Digital Forensics

6. Forensic Techniques for Gathering Data

More Techniques


Previous exercises have looked at:

  1. Acquiring evidence through the use of a number of imaging techniques.
  2. Carving out files from image data, again using a variety of techniques. These techniques can be used for recovering existing and deleted files.
  3. Finding hidden data through searches of file names and string text.
  4. Time-line activity through the use of Autopsy.

All the tools and techniques have been focussed on non-volatile data, that is data saved on various types of storage media (hard disks, USB pen drives etc).

However, there are other techniques that can be used to capture volatile data. This is data that exists only in the memory of the device while it is running.

Memories are made of this?

Looking at computing devices, there are essentially two principal sources from which data can be acquired. The first is the storage devices where evidence can be gathered. The evidence can be saved in plain sight, hidden, or in deleted form.

The second source is the RAM memory of the computer. Memory is classed as volatile, because when the computer is switched off, any record of what the computer was doing at the moment it was switched off is lost. And this can include lots and lots of valuable information, such as:-

  • A list of all processes that happened to have been loaded into RAM at the time. For example:
    • Malware inadvertently or deliberately loaded by the user, e.g. viruses.
    • Hacking tools deliberately loaded by the user, for example sniffing programmes or key-loggers.
  • Hashed passwords, which may need to be cracked if a user has tried to block access to investigators.
  • Connections to the outside world, which may reveal the source of an attack or malware, or places where data might be hidden.

RAM Memory

The first step in any investigation, if a forensic investigator encounters a device that is switched on or sleeping, is to get a memory dump before it is switched off.

A memory dump is the creation of a memory file, similar to an image file, that contains everything that was in the memory. This file can then be used as a source file for further investigation.

Memory Acquisition

  1. Watch and work along with the movie. The first part of the movie goes through the steps of downloading and installing LiME (Linux Memory Extractor). Follow these steps at home. The later part shows how to use LiME on a machine.
  2. Use the tool to capture the contents of the RAM memory of your computer. This will be used in the next exercise for an introduction into the use of Volatility program.
  3. Create a new page titled Memory Acquisition and answer the following questions.
    1. What are the issues surrounding capturing a memory image? Explain why making a memory image is different from making an image of a USB pen drive or hard disk.
    2. Why is it important to know the 'architecture' of the target machine?
    3. What is the first thing to do after successfully acquiring a memory image?
    4. What is the next step taken before any analysis of the image is started?
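As an added example, not part of the course material or of the LiME project itself: a small Python parser for the image LiME writes in its "lime" format (a 32-byte header per captured physical range: magic 0x4C694D45, version 1, inclusive start and end addresses, 8 reserved bytes), together with the SHA-256 hashing step that should be recorded before any analysis starts. The two-range sample image is constructed inline and stands in for a real capture.

```python
"""Walk a LiME-format memory image and hash it.

Added example; assumes LiME was run with format=lime. Header layout follows
LiME's lime_mem_range_header: magic, version, s_addr, e_addr, reserved[8].
"""
import hashlib
import struct

LIME_MAGIC = 0x4C694D45            # reads as "EMiL" in little-endian byte order
HEADER = struct.Struct("<IIQQ8s")  # magic, version, start, end, reserved
HEADER_SIZE = HEADER.size          # 32 bytes


def parse_lime(data: bytes):
    """Return a list of (start, end, payload) for each physical range.
    `end` is inclusive, as LiME writes it, so payload length is end - start + 1.
    Raises ValueError on bad magic, unknown version or a truncated image."""
    ranges = []
    offset = 0
    while offset < len(data):
        if offset + HEADER_SIZE > len(data):
            raise ValueError(f"truncated header at offset {offset}")
        magic, version, start, end, _ = HEADER.unpack_from(data, offset)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {offset}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        if end < start:
            raise ValueError(f"range end {end:#x} before start {start:#x}")
        size = end - start + 1
        offset += HEADER_SIZE
        payload = data[offset:offset + size]
        if len(payload) != size:
            raise ValueError(f"truncated range payload at offset {offset}")
        ranges.append((start, end, payload))
        offset += size
    return ranges


def sha256_hex(data: bytes) -> str:
    """Hash the whole image file; record this value before analysing it."""
    return hashlib.sha256(data).hexdigest()


def build_sample_image() -> bytes:
    """Constructed two-range image standing in for a real LiME capture."""
    seg1 = HEADER.pack(LIME_MAGIC, 1, 0x1000, 0x1FFF, b"\0" * 8) + b"A" * 0x1000
    seg2 = HEADER.pack(LIME_MAGIC, 1, 0x100000, 0x10000F, b"\0" * 8) + b"secret:x" * 2
    return seg1 + seg2


if __name__ == "__main__":
    image = build_sample_image()
    print("sha256:", sha256_hex(image))
    for start, end, payload in parse_lime(image):
        print(f"range {start:#x}-{end:#x} ({len(payload)} bytes)")
```

On a real capture, read the file in binary mode and pass its bytes to `parse_lime`; the hash printed first is the value to note down before the image is opened in Volatility.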

Analysing Memory Images

While we could analyse the memory image you made in the previous exercise, it is much more instructive to follow through an analysis that reveals a virus at work, lodged in the RAM memory space.

The process also shows the creative side of forensic work: how one clue can lead to others, and how it can be combined with other activities to give the answers required.

  1. Download a prepared memory image containing a virus at work.
  2. Watch the movie to see how the Volatility tool is started.
  3. Using the steps in the video load the memory image into Volatility.
  4. Work along with the video to practice using some of the commands.
  5. Visit Article title and work through the same steps to discover the virus.

When you log into a computer, passwords are stored in RAM memory. Capturing memory can be a first step in getting the hash values of the account credentials. The hash values can be reversed using rainbow tables to reveal the plain-text passwords they were derived from.

So let's try this at home.

  1. Download DumpIt and use it to capture a memory image as shown in the video below.
  2. You can either download Volatility for Windows, or copy the image into a Kali Linux box and use Volatility from there, to recover the passwords as shown in the video opposite.

Can you now do?

  • Explain some of the issues surrounding the imaging of RAM memory.
  • Use tools, both Windows and Linux based, to make memory images.
  • Use tools to analyse the contents of RAM memory.
  • Follow a forensic process in analysing RAM memory.
  • Describe how forensic tools can be used to reveal account passwords stored as hash values in RAM memory.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.
