For a long time, law enforcement and other organizations performing digital forensic tasks associated with incident investigations often relied on methodologies that focused on evidence contained within the hard drive of a machine. Procedures dictated that the system should be powered down and the hard drive removed for imaging. While this methodology and the associated procedures were effective at ensuring the integrity of the evidence, this overlooked the wealth of information that was contained within the Random Access Memory (RAM), or memory for short, of the targeted system. As a result, incident response analysts began to focus a great deal of attention on ensuring that appropriate methods were employed that maintained the integrity of this evidence, as well as giving them a platform from which to obtain information of evidentiary value.

This chapter...

When discussing analyzing the memory of a system, there are two terms that are used interchangeably. The terms RAM and memory are used to describe the portion of the computer's internal systems where the operating system places data utilized by applications and the system hardware while that application or hardware is in use. What makes RAM or memory different from storage is the volatile nature of the data. Often, if the system is shut down, the data will be lost.

One change in operating systems that has had a direct impact on memory analysis is the advent of the 64-bit OS. The use of a 64-bit register allows the OS to reference a total of 17,179,869,184 GB of memory. When compared to the 32-bit OS, this is several million more times the amount of data previously available. As a result, there is a good deal of data contained within RAM at the time...

When examining system memory, it is advisable for analysts to follow a methodology. This ensures that all potential evidence is uncovered and can be utilized in an incident investigation. There are a variety of methodologies that can be leveraged. Which specific methodology is used can often be dependent on the type of incident. For example, a methodology that is geared towards identifying indicators of compromise around a malware infection may yield a great deal of information but may not be the best approach if the analyst has evidence from other network sources of a suspect IP address.

One of the chief aims of memory analysis is to identify potentially malicious processes or executables that can be extracted and examined. Much of the material that is present in this chapter will carry over into Chapter 12, Malware Analysis for Incident Response,...

One powerful tool that analysts should include in their toolkits is Mandiant Redline. This Microsoft Windows application provides a feature-rich platform for analyzing memory images. These features include the ability to create a memory collector, although the tool will work with memory captures that have been performed via tools previously discussed. There is also the ability to utilize previously discovered Indicators of Compromise (IOCs) to aid in the examination. The tool can be downloaded at https://www.fireeye.com/services/freeware/redline.html. The download package includes a Microsoft self installer.

To demonstrate some of the key features of Redline, the Stuxnet...

Volatility is an advanced open source memory forensics framework. The primary tool within the framework is the Volatility Python script, which utilizes a wide array of plugins to perform the analysis of memory images. As a result, Volatility can be run on any operating system that supports Python. In addition, Volatility can be utilized against memory image files from most of the commonly distributed operating systems, including Windows for Windows XP to Windows Server 2016, macOS, and finally, common Linux distributions.

There is a range of plugins available for Volatility with more being developed. For the purposes of examining system memory, several plugins will be examined to ensure that the responder has sufficient information to conduct a proper analysis. It is recommended though that, prior to using Volatility, the analyst ensures that software...

In the previous sections, the Redline and Volatility tools focused on those areas of the memory image that are mapped. In the event that data is not properly mapped, these tools would be unable to extract the data and present it properly. This is one of the drawbacks of these tools for memory analysis. There is a good deal of data that will become unstructured and invisible to these tools. This could be the case when network connections are shut down or processes are exited. Even though they may not show up when the RAM is examined via Redline or Volatility, trace evidence will often still be present.

One tool that is useful for extracting these traces is the strings command present in many of the Linux and Windows OSes. Strings allows a responder to search for human-readable strings of characters. Given a set of keywords or GREP (short for Global...

This chapter discussed two major topic areas of memory analysis. First is the data points available and the methodology that can be followed. In addition, several tools, such as Redline, Volatility, and Strings have been explored. In addition to an overview of these tools, several of their features have been explored. This only scratches the surface of the number of features each of these tools has to offer the incident response analyst. These tools, taken in conjunction with a methodology for analyzing system RAM, can give the analyst a powerful tool for determining if a system has been compromised. With malware becoming more advanced, including malware that executes entirely in RAM, it is critical that analysts incorporate memory analysis into their capability. Marrying these techniques with network evidence collection can provide analysts and their organizations with...

1. What are some of the data points that can be found via memory analysis?

A) Running processes
B) Network connection
C) Command history
D) All of the above

2. What is not part of the network connections methodology?

A) Process name
B) Parent process ID
C) Check for signs of a rootkit
D) Associated entities

3. Dumping files associated with a process will never introduce malware to a responder's system.

A) True
B) False

4. One of the primary goals of memory analysis is to acquire malicious processes or executables for further analysis.

A) True
B) False

• SANS Memory Forensics Cheat Sheet: https://digital-forensics.sans.org/blog/2017/12/11/updated-memory-forensics-cheat-sheet
• Redline User Guide: https://www.fireeye.com/content/dam/fireeye-www/services/freeware/ug-redline.pdf