MEMORY FORENSIC ACQUISITION AND ANALYSIS OF MEMORY AND ITS TOOLS COMPARISON

Akshay Goswami
Feb 15, 2023

A Review Paper

Department of Information Technology

Patkar-Varde College

Abstract: Improvements in technology have led to a significant increase in the number of cyber-crime cases and created a major challenge in dealing with them effectively. Various cyber forensics techniques and tools are used to recover data from a device in order to solve cyber-crime. This paper focuses on memory forensics, the analysis of memory that contains a great deal of forensically relevant information, such as usernames, passwords, cryptographic keys, deleted files, deleted logs and running processes, which can be useful in investigating cybercrime and prosecuting the accused. The three main steps that govern memory forensics are retrieval (acquisition), analysis and recovery. Recovering evidence of a crime from volatile memory is possible with knowledge of the various tools and techniques used in memory forensics.

Keywords: Memory Forensic, Digital Forensic, Volatile Memory, Memory Forensic Tools.

INTRODUCTION

Memory forensics is an established field that uses various tools to recover and analyze evidence from the memory of digital devices. Advances in technology have increased the number of cybercrime cases, and memory forensics has emerged in recent years as an important tool for investigating them. It is used to analyze physical memory (RAM) and gather evidence by recovering data from the seized device that was used in the crime. Memory forensics also provides visibility into the running state of a system, which is why RAM must be analyzed for forensic information: every function performed by an application or the operating system leaves a characteristic change in random access memory. This paper focuses on the use of memory forensics to recover data from devices. Different tools are used in memory forensics; the article discusses several of them and their suitability for particular purposes, and presents a comparison of the tools and their uses. The tools discussed for memory forensics include RAM Dump, Registry Dump and the Autopsy tool.

BACKGROUND

Depending on the situation, an investigator arriving at the scene has two options: interact with the system, or pull the plug. On the one hand, it has long been known that normal user interaction is undesirable; even a clean shutdown destroys potential evidence by changing timestamps and potentially overwriting information. Following this line of thought, it was suggested that unplugging the machine leaves it in a better preserved state than shutting it down gracefully. On the other hand, while unplugging preserves the current contents of the hard disk drive, it gives little or no insight into what operations the system was performing at the time the power was removed. To address this gap, earlier incident response guidance added live-response steps to gain insight into the state of the system. Neither option is satisfactory for the contents of RAM: pulling the plug erases them, while many incident response actions overwrite potential evidence in memory, much as creating new files overwrites evidence on a suspect hard drive.

LITERATURE REVIEW

Memory forensics involves analyzing the data held in physical memory while the operating system is running. Its primary application is the investigation of advanced computer attacks that are subtle enough to leave no data on the computer's hard drive; as a result, the memory (RAM) must be analyzed for forensic information. Every function performed by an application or the operating system results in a characteristic change in random access memory, and these changes often remain long after the operation is complete. Because of this, memory forensics provides extraordinary insight into the running state of a system, such as which processes were running, which network connections were open, and which commands were recently executed. Once a memory dump has been taken, the extraction of these artifacts can be performed entirely independently of the machine under investigation. Critical data can exist exclusively in memory, such as unencrypted email messages, disk encryption keys, non-cached Internet history, off-the-record chat messages, and code fragments injected into memory. Memory forensics, in short, is the forensic analysis of a computer memory dump.

MEMORY FORENSIC

Memory forensics is about capturing and analyzing the contents of memory, and it is a powerful capability for incident response, malware analysis and digital forensics. Vital information can be obtained by examining captured network packets and the hard drive, but it is the contents of computer memory that let an investigator reconstruct the sequence of events surrounding a malware infection or intrusion. Even a small amount of information held in RAM can give context to a typical forensic artifact that would otherwise look unremarkable, and reveal connections that might otherwise go unnoticed. There are several reasons for collecting and analyzing the data in physical memory. Physical memory contains real-time data about the operating system environment, such as the currently mounted file systems and the list of running processes. Data that is encrypted on disk is generally held in decrypted form in physical memory while it is in use, so significant information can be obtained if physical memory is analyzed effectively. The types of information that can be extracted from memory include processes, dynamic link libraries (DLLs), process memory, image identification (determining which operating system and build the dump came from), kernel memory and objects, network activity, registry data and malware.
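As an added illustration (not part of the original paper and not the code of any tool named in it), the following Python carves the kind of artifacts listed above out of a raw image: it extracts both ASCII and UTF-16LE strings, because Windows keeps most user-facing text in UTF-16 and an ASCII-only strings pass misses it, then classifies the results with a few triage patterns and reports the image offset of each hit. The sample image, the patterns and the minimum string length are all constructed or assumed for the example.

```python
import re
from typing import Iterator, NamedTuple

MIN_LEN = 6  # shortest printable run worth reporting (an assumption; tune per case)


class Artifact(NamedTuple):
    offset: int    # byte offset of the matched text within the image
    encoding: str  # "ascii" or "utf-16le"
    kind: str      # which triage pattern matched
    value: str


# Triage patterns: a starting set for this example, not a complete catalogue.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "credential": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text made of ASCII characters looks like printable, NUL, printable, NUL, ...
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(image: bytes) -> Iterator[tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run in the image."""
    for m in ASCII_RUN.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def carve_artifacts(image: bytes) -> list[Artifact]:
    """Run every triage pattern over every extracted string, keeping image offsets."""
    found = []
    for offset, encoding, text in extract_strings(image):
        width = 1 if encoding == "ascii" else 2  # bytes per character in the image
        for kind, pattern in PATTERNS.items():
            for hit in pattern.finditer(text):
                found.append(Artifact(offset + hit.start() * width, encoding, kind, hit.group()))
    return sorted(found)


def build_sample_image() -> bytes:
    """Constructed stand-in for a 16 KiB RAM dump: zero filler with a few planted artifacts."""
    image = bytearray(16 * 1024)
    request = (b"POST /login HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"
               b"user=alice&password=Winter2023!")          # ASCII, as a web form post
    image[0x100:0x100 + len(request)] = request
    email = "alice@example.com".encode("utf-16le")           # UTF-16LE, as a mail client keeps it
    image[0x800:0x800 + len(email)] = email
    url = "https://intranet.example.internal/share/payroll.xlsx".encode("utf-16le")
    image[0xC00:0xC00 + len(url)] = url
    image[0x1200:0x1205] = b"ab\x00cd"                       # too short to be reported
    return bytes(image)


if __name__ == "__main__":
    for a in carve_artifacts(build_sample_image()):
        print(f"0x{a.offset:06x} {a.encoding:<8} {a.kind:<10} {a.value}")
```

The UTF-16 pass only recognises Latin text (each character is a printable byte followed by a NUL); other scripts need a wider character class. Offsets are kept so that a hit can be followed back to the page, and from there to the owning process, in a full framework.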

ACQUISITION AND ANALYSIS OF MEMORY

Volatile and non-volatile memory are the two types of memory in a system. Volatile memory stores data temporarily, while non-volatile storage holds data permanently. Memory holds the current working state of processes, registry data, process stacks, remnants of deleted files and decrypted copies of encrypted data. Volatile memory, or RAM (Random Access Memory), retains its contents only while the computer or device is powered on. Non-volatile storage (hard disks, solid-state drives and the like; NVRAM is one specific kind) is intended for long-term storage. When the computer is turned off, evidence in RAM is lost and normally cannot be recovered, whereas data on non-volatile storage remains after the system is turned off and can be analyzed afterwards. Acquisition is done by two different approaches: 1) live system/equipment, 2) dead system/equipment. A live system requires a different technique to retrieve data, since memory must be captured while the machine is still powered on, than a dead system, where only non-volatile storage remains. A Faraday bag is used to isolate a seized device from radio networks, so that it cannot be remotely wiped or altered, before forensics proceeds.

Acquisition is the process of collecting evidence from a seized device through which a crime was committed. For the device's storage, a write blocker is attached before any data is read, so that the evidence is not altered and a hash value can be calculated over it. The contents of RAM are captured with a RAM Dump forensic tool that copies all the data from RAM into an image file (reg.mem in the workflow described here), and registry hives are extracted with a Registry Dump tool; these files are then analyzed in tools such as EnCase and a report is generated. A write blocker cannot protect RAM, because memory has to be captured while the system is running and the capture tool itself occupies some memory, so the hash of the image is calculated as soon as it is written. If the hash of the data examined during analysis matches the hash recorded at acquisition, the evidence can be shown to be unaltered, and the accused may be prosecuted on this basis.
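The hash step above is easiest to get right if the image is hashed as it is written, so that the recorded value describes exactly the bytes that landed on disk, and re-checked immediately before analysis. The following Python is an added example of that workflow, not the paper's tool chain; the tool name in the manifest, the manifest layout and the 3 MiB buffer standing in for RAM are assumptions made for the example.

```python
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size; memory images are large, never read them whole


def acquire(source, image_path: str, manifest_path: str, tool: str = "example-ramdump") -> dict:
    """Stream `source` (a binary file-like object: a memory device node or the
    capture tool's output pipe) into image_path, hashing each chunk as it is
    written so the recorded SHA-256 covers exactly the bytes on disk.
    Writes a JSON manifest beside the image and returns it."""
    digest = hashlib.sha256()
    size = 0
    with open(image_path, "wb") as out:
        while chunk := source.read(CHUNK):
            out.write(chunk)
            digest.update(chunk)
            size += len(chunk)
        out.flush()
        os.fsync(out.fileno())  # make sure the image really reached stable storage
    manifest = {
        "image": os.path.basename(image_path),
        "size": size,
        "sha256": digest.hexdigest(),
        "tool": tool,  # assumed tool name for the example, not a real product
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "w") as m:
        json.dump(manifest, m, indent=2)
    return manifest


def hash_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify(image_path: str, manifest_path: str) -> bool:
    """Re-hash the image immediately before analysis and compare with the
    values recorded at acquisition; both size and digest must match."""
    with open(manifest_path) as m:
        manifest = json.load(m)
    return (os.path.getsize(image_path) == manifest["size"]
            and hash_file(image_path) == manifest["sha256"])


def demo() -> tuple[bool, bool]:
    """Acquire a constructed 3 MiB buffer standing in for RAM, verify it, then
    change one byte and verify again. Returns (before_tampering, after_tampering)."""
    fake_ram = io.BytesIO(bytes(range(256)) * (3 * 4096))
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "memory.raw")
        manifest = os.path.join(workdir, "memory.raw.json")
        acquire(fake_ram, image, manifest)
        clean = verify(image, manifest)
        with open(image, "r+b") as f:
            f.seek(0x1000)
            f.write(b"\xff")  # silently alter a single byte
        tampered = verify(image, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print(f"verified after acquisition: {before}; verified after tampering: {after}")
```

The manifest is what goes into the chain-of-custody record; a tool such as HashCalc computing the same digest over the same file must agree with it, and a single changed byte, as the demo shows, is enough to fail verification.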

TOOLS AND TECHNIQUES

This study focuses on two phases of memory analysis: acquisition of the data and analysis of the collected data. Evidence collection focuses on obtaining digital evidence in a form that is acceptable as evidence. There are primarily two approaches to obtaining physical memory images: hardware tools and software tools. This article focuses on software tools.

  • Volatility

Volatility is an open source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X and Linux.

Volatility is one of the best open source RAM analysis programs for 32-bit and 64-bit systems. It can analyze raw dumps, crash dumps, VMware (.vmem) dumps, VirtualBox dumps, hibernation files and many other formats. Volatility is used to analyze RAM images, from which data can be recovered. The hash values of evidence recovered from the image (saved files, deleted files, encrypted emails, password-protected files) can be calculated with HashCalc and compared against the originals.
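To make concrete what a framework like Volatility does with a RAM image, the following Python is an added, deliberately simplified model of its pslist and psscan plugins, not Volatility's own code: pslist walks the kernel's doubly linked list of process objects, while psscan signature-scans the whole image for process objects regardless of list membership and therefore also finds a process that a rootkit has unlinked from the list. The record layout, the "Proc" tag, the sanity checks and the sample image are constructed for this example and are not Windows' real structures; real tools must also translate virtual addresses through the page tables, which is skipped here by storing plain image offsets.

```python
import struct

# Constructed record layout for this example (NOT Windows' real _EPROCESS):
#   tag "Proc" | pid u32 | ppid u32 | flink u64 | blink u64 | name[16]
# flink/blink hold byte offsets into the image, standing in for the kernel
# pointers of the doubly linked process list.
TAG = b"Proc"
REC = struct.Struct("<4sIIQQ16s")   # 44 bytes, no padding
IMAGE_SIZE = 0x4000


def pack(pid: int, ppid: int, flink: int, blink: int, name: str) -> bytes:
    return REC.pack(TAG, pid, ppid, flink, blink, name.encode().ljust(16, b"\x00"))


def parse(image: bytes, off: int) -> dict:
    tag, pid, ppid, flink, blink, name = REC.unpack_from(image, off)
    return {"offset": off, "pid": pid, "ppid": ppid, "flink": flink, "blink": blink,
            "name": name.split(b"\x00", 1)[0].decode("ascii", "replace")}


def looks_valid(image: bytes, rec: dict) -> bool:
    """Sanity checks a scanner must apply; without them any stray 'Proc' byte
    sequence (for instance inside the word 'Processing') is reported as a process."""
    def in_image(p: int) -> bool:
        return 0 < p and p + REC.size <= len(image)
    return (rec["pid"] > 0
            and in_image(rec["flink"]) and in_image(rec["blink"])
            and image[rec["flink"]:rec["flink"] + 4] == TAG
            and image[rec["blink"]:rec["blink"] + 4] == TAG)


def pslist(image: bytes, head: int) -> list[dict]:
    """Walk the linked list from its head, as a pslist-style plugin does.
    A process a rootkit has unlinked (DKOM) is invisible to this view."""
    procs, seen, off = [], set(), head
    while off not in seen:
        seen.add(off)
        rec = parse(image, off)
        procs.append(rec)
        off = rec["flink"]
        if len(seen) > 10_000:
            raise ValueError("list never returns to its head; image may be corrupt")
    return procs


def psscan(image: bytes) -> list[dict]:
    """Signature-scan the whole image for process records, ignoring the list."""
    procs, pos = [], 0
    while (hit := image.find(TAG, pos)) != -1:
        pos = hit + 1                      # hits may overlap, so advance one byte at a time
        if hit + REC.size > len(image):
            break
        rec = parse(image, hit)
        if looks_valid(image, rec):
            procs.append(rec)
    return procs


def hidden_processes(image: bytes, head: int) -> list[dict]:
    """What psscan finds that pslist does not: the classic hidden-process check."""
    listed = {p["offset"] for p in pslist(image, head)}
    return [p for p in psscan(image) if p["offset"] not in listed]


def build_sample_image() -> tuple[bytes, int]:
    """Constructed image: four linked processes plus hidden.exe, whose own
    pointers are intact but whose neighbours were patched to skip it."""
    img = bytearray(IMAGE_SIZE)
    A, B, C, H, D = 0x1000, 0x1100, 0x1200, 0x1300, 0x1400
    img[A:A + REC.size] = pack(4, 0, B, D, "System")
    img[B:B + REC.size] = pack(348, 4, C, A, "smss.exe")
    img[C:C + REC.size] = pack(1234, 348, D, B, "explorer.exe")
    img[H:H + REC.size] = pack(666, 1234, D, C, "hidden.exe")   # unlinked by DKOM
    img[D:D + REC.size] = pack(2000, 1234, A, C, "notepad.exe")
    img[0x800:0x810] = b"Processing done\x00"   # decoy: the tag inside ordinary text
    return bytes(img), A


if __name__ == "__main__":
    image, head = build_sample_image()
    print("pslist:", [p["name"] for p in pslist(image, head)])
    print("psscan:", [p["name"] for p in psscan(image)])
    print("hidden:", [p["name"] for p in hidden_processes(image, head)])
```

The point of the decoy is that a scanner's signature is never enough on its own: the record behind a tag hit has to pass structural checks (pointers inside the image, pointing at other tagged records) or the scan drowns in false positives, which is also why the real plugins validate pool headers and object headers before reporting anything.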

  • Autopsy

Autopsy is an open source digital forensics platform with a graphical user interface for efficient analysis of hard drives and smartphones. It is used by thousands of users around the world to find out what actually happened on a computer, including corporate examiners and the military, and offers features such as file type detection, media playback and registry analysis.

  • Mandiant Memoryze

MANDIANT Memoryze, formerly known as MANDIANT Free Agent, is a memory analysis tool. Memoryze can not only retrieve physical memory from Windows, but it can also perform advanced analysis of live memory while the computer is running. All analysis can be performed against either an acquired image or a live system.

  • Belkasoft Evidence Center

Belkasoft Evidence Center makes it easy for investigators to retrieve, search, analyze, store and share digital evidence found on computers and mobile devices. The toolkit quickly retrieves digital evidence from a variety of sources by analyzing hard drives, disk images, memory dumps, iOS, BlackBerry and Android backups, and chip-off dumps. Evidence Center automatically analyzes the data source and extracts the most forensically relevant artifacts for the investigator to review, examine further, or add to the report.

  • WxHexEditor

WxHexEditor is an open source, cross-platform hex editor written in C++ and wxWidgets. It uses 64-bit file offsets (supporting files or devices up to 2^64 bytes) and does not copy the entire file into RAM, which makes it faster and allows very large files, such as full memory images, to be opened. It can also be used to view and edit disks and HDD sectors directly (useful for manually rescuing files or partitions).

  • HELIX3

HELIX3 can collect data from physical memory, network connections, user accounts, running processes and services, scheduled tasks, the Windows registry, chat logs, screenshots, applications, drivers, environment variables and Internet history, and the collected data is subsequently analyzed on the basis of its report.

CONCLUSION

Memory forensics is widely used to acquire, analyze and report on the contents of memory. Memory forensic tools fetch the contents of RAM (physical memory) from a seized device; the device's storage is connected through a write blocker so that the evidence is not altered. We used RAM Dump and Autopsy to collect data. These tools recover data such as deleted files, deleted logs and running processes from physical memory and the registry; RAM Dump, Registry Dump, Autopsy and Volatility are used to preserve the captured data and help generate the forensic report. Although many different tools are used for memory forensics, each has a different purpose and a different data collection method. Six tools were investigated on the basis of their features; of these, Autopsy and Belkasoft Evidence Center fulfil most of the requirements.

ACKNOWLEDGEMENT

I would like to express my sincere gratitude towards the Information Technology Department of Patkar-Varde College. I give my special thanks and sincere gratitude towards the In-Charge Principal Dr. Trisha Joseph, Chief Co-ordinator Ms. Ruchita Rane and Co-ordinator of the IT Department Ms. Namarata Kawale Shinde. I owe my sincere thanks to Mr. Sohrab Vakharia Sir for constant support, encouragement and guidance.

REFERENCES

  • Reith, M., Carr, C., Gunsch, G. (2002). An Examination of Digital Forensic Models. International Journal of Digital Evidence, 1(3), pp. 1–12.
  • Berning, T., Dreseler, M., Faust, M., Plattner, H., Schwalb, D. (2015). nvm malloc: Memory Allocation for NVRAM. ADMS@VLDB.
  • Kolhe, M. et al. (2017). Live vs Dead Computer Forensic Image Acquisition. International Journal of Computer Science and Information Technologies, 8(3), pp. 455–457.
  • Rahevar, D. (2013). Study on Live Analysis of Windows Physical Memory. IOSR Journal of Computer Engineering (IOSR-JCE), 15(4), pp. 76–80.
  • Yang, R., Ren, J., Bai, S., Tian (2017). A Digital Forensic Framework for Cloud Based on VMI. 2nd International Conference on Computer Science and Technology (CST 2017), ISBN 978-1-60595-461-5.
  • MANDIANT Memoryze User Guide, Version 3.0.0. https://www.fireeye.fr/content/dam/fireeyewww/services/freeware/ugmemoryze.pdf
  • Belkasoft Evidence Center 2018. https://belkasoft.com/ec

 

 

