Live Memory Forensics to Detect Malicious Activities

MailXaminer | May 6th, 2019 | Forensics

Memory forensics is the analysis of the volatile data captured in a dump of a computer's memory. It is conducted mainly to identify unauthorized or malicious activity on the machine, in particular attacks that leave no easily identifiable traces on the hard drive. Live memory forensics captures the current state of the system's memory while the system is still running. From the forensic analysis of volatile memory an investigator can recover a great deal of information about the data held on the system and the activity taking place on it, such as:

  • processes currently running on the system
  • executable files that are currently running
  • IP addresses, ports and other network information
  • the active users and where they logged in from
  • open files and the users accessing them

A memory dump is a snapshot of the system's volatile memory at a specific instant. Forensic analysis of a memory dump matters because it can reveal the state of the computer at the moment an incident or crash occurred. The RAM contents preserved in the dump help establish the cause of the incident and the details around it. Through volatile memory forensics the investigator collects the system's volatile state and turns it into a permanent record that can be examined later, so that suspicious activity such as viruses and other malware can be tracked. This is vital in cases where the malware leaves no trace of its activity on the system's hard drive.

Importance of Computer Memory Forensics

Attack methods grow more sophisticated every day, which increases the importance of live memory forensics and of computer forensics tools. Most network-based security solutions cannot detect malware activity that is written directly into, and takes place only in, the computer's physical memory. Forensic analysis of memory gives a unique view of current activity and network connections. In many situations the key data pointing to unauthorized activity or an attack exists only in volatile memory: credentials, chat messages, running processes, browsing history that was never written to a cache on disk, and similar data are loaded into physical memory in the order in which they were used. This makes evidence collection in digital forensics more complicated.

You may be wondering why forensic analysis of volatile memory (RAM) is not part of every computer forensic investigation. The main reasons are:

  • To acquire data from volatile memory the target system must be running, and an acquisition program has to be introduced into the system and executed, which leaves an acquisition footprint of its own in memory.
  • RAM holds only the current state of the system: earlier data is overwritten as the machine runs, so memory alone rarely tells the whole story of an incident, however advanced the malware involved.
  • The main difficulty in memory dump analysis is that shutting the computer down flushes everything stored in volatile memory, so acquisition has to happen before power-off.

Generally, during an investigation the investigator focuses on the user's activities on the system and on evidence of malware activity. Sometimes encryption keys and passwords must be uncovered as well, when they are themselves evidence. Before starting, the investigator should have a clear idea of what needs to be established on the target system, because the acquisition method and the format of the extracted evidence depend on the situation. The most commonly used acquisition formats in live memory forensics are:

  • Raw format: a byte-for-byte copy of physical memory, the format produced when memory is captured from a live system with an acquisition tool.
  • Crash dump: when Windows crashes, the system writes a memory dump file containing a copy of memory at that moment. It helps the investigator identify what led to the crash, and it can be examined with the same tools as a live capture.
  • VMware snapshot: the .vmem file, with its .vmsn/.vmss metadata, holds the guest's memory exactly as it was when the snapshot was taken, so a virtual machine can be examined without running an acquisition tool inside it.
  • Hibernation file: hiberfil.sys holds a compressed image of memory, saved so that the system can resume after hibernation.
  • Page file: pagefile.sys holds pages swapped out of RAM, so it contains the same kind of information as RAM and complements a memory dump.
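Before handing an image to an analysis tool it pays to confirm which of these formats it actually is, since a hibernation file or crash dump treated as raw memory produces nonsense. The following script is an added example written for this article, not MailXaminer code: it recognizes the containers above by their documented header signatures (Windows crash dumps, hiberfil.sys, VMware .vmss/.vmsn, LiME and ELF dumps) and otherwise falls back to "raw". The sample headers in it are constructed, and the page-alignment check on the file size is a heuristic assumption, not a property of any particular tool.

```python
"""Identify the container format of a memory image from its leading bytes.

Added example for this article, not MailXaminer code. Checking the header
before analysis matters because a hibernation file or crash dump opened as
"raw" memory yields nonsense; the signatures below are the documented magics
of each container. The sample headers in main() are constructed.
"""
import os
import struct
from typing import Optional

PAGE = 4096  # x86/x64 page size; a raw dump is normally a whole number of pages

# (signature at offset 0, description); checked in order with startswith().
SIGNATURES = [
    (b"PAGEDUMP", "Windows crash dump, 32-bit"),
    (b"PAGEDU64", "Windows crash dump, 64-bit"),
    (b"hibr", "Windows hibernation file (XP to 7), not yet resumed"),
    (b"HIBR", "Windows hibernation file (8 and later), not yet resumed"),
    (b"wake", "Windows hibernation file (XP to 7), already resumed: contents partly overwritten"),
    (b"WAKE", "Windows hibernation file (8 and later), already resumed: contents partly overwritten"),
    (b"\x7fELF", "ELF core dump (Linux core, VirtualBox or QEMU guest memory dump)"),
]
# 32-bit little-endian magics: the VMware .vmss/.vmsn header variants, and LiME.
VMWARE_MAGICS = {0xBED2BED0, 0xBAD1BAD1, 0xBED2BED2, 0xBED3BED3}
LIME_MAGIC = 0x4C694D45  # stored on disk as the bytes b"EMiL"

RAW = "no known header: treat as raw physical memory"


def identify_image(header: bytes, size: Optional[int] = None) -> str:
    """Classify an image from its first bytes (16 are enough) and optional size."""
    for magic, description in SIGNATURES:
        if header.startswith(magic):
            return description
    if len(header) >= 4:
        word = struct.unpack_from("<I", header, 0)[0]
        if word in VMWARE_MAGICS:
            return "VMware saved state/snapshot (.vmss/.vmsn); guest RAM is in the paired .vmem"
        if word == LIME_MAGIC:
            return "LiME (Linux Memory Extractor) dump with per-range headers"
    if size is not None and size % PAGE:
        # Heuristic: raw captures are page-aligned, so an odd size suggests
        # truncation or a container this script does not know.
        return f"{RAW}, but size {size} is not a multiple of {PAGE} bytes (truncated or unknown container?)"
    return RAW


def identify_file(path: str) -> str:
    """Read only what is needed: the first 16 bytes and the file size."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    return identify_image(header, os.path.getsize(path))


if __name__ == "__main__":
    # Constructed headers standing in for the first 16 bytes of real files.
    samples = {
        "MEMORY.DMP": b"PAGEDU64" + b"\x00" * 8,
        "hiberfil.sys": b"hibr" + b"\x00" * 12,
        "win7.vmsn": b"\xd0\xbe\xd2\xbe" + b"\x00" * 12,
        "linux.lime": b"EMiL" + b"\x00" * 12,
        "dumpit.raw": b"\x00" * 16,
    }
    for name, head in samples.items():
        print(f"{name:14} {identify_image(head, size=PAGE * 4)}")
```

Run `identify_file("MEMORY.DMP")` on a real image; the result tells you which loader or conversion step to use before analysis, and a "raw" verdict on a file whose size is not page-aligned is a cue to double-check how the capture was made rather than to trust it.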

Types of Artifacts obtained

When conducting forensic analysis of computer memory, the investigator collects as many artifacts as the case and situation allow from the running system; the capture can be large, since it is the size of the installed RAM. Anything that runs on the system passes through RAM and remains there until it is overwritten, for a time that depends on how much RAM the system has and how busy it is. Below are a few types of artifacts that can be acquired from a running system during volatile memory forensics.

  • Network connections
    The IP addresses and port numbers of past and current network connections. These help identify the remote destinations of malware communication, computer intrusions and so on. During memory dump analysis the port numbers let the investigator infer the protocol used in the communication, such as HTTP, FTP or SMTP.
  • List of running processes
    The complete list of processes running on the system. A user can see what is running by looking at the desktop or at Task Manager, but a list recovered from memory is more reliable, since it also shows processes that malware has hidden from those views.
  • User credentials
    User names and passwords, including the credentials the user supplied for both the local system and remote systems.
  • Content of open windows
    The content of the windows that are currently open, including text the user has typed into them but not yet saved.
  • Decrypted versions of programs
    If a malicious file is encrypted or packed on the hard drive, decrypting it to extract evidence is one of the hardest tasks an investigator faces. But any file that is executed or read has to be decrypted to run, so collecting it from the running system lets the investigator extract the unpacked version.
  • Malware resident in memory
    Malware that resides only in memory leaves no footprint on the hard drive, so any data it collects is also held in memory before it is transferred to a remote system.
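A first look at several of the artifacts above (network endpoints, URLs and credentials) does not need a parser for the operating system's internal structures: a strings-style carve over the raw image already surfaces them. The script below is an added example for this article, not MailXaminer code. It assumes a raw image (or a .vmem file), scans it in chunks with an overlap so that an artifact crossing a chunk boundary is still reported exactly once at its true offset, decodes UTF-16LE runs because Windows stores most user-facing text that way, and rejects strings that merely look like IPv4 addresses. The embedded sample image, the patterns, and the host names and passwords in it are constructed for the example.

```python
"""Carve network and credential artifacts from a raw memory image.

Added example for this article, not MailXaminer code: a strings-style carver
that scans the image in chunks with an overlap, so an artifact straddling a
chunk boundary is reported once, at its true offset, and that decodes
UTF-16LE runs because Windows keeps most user-facing text (URLs, form fields)
in that encoding. The image in build_sample_image() is constructed.
"""
import io
import re

CHUNK = 1 << 24   # 16 MiB per read
OVERLAP = 4096    # must exceed the longest possible match by at least two bytes

# Patterns applied both to raw bytes and to text decoded from UTF-16LE runs.
PATTERNS = {
    "ipv4": re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?![\d.])"),
    "url": re.compile(rb"(?:https?|ftp)://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]{4,1024}"),
    "credential": re.compile(rb"(?i)(?:pass(?:word|wd)?|pwd)\s*[=:]\s*([^\s&;\"']{3,64})"),
}
# A UTF-16LE run of printable ASCII: each character is its byte followed by NUL.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,1024}")


def _valid_ipv4(addr: bytes) -> bool:
    return all(int(octet) <= 255 for octet in addr.split(b"."))


def _scan_text(text: bytes, origin: int, stride: int):
    """Yield (kind, value, image_offset) per hit; stride is 2 for decoded UTF-16LE."""
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "ipv4" and not _valid_ipv4(m.group(1)):
                continue  # e.g. 999.1.1.1 has the shape of an address but is not one
            value = m.group(1) if kind == "credential" else m.group(0)
            yield kind, value.decode("ascii", "replace"), origin + stride * m.start()


def _scan_buffer(buf: bytes):
    yield from _scan_text(buf, 0, 1)
    for run in UTF16_RUN.finditer(buf):
        yield from _scan_text(run.group().decode("utf-16-le").encode("ascii"), run.start(), 2)


def scan_image(stream, chunk: int = CHUNK, overlap: int = OVERLAP) -> dict:
    """Return {(kind, value): first image offset} for the whole stream.

    Each buffer is the previous buffer's last `overlap` bytes plus a fresh chunk.
    In a non-final buffer only hits that start early enough to be complete
    inside it are taken; `done` records where the next buffer must start
    accepting, so a hit inside the overlap is counted once and the cut-off
    remainder of an already-taken hit at the start of the next buffer is ignored.
    """
    hits = {}
    tail, base, done = b"", 0, 0
    data = stream.read(chunk)
    while data:
        nxt = stream.read(chunk)  # look ahead to know whether this buffer is the last
        buf = tail + data
        high = base + len(buf) if not nxt else base + len(buf) - overlap + 1
        for kind, value, off in _scan_buffer(buf):
            pos = base + off
            if done <= pos <= high:
                hits.setdefault((kind, value), pos)
        done = max(done, high + 1)
        tail = buf[-overlap:]
        base += len(buf) - len(tail)
        data = nxt
    return hits


def scan_bytes(image: bytes, chunk: int = CHUNK, overlap: int = OVERLAP) -> dict:
    return scan_image(io.BytesIO(image), chunk, overlap)


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw dump: zero pages around a few artifacts."""
    return b"".join([
        b"\x00" * 100,
        b"GET /login HTTP/1.1\r\nHost: 203.0.113.7:8080\r\n\r\n",
        b"\x00" * 37,
        "https://portal.example.test/reset?user=alice&password=Winter2019!".encode("utf-16-le"),
        b"\x00" * 50,
        b"version=1.2.3.4.5 peer=999.1.1.1 pwd=hunter2;",  # neither "address" is real
        b"\x00" * 300,
    ])


if __name__ == "__main__":
    # Small chunk and overlap so the sample actually exercises the boundary logic.
    found = scan_bytes(build_sample_image(), chunk=256, overlap=160)
    for (kind, value), off in sorted(found.items(), key=lambda h: h[1]):
        print(f"{off:#010x}  {kind:<10} {value}")
```

Carved strings are a triage aid, not proof: a URL found in memory may come from a cached page rather than an actual connection, and a "password=" string may be a form field name. Confirm each hit against the process and connection lists recovered from the same image, and treat the offset as the place to start looking at the surrounding bytes.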

Final Words

Memory forensics is the process of acquiring evidence from computer memory. It helps investigators identify crucial data and malware activity that leave no trace on the system's hard drive. Properly conducted forensic analysis of volatile memory provides detailed information about the running system and its processes.