a suspected device.

We will click the "Browse" button and select the path to the location of the memory dump file. Here we can see some pictures of Lalbagh Fort present in the memory dump of the alleged computer or device.

Related works

File system mapping in the memory dump and Problem Statement

In the paper [4], the authors discussed a different way of mapping the file system from the suspected machine's memory. File types can be identified from DLL (Windows shared library) files because a DLL contains code used by multiple programs. But using DLL files to search for a currently running program or any other extension can be very difficult, because they do not display the programs in a structured way.

Extra information such as start time and date cannot be easily found either. The authors [5]. If we use memory dump analysis software like the one we used, all the data is shown in a structured way.

Memory forensic Tools and Problem statements

We can see the index search of the computer used in the crime, from which we created the memory dump. In this step, we identify the profile name of the collected memory dump we are examining. So we have to be careful while creating the memory dump from the suspect computer or device.

After selecting the source path location of the memory dump file, we will click on the "Next" button to proceed further. This is how we examine the memory dump captured from the suspected machine's secondary memory.

Tools for Analysis and capturing the memory

Software and frameworks

Using the FTK Imager software, we can create memory dumps and paging files for 32-bit and 64-bit Windows systems [9]. Autopsy offers a set of selectable options so we can examine the memory dump. We can also examine deleted files on the suspected computer, which can be found using the software.

For other artifacts, however, we use the Volatility framework to explore the main memory dump. Using Volatility, we can extract command-line information and clipboard information from a memory dump generated from the suspected computer or device [12].

Hardware Requirements of the software

  • AccessData FTK Imager Software Requirements
  • Autopsy Software requirements
  • Volatility framework requirements

We use the Volatility framework to examine the captured memory dump of the Random Access Memory (RAM) of the suspected computer or device. We can download this software for free and create a memory dump of the suspected device. This process diagram detects the malicious execution or running process in the memory dump captured from the suspected machine.

Once we have downloaded the desired version of the Volatility tool from the Volatility Foundation website, we are ready to perform the memory dump analysis using Volatility. Suppose we create a memory dump and the format of the memory dump is not supported by the Volatility tool.

Figure 4.1: Required configurations of the FTK imager

Memory Dump creation using different tools

Dumpit

MoonSols DumpIt is a memory capture tool that runs on 32-bit and 64-bit Windows. DumpIt is a very compact tool that captures the contents of the target device's system RAM. The copy of the RAM contents, which we call the memory dump, is saved in the current folder on the device.

The software starts the work, and after it finishes, the memory dump is visible in the current directory as a file with the .dmp extension. The memory dump, also known as a memory image, is successfully created using these simple steps.

Magnet Forensics

If the memory is small, it takes less time to finish creating the memory dump, but if the memory size is large, it takes more time to create the memory dump of the suspected computer or device. When the process of creating the memory image is complete, a message says that the RAM has been saved successfully in the selected path.

Figure 5.4: Magnet forensic software dashboard

AccessData FTK imager

To start the process, we need to click on the file option on the left side of the UI. After providing all the information, we need to click on the "capture memory" button to start the memory mapping process. When the memory dump process is complete, a message will be shown on the screen saying "Memory recording completed successfully." The path to the memory image will also appear on the screen.

Using these simple steps we can create a memory dump of the targeted device using this AccessData FTK imager software.

Figure 5.8: FTK imager software dashboard

Belkasoft Live RAM Capturer

So there is a safer way: collect a memory dump that already contains the malicious process. After finding the profile information in the previous steps, we can perform the ghost process identification step to identify the malicious activities in the collected memory dump. To identify malicious activities, we require a memory dump that records all the malicious activities running on the system prior to the generation of the memory dump.

All the options offered by the Autopsy digital forensics tool are shown in the table of usage instructions for detecting malicious activities from memory. After clicking the "Next" button, the next step appears on the screen, where we must select the modules with which we will search the machine from which we created the memory dump.

Figure 5.14: Creating memory dump using Belkasoft software

Malicious Process Identification from the primary memory dump

Accumulation of Materials

To identify the malicious process, we need a memory dump containing the malicious process that was running during the memory dump creation event. Then the investigator goes through the memory dump and runs the Volatility plugins to identify the malicious process. We can run some malicious processes on a device and then create the memory dump using the imaging tools discussed earlier in this article.

But if we run the malicious process directly on our own machine, it will be very harmful to our device and there is a very high possibility of losing sensitive data on the device. Windows firewall will detect and delete the file if the process is already in the registry.

Proposed Method

  • Find Volatility
  • Profile Name Identification
  • Ghost process identification
  • Parent process identification
  • Process camouflage activity identification
  • Execution method identification
  • Backtrack the remote connection
  • Malicious activity identification

Whenever we write a command using Volatility, we need the specific profile name of the captured machine. To obtain it, we run the Volatility executable with the name of the memory dump file and the imageinfo plugin. In this step, we try to see which commands were executed on the command line up to the moment the memory of the suspected device was captured.

To do this, we need to go to the directory where the process dump file with ID 1640 is located. When we go to the directory, we need to right-click on the process memory dump file 1640 and click the "Open with" option.
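The ghost process and parent process identification steps listed above, as an added example that is not part of the original report: a small parser for the text layout of Volatility 2's pslist output, followed by two triage rules, a parent that is absent from the listing (a possible orphan) and a core Windows process whose parent is not the one Windows normally gives it. The listing, the expected-parent table and the reuse of PID 1640 are constructed assumptions, not output from the report's dump.

```python
# Constructed sample in the column layout of Volatility 2 "pslist" (not from the report's memory dump).
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xfffffa8000ca0b30 System                    4      0     85      555 ------      0 2023-05-01 10:00:00 UTC+0000
0xfffffa8001ac7060 smss.exe                272      4      2       29 ------      0 2023-05-01 10:00:01 UTC+0000
0xfffffa8001b3c5d0 wininit.exe             404    272      3       77      0      0 2023-05-01 10:00:02 UTC+0000
0xfffffa8001b62b30 services.exe            496    404      8      210      0      0 2023-05-01 10:00:02 UTC+0000
0xfffffa8001b6e060 lsass.exe               504    404      7      560      0      0 2023-05-01 10:00:02 UTC+0000
0xfffffa8001c10b30 svchost.exe             632    496     12      380      0      0 2023-05-01 10:00:03 UTC+0000
0xfffffa8001d45060 explorer.exe           1120   1088     30      900      1      0 2023-05-01 10:01:00 UTC+0000
0xfffffa8001e01b30 cmd.exe                1200   1120      1       25      1      0 2023-05-01 10:05:00 UTC+0000
0xfffffa8001e77060 svchost.exe            1640   1200      2       40      1      0 2023-05-01 10:05:30 UTC+0000
"""

# Parent that Windows normally gives each core process (common triage rule, assumed here).
EXPECTED_PARENT = {"smss.exe": "system", "wininit.exe": "smss.exe", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe", "svchost.exe": "services.exe"}


def parse_pslist(text):
    """Map PID -> {name, ppid} from pslist text; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or not (f[2].isdigit() and f[3].isdigit()):
            continue
        procs[int(f[2])] = {"name": f[1], "ppid": int(f[3])}
    return procs


def find_suspicious(procs):
    """Return (pid, reason) pairs. An orphan alone is weak evidence (explorer.exe's parent
    userinit.exe normally exits), so the reason text lets the examiner weigh each hit."""
    findings = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if p["ppid"] != 0 and parent is None:
            findings.append((pid, "orphan: parent %d not in listing" % p["ppid"]))
        expected = EXPECTED_PARENT.get(p["name"].lower())
        if expected and (parent is None or parent["name"].lower() != expected):
            seen = parent["name"] if parent else "?"
            findings.append((pid, "parent mismatch: %s under %s, expected %s" % (p["name"], seen, expected)))
    return findings


if __name__ == "__main__":
    for pid, reason in find_suspicious(parse_pslist(PSLIST_SAMPLE)):
        print(pid, reason)
```

The svchost.exe instance with PID 1640 is reported because its parent is cmd.exe rather than services.exe, which is the kind of finding that justifies dumping that process for closer inspection.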

Figure 6.2: Directory of the Volatility tool

Malicious activity identification from secondary memory dump

Accumulation of Materials

After that, the investigator examines the memory dump and uses Autopsy plugins to determine what malicious actions were taken with the device. We can perform malicious activities on a device and then generate the memory dump using the imaging tools discussed earlier in this work. At present, there is no pre-created memory dump that contains all the possible malicious activities.

So we have to resort to generating a memory dump that contains almost all the malicious activity that could occur. For memory capture, we used Windows-based free software (discussed in the early chapters of the article).

Proposed Method

  • Case creation
  • Web and E-mail History investigation
  • Storage investigation
  • File type investigation
  • Installed Program investigation
  • Reverse engineering

After clicking the "Execute" button, the next step appears on the screen, where we select the type of data source we want to add to Autopsy for examination. Since we want to examine the secondary memory dump to find the malicious activities using Autopsy, we select "Disk Image or VM Files" from the options and click the "Next" button to go to the next step. All modules are pre-selected, so we click the "Next" button.

If we expand it, we see the partitions of the suspected machine's disk, the same ones the Windows system shows. Now we try to find the hidden messages that were concealed in the carrier files using steganography. We click the "Open image" button to open the selected images and go to the same folder where we saved the images.

So in the future we will try to collect more memory dumps and investigate to discover some unexplored malicious activities.

Figure 7.1: Proposed process diagram for identifying the malicious activities

Future works

Conclusion

Figures

Figure 1.1: Process of Capturing RAM using Imager Software
Figure 1.2: Process of Capturing Disk image using Imager Software
Figure 1.3: Process of detecting and identifying malicious activities using the framework
Figure 4.1: Required configurations of the FTK imager
