Live Memory Forensics to Detect Malicious Activities

MailXaminer | May 26th, 2020 | Forensics

Memory forensics is the process of analyzing the volatile data captured from a computer’s memory (RAM). It is mainly conducted to identify unauthorized or malicious activity that took place on the computer. Many modern attacks, fileless and memory-resident malware in particular, leave few or no identifiable traces on the hard drive, so the memory is often the only place the evidence exists. In this blog, we will shed light on the importance of memory forensics along with the best approach to examining volatile data.

Live Memory Forensics

Live memory forensics begins by capturing the current state of the system’s memory. Through forensic analysis of volatile memory, investigators can gather information about the data and the activities that have taken place on the system. This includes the processes currently running, the executables and libraries loaded into them, IP addresses and other network information.

A memory dump is a snapshot of the system’s volatile memory at a specific instant in time. Forensic analysis of a memory dump provides valuable information about the state of the computer system at the moment of capture, for example while malicious activity is under way or at the point of a crash. The RAM data preserved in the dump can help identify the cause of the incident and other related information. Through volatile memory forensics, investigators collect the system’s volatile information and create a permanent record of the system’s state; hashing the image at acquisition time allows them to show later that the record has not changed. Moreover, it helps to track suspicious activities such as viruses and other malware attacks.

Importance of Computer Memory Forensics

With every passing year, attack methods become more sophisticated. As a result, live memory forensics and computer forensics tools grow in importance too.

Security solutions such as antivirus software, network firewalls, etc. frequently fail to identify malware activity that takes place only in the computer’s physical memory. Forensic analysis of computer memory provides a unique insight into current activity and network connections. In many situations, the important data that reveals the unauthorized activity or attack exists only in the computer’s volatile memory. Information such as credentials, chat messages, running processes, unpacked program code, browsing history that was never written to the on-disk cache, etc. is loaded into physical memory. The same property makes this evidence fragile: it is lost at shutdown and is continually overwritten while the system runs, which complicates evidence collection.

Now you might be wondering why forensic analysis of volatile memory (RAM) is not a part of every computer forensic investigation.

Here are the main reasons listed below:

To acquire digital data from volatile memory, the target system must be in a running state. Furthermore, the collection program has to be introduced into the system and executed, which leaves an acquisition footprint: the tool’s own process, driver and buffers overwrite some memory, so the capture is never a perfect copy of the pre-acquisition state and the footprint must be documented.

RAM (Random Access Memory) is volatile. With advanced malware that never touches the disk, the RAM is often the only place that holds evidence of the crime, and this is where the major challenge faced by forensic experts in memory dump analysis lies: shutting the computer down flushes everything stored in volatile memory, so the evidence must be captured before the machine is powered off and cannot be recovered afterwards.

Generally, during the examination process, investigators mainly focus on the user’s activities on the system and on traces of malware activity. Sometimes it is necessary to uncover encryption keys and passwords if they are considered evidence. However, before starting the investigation, the investigator should have a clear idea of what they need to establish on the target system. During the acquisition process, the evidence is obtained in various formats. Here are the most commonly used acquisition formats in live memory forensics.

  • Raw Format: A byte-for-byte copy of physical memory with no header, produced when the evidential data is extracted from the live environment with an acquisition tool.
  • Crash Dump: When the system crashes or hits a fatal error, the operating system writes a memory dump file. It consists of a copy of the computer memory at the moment of the crash, which helps investigators identify the problem that led to the crash.
  • VMWare Snapshot: It contains the snapshot of the virtual machine’s memory and provides the exact state of the guest at the time the snapshot was generated. Unlike the other formats, it is taken from the hypervisor host and leaves no acquisition footprint inside the guest.
  • Hibernation File: This file (hiberfil.sys on Windows) consists of a compressed copy of memory written when the system hibernates, which the operating system restores on resume. It is recovered from the disk rather than from the live system and must be decompressed before analysis.
  • Page File: This file (pagefile.sys on Windows) contains memory pages the operating system has swapped out of RAM to disk, so it holds data of the same kind as the RAM and complements the memory image.
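Because the formats above are handled differently, the first thing to do with an acquired image is to check which one it actually is and to record its hash for the chain of custody. The following is an added example, not code from the original post or from any product: it identifies an image from the magic bytes at offset 0 (the `PAGEDUMP`/`PAGEDU64` signatures of Windows crash dumps, the `hibr`/`HIBR`/`wake`/`WAKE` signatures of hibernation files, LiME’s `EMiL` header, and the VMware snapshot magics that Volatility’s vmware layer checks for, which are taken from that tool’s source and should be verified against your own samples) and falls back to treating the image as raw. A raw image and a page file have no signature, so they cannot be told apart by this check.

```python
import hashlib
import struct

# Magic values found at offset 0 of common memory-image formats.
SIGNATURES = [
    (b"PAGEDUMP", "Windows 32-bit crash dump"),
    (b"PAGEDU64", "Windows 64-bit crash dump"),
    (b"hibr",     "Windows hibernation file (valid, pre-Windows 8 signature)"),
    (b"HIBR",     "Windows hibernation file (valid)"),
    (b"wake",     "Windows hibernation file (already resumed; contents stale)"),
    (b"WAKE",     "Windows hibernation file (already resumed; contents stale)"),
    (b"EMiL",     "LiME (Linux) acquisition with per-range headers"),
]
# VMware .vmss/.vmsn header magics as checked by Volatility's vmware layer
# (assumed from that tool's source; verify against your own samples).
VMWARE_MAGICS = {0xBED2BED2, 0xBAD1BAD1, 0xBED3BED3}

PAGE_SIZE = 4096
RAW = "no signature: treat as raw physical memory (or a page file)"


def identify_dump(data: bytes) -> str:
    """Classify a memory image from its first bytes."""
    head = data[:8]
    for magic, name in SIGNATURES:
        if head.startswith(magic):
            return name
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] in VMWARE_MAGICS:
        return "VMware snapshot (.vmss/.vmsn)"
    return RAW


def acquisition_record(data: bytes) -> dict:
    """Build the record an examiner keeps alongside an image: format, size,
    whether a raw image is page-aligned (a sign the capture completed), and
    the SHA-256 that later proves the image is unchanged."""
    fmt = identify_dump(data)
    return {
        "format": fmt,
        "size": len(data),
        "page_aligned": len(data) % PAGE_SIZE == 0,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed stand-in for an image: a 64-bit crash-dump header padded
    # to one page. A real run would read the first bytes of a file instead.
    sample = b"PAGEDU64" + b"\x00" * (PAGE_SIZE - 8)
    for key, value in acquisition_record(sample).items():
        print(f"{key}: {value}")
```

Only the first eight bytes are needed for the classification, so on a multi-gigabyte image read the header separately and stream the rest through the hash rather than loading the whole file into memory.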

What are the Different Types of Artefacts Obtained?

While performing forensic analysis of computer memory, all possible artefacts are gathered from the running system, and the resulting image can be large (the full size of the installed RAM). In the upcoming section, we will discuss the various types of evidence that can be acquired from the running system while conducting volatile memory forensics.

  • Network Connections: Network information such as IP addresses and port numbers used in past and current connections. This helps identify the remote destination of malware communication, computer intrusions, etc. During memory dump analysis, the investigator can also identify the protocol used in the communication, such as HTTP, FTP, SMTP, etc.
  • List of Running Processes: The complete list of processes currently running on the system. A visual inspection of the desktop or the task manager shows the processes that are running, but a rootkit can hide its process from those views; the memory image lets the investigator enumerate processes from the kernel’s own structures and compare that list against what the live system reported.
  • User Credentials: Credential details such as usernames and passwords that the user provided for both local and remote systems. Credentials entered by the user may remain in the physical memory of the computer.
  • Content of Open Windows: During live memory forensics, this provides information about the currently open windows and their contents, such as instant messengers, emails, the clipboard, etc.
  • Decrypted Versions of Programs: If a malicious file is found to be encrypted or packed on the hard drive, it must be decrypted before evidence can be extracted from it. Since a program must be unpacked in memory in order to run, collecting it in the running state lets the investigator extract the decrypted code.
  • Malware Residing in Memory: Malware that lives only in system memory leaves no footprint on the hard drive. Likewise, any data collected by the malware is held in the system’s memory before it is transferred to a remote system, so the memory image is where both the malware and the data it has staged are found.
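A first pass over a raw image for the artefacts listed above is string and signature carving: searching the bytes for IP addresses, URLs, credential-like key/value pairs and the headers of executables that were unpacked into memory. The following is an added example, not code from the original post or from any product, that carves those four artefact types from a constructed byte buffer standing in for a raw image; the addresses, URL and password in the buffer are made up for the demonstration, and the PE check is the standard one (an `MZ` header whose `e_lfanew` field points at a `PE\0\0` signature). Offsets are returned with each hit because they are what later lets the examiner map a string back to the process that owned that page.

```python
import re
import struct

# Byte-level patterns. The look-arounds on the IPv4 pattern stop version
# strings like "1.2.3.4.5" from being reported as an address.
IPV4 = re.compile(
    rb"(?<![\d.])(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}(?![\d.])"
)
URL = re.compile(rb"(?:https?|ftp)://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s\x00\"'<>]*)?")
CRED_HINT = re.compile(rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*([^\s\x00&\"']{1,64})")


def carve_pattern(data: bytes, pattern, group: int = 0):
    """Return (offset, match) pairs for every occurrence of a byte pattern."""
    return [(m.start(group), m.group(group)) for m in pattern.finditer(data)]


def find_pe_headers(data: bytes):
    """Locate MZ headers whose e_lfanew points at a valid 'PE\\0\\0' signature.
    Returns (offset, machine) pairs; machine is the IMAGE_FILE_HEADER value
    (0x14C = i386, 0x8664 = x86-64)."""
    hits = []
    off = data.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
            pe = off + e_lfanew
            # A sane e_lfanew sits past the DOS header and well within a page.
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                machine = struct.unpack_from("<H", data, pe + 4)[0]
                hits.append((off, machine))
        off = data.find(b"MZ", off + 1)
    return hits


def carve_artefacts(data: bytes) -> dict:
    """Run all carvers over an image and group the hits by artefact type."""
    return {
        "ips": carve_pattern(data, IPV4),
        "urls": carve_pattern(data, URL),
        "credentials": carve_pattern(data, CRED_HINT, group=1),
        "pe_headers": find_pe_headers(data),
    }


def build_sample_dump() -> bytes:
    """Constructed stand-in for a raw memory image (not a real capture):
    a minimal unpacked PE header followed by strings a beaconing process
    would leave behind. Addresses are from documentation ranges."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)       # 64-byte DOS header
    struct.pack_into("<I", pe, 0x3C, 0x40)       # e_lfanew -> right after it
    pe += b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 18
    strings = (
        b"\x00" * 16
        + b"POST http://203.0.113.10:8080/gate.php HTTP/1.1\x00"
        + b"user=alice&password=Winter2020!\x00"
        + b"connect 198.51.100.7:443\x00"
        + b"version 1.2.3.4.5\x00"              # must not be carved as an IP
    )
    return bytes(pe) + strings


if __name__ == "__main__":
    for kind, hits in carve_artefacts(build_sample_dump()).items():
        print(kind)
        for offset, value in hits:
            print(f"  0x{offset:08x}  {value!r}" if isinstance(value, bytes)
                  else f"  0x{offset:08x}  machine=0x{value:x}")
```

On a real image, run the carvers over the file in overlapping chunks rather than one `bytes` object, and treat the output as leads: a carved IP address proves only that the bytes were in memory, not which process put them there. Tying a hit to a process needs the kernel structures a full framework such as Volatility reconstructs.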

Closing Remarks

Memory forensics is the process of acquiring and analyzing evidence from computer memory. It helps investigators identify crucial data and malware activity. This blog has outlined forensic analysis of volatile memory, which provides detailed information about the running system and its processes.