Category : Digital Forensics
First of all, let me make you familiar with some of the basic terms, each explained in a few lines.
Basically, forensics stands for analyzing, detecting, researching or investigating a case, whether it is a criminal case or laboratory research, and then presenting the findings in a manner which is legally acceptable.
Note : Computer forensics comes under Digital forensics.
REMEMBER: Before starting any forensics investigation, always go through the six A's of forensics.
1. ASSESSMENT : Looking at the scenario of the case.
2. ACQUISITION : Acquiring knowledge about the case.
3. AUTHENTICATION : Digital proofs like RAM (serial no.), HDD (model no.) etc.
4. ANALYSIS : Examining the case.
5. ARTICULATION : Report making.
6. ARCHIVAL : Presenting the case file with all evidence in front of the judge.
Computer forensics has various sub-parts like:
o REGISTRY FORENSICS AND MEMORY FORENSICS etc.
In this tutorial we will learn about memory forensics and the following things related to it:
· What is memory forensics?
· How does it work?
· Why is it needed?
· How is it used?
What is Memory Forensics?
Memory forensics is forensics done by dumping the computer's memory into a format which is then used, with specific tools, to extract information such as the processes running on that particular computer.
Why is there a need for Memory Forensics?
Suppose some terrorists are planning to explode bombs in a country and are doing everything by just sitting in front of their computers, and suddenly the victim country comes to know the location of the terrorists; knowing this, the terrorists run away, shutting the computer down and leaving it behind.
Now a professional computer forensics investigator will be called to analyze the computer so that as much information as possible can be taken out without losing the crucial information used by the terrorists. Now you must understand why there is a need for memory forensics.
Always remember that there are two types of digital evidence:
1. Persistent Data :-
The data which remains in the computer even when the computer is turned off.
e.g. - Data stored on hard disks, pen drives.
2. Volatile Data :-
The data which may be lost when the computer is turned off or restarted.
e.g. - Registry forensics, temporary files, web browsing history etc.
Note :- This data is temporary, so during computer forensics one should first try to dump the RAM data and analyse it, as it is the volatile data; that is what we call memory forensics.
We can use various tools to dump the RAM data (volatile data):
1. FTK Imager
2. OSForensics
3. WinPmem & many more
We are going to use the OSForensics tool to dump the memory.
OSForensics is used when the system is running; otherwise you may use FTK Imager or Helix, as they can be used live without running the computer.
Using Helix and tools like FTK may prevent the running processes from being overwritten.
Step 1 :- Download OSForensics from the below link,
install it and open it. You will find many forensic tools or options built into OSForensics.
Now click on Memory Viewer.
Step 2 :- Now select any process and click on Dump Physical Memory, and save the dump file (a .bin file) to a specific location, as we need to analyse it later.
It may take several minutes depending upon the number of processes running at that particular time.
We are done with dumping the computer's memory; now we need to analyse the .bin file so as to extract information about the running processes.
Step 3 :- Open Kali Linux or BackTrack.
In Kali or BackTrack there is a tool named Volatility. It may be called the most important tool in memory forensics.
In BACKTRACK -- go to Applications -- Forensics -- RAM Forensics Tools -- Volatility.
In KALI LINUX -- go to Forensics -- Volatility.
Open a terminal and type the following commands (the cd commands start from the filesystem root):
cd /usr          // root@kali:/usr
cd share         // root@kali:/usr/share
cd volatility    // root@kali:/usr/share/volatility
ls               // you will see a file named vol.py
Volatility provides the following data extraction tools:
Various commands (plugins) are available in Volatility to analyse the .bin dump file.
Type the following in the terminal:
python vol.py --help    // it will show all available commands in Volatility
Some important ones are listed below.
1. pslist      // to list the running processes
2. psscan      // to scan for hidden or terminated processes
3. netscan     // for the different connections available
4. sockscan    // for the different connections available
5. connscan    // for the different connections available
6. devicetree  // for the drivers installed on the computer
7. cachedump   // for password related information
8. zeusscan    // to detect Zeus malware
9. deskscan    // for detecting ransomware malware
10. modscan    // for detecting hidden modules
Step 4 :- Executing the above commands.
python vol.py pslist --profile=win8sp1x64 -f /root/Desktop/xyz.bin
python vol.py psscan --profile=win8sp1x64 -f /root/Desktop/xyz.bin
python vol.py netscan --profile=win8sp1x64 -f /root/Desktop/xyz.bin
python vol.py deskscan --profile=win8sp1x64 -f /root/Desktop/xyz.bin
python = the language the Volatility tool is written in
vol.py = name of the tool
pslist, psscan, netscan, deskscan = different commands (plugins) in Volatility
--profile=win8sp1x64 = the Windows OS version of the computer whose memory dump was taken
-f = file name with location
You may use -l for giving the file location.
/root/Desktop/xyz.bin = location of the dump file xyz.bin
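The point of running both pslist and psscan is the cross-view check: a process that psscan finds in pool memory but that is missing from pslist's linked list (and has not exited) is a candidate hidden process. The script below is an added example, not part of the tutorial or of Volatility itself; it parses the text output of the two plugins (a constructed sample in Volatility 2 layout is embedded so it runs offline) and reports the difference, and run_plugin shows how to invoke vol.py with the same arguments as Step 4.

```python
"""Cross-view check of pslist vs psscan output (added example, constructed data)."""
import re
import subprocess

# Constructed sample output in Volatility 2 pslist / psscan layout; not from a real dump.
PSLIST_SAMPLE = """Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0b30 System                    4      0     88      570 ------      0 2016-01-01 10:00:00 UTC+0000
0xfffffa8001a2b740 explorer.exe           1540   1488     30      890      1      0 2016-01-01 10:01:12 UTC+0000
"""

PSSCAN_SAMPLE = """Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e0f2040 System                4      0 0x00000000001a7000 2016-01-01 10:00:00 UTC+0000
0x000000003f1c2b30 explorer.exe       1540   1488 0x000000003aa1c000 2016-01-01 10:01:12 UTC+0000
0x000000003f9d0880 svch0st.exe        2212   1540 0x000000003bb2e000 2016-01-01 10:02:30 UTC+0000
0x000000003fa44b30 notepad.exe        2330   1540 0x000000003cc3f000 2016-01-01 10:03:00 UTC+0000 2016-01-01 10:05:00 UTC+0000
"""

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parse_processes(output):
    """Return {pid: (name, ppid, exited)} from pslist or psscan text output.
    Both layouts start with offset, name, PID, PPID; a second date means an exit time."""
    procs = {}
    for line in output.splitlines()[2:]:          # skip header and separator rows
        tokens = line.split()
        if len(tokens) < 4 or not tokens[0].startswith("0x"):
            continue
        dates = [t for t in tokens if DATE_RE.match(t)]
        procs[int(tokens[2])] = (tokens[1], int(tokens[3]), len(dates) == 2)
    return procs


def hidden_processes(pslist_out, psscan_out):
    """Processes found by the pool scanner but absent from the process list and not exited."""
    listed = parse_processes(pslist_out)
    scanned = parse_processes(psscan_out)
    return sorted((pid, name) for pid, (name, _ppid, exited) in scanned.items()
                  if pid not in listed and not exited)


def run_plugin(plugin, dump, profile="win8sp1x64", vol="vol.py"):
    """Run one Volatility 2 plugin exactly as in Step 4 and return its text output."""
    cmd = ["python", vol, "--profile=" + profile, "-f", dump, plugin]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # With a real dump: hidden_processes(run_plugin("pslist", d), run_plugin("psscan", d))
    print(hidden_processes(PSLIST_SAMPLE, PSSCAN_SAMPLE))   # [(2212, 'svch0st.exe')]
```

The exited notepad.exe entry is deliberately ignored, because psscan also recovers terminated processes that were legitimately unlinked; only live, unlisted entries deserve a closer look.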
Keep sharing if you found this useful.
© 2016 Copyrights. All Rights Reserved