SlideShare uma empresa Scribd logo

Memory Forensics

n|u - The Open Security Community
n|u - The Open Security Community

null Mumbai Chapter Meet - December 2013

EducaçãoTecnologia
1 de 18
Baixar para ler offline
आज का आहार Memory Forensics Varun Nair @w3bgiant
#whoami O Security enthusiast. O For food and shelter, I work with ZEE TV O For living, I learn 4N6, Malwares and Reverse Engineering O Recent developments: O Chapter lead at Null, Mumbai chapter.
If you listen!!!!! O Forensics Fundamentals O Action Plan O Order of Volatility O Methodologies O Dead Forensics O Live Forensics O Demo
ELSE!!!!
Forensics Fundamentals O Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. O "Gathering and analysing data in a manner as free from distortion or bias as possible to reconstruct data or what happened in the past on a system [or a network]“ -Dan Farmer / Wietse Venema
Action Plan- First Response Arrive on Crime scene Machine state = OFF DEAD FORENSICS Machine state = ON LIVE FORENSICS
Order of Volatility MOST ….. LEAST • CPU, cache and register content • Routing table, ARP cache, process table, kernel statistics • Memory • Temporary file system / swap space •Data on hard disk •Remotely logged data •Raw Disk Blocks
Forensics Methodologies O “LIVE” Forensics O “DEAD” Forensics
DEAD FORENSICS O The dead analysis is more common to acquire data. O A dead acquisition copies the data without the assistance of the suspect’s (operating) system. O Analysing a “dead” system that has had it’s power cord pulled.
DEAD FORENSICS O During data acquisition an exact (typically bitwise) copy of storage media is created. O Least chance of modifying data on disk, but “live” data is lost forever.
LIVE FORENSICS O Focuses on extracting and examination of the volatile forensic data that would be lost on power off O A live acquisition copies the data using the suspect’s (operating) system O Live forensics is not a “pure” forensic response as it will have minor impacts to the underlying machine’s operating state – The key is the impacts are known
LIVE FORENSICS O Often used in incident handling to determine if an event has occurred O May or may not proceed a full traditional forensic analysis O If you work on a suspect’s system you should boot/use trusted tools (e.g. CD, USB stick):
LIVE FORENSICS THE IMAGE WILL HAVE NO AUTHENTICITY No two images can have the “same hash value”
Forensic Response Principles – Maintain forensic integrity – Require minimal user interaction – Gather all pertinent information to determine if an incident occurred for later analysis - Enforce sound data and evidence collection
Methodology ACQUIRE CONTEXT ANALYSE •Capture RAM Memory •Find Memory Offsets and establish contexts •Analyse data and recover evidence
In MEMORY data?? O Current running processes and terminated processes. O Open TCP/UDP ports/raw sockets/active connections. O Caches O -Web addresses, typed commands, passwords, clipboards, SAM databases, edited files. O Memory mapped files O -Executable, shared, objects(modules/drivers), text files.
DEMO O Collecting Memory dumps: DUMPIT by MOONSOLS O Analysing Memory dumps: WinHex and Volatility Framework 2.3
और कोई सवाल

Recomendados

Memory forensics
Memory forensicsMemory forensics
Memory forensics
Sunil Kumar
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
Santosh Khadsare
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
Email investigation
Email investigationEmail investigation
Email investigation
Animesh Shaw
 
Incident response
Incident responseIncident response
Incident response
Anshul Gupta
 
Incident response process
Incident response processIncident response process
Incident response process
Bhupeshkumar Nanhe
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
Roberto Ellis
 

Recomendados

Memory forensics
Memory forensicsMemory forensics
Memory forensics
Sunil Kumar
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
Santosh Khadsare
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
Email investigation
Email investigationEmail investigation
Email investigation
Animesh Shaw
 
Incident response
Incident responseIncident response
Incident response
Anshul Gupta
 
Incident response process
Incident response processIncident response process
Incident response process
Bhupeshkumar Nanhe
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
Roberto Ellis
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
Milap Oza
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Mithileysh Sathiyanarayanan
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensics
Mayank Chaudhari
 
Data recovery power point
Data recovery power pointData recovery power point
Data recovery power point
tutannandi
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodology
Piyush Jain
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
Anshul Tayal
 
computer forensics
computer forensicscomputer forensics
computer forensics
Akhil Kumar
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
Digit Oktavianto
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Vikas Jain
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
deaneal
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
vishnuv43
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
abdullah roomi
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Handling digital crime scene
Handling digital crime sceneHandling digital crime scene
Handling digital crime scene
SKMohamedKasim
 
Digital&computforensic
Digital&computforensicDigital&computforensic
Digital&computforensic
Rahul Badekar
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
Filip Maertens
 
Data recovery
Data recoveryData recovery
Data recovery
Mir Majid
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
9905234521
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Nicholas Davis
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
Shreya Singireddy
 
Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014
Muzzammil Wani
 

Mais conteúdo relacionado

Mais procurados

Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
Milap Oza
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
 
computer forensics
computer forensicscomputer forensics
computer forensics
Akhil Kumar
 

Mais procurados (20)

Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensics
 
Data recovery power point
Data recovery power pointData recovery power point
Data recovery power point
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodology
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
Handling digital crime scene
Handling digital crime sceneHandling digital crime scene
Handling digital crime scene
 
Digital&computforensic
Digital&computforensicDigital&computforensic
Digital&computforensic
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
 
Data recovery
Data recoveryData recovery
Data recovery
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 

Semelhante a Memory Forensics

computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
Criminalistics DB3NameClassDatePro.docx
Criminalistics DB3NameClassDatePro.docxCriminalistics DB3NameClassDatePro.docx
Criminalistics DB3NameClassDatePro.docx
faithxdunce63732
 
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02
Wayne Norris
 
ResearchPaperITDF2435
ResearchPaperITDF2435ResearchPaperITDF2435
ResearchPaperITDF2435
Manuel Garza
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics report
yash sawarkar
 

Semelhante a Memory Forensics (20)

Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014Cyber forensics 02 mit-2014
Cyber forensics 02 mit-2014
 
PACE-IT, Security+ 2.4: Basic Forensic Procedures
PACE-IT, Security+ 2.4: Basic Forensic ProceduresPACE-IT, Security+ 2.4: Basic Forensic Procedures
PACE-IT, Security+ 2.4: Basic Forensic Procedures
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
 
Automated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data AcquisitionAutomated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data Acquisition
 
N.sai kiran IIITA AP
N.sai kiran IIITA APN.sai kiran IIITA AP
N.sai kiran IIITA AP
 
CS426_forensics.ppt
CS426_forensics.pptCS426_forensics.ppt
CS426_forensics.ppt
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Criminalistics DB3NameClassDatePro.docx
Criminalistics DB3NameClassDatePro.docxCriminalistics DB3NameClassDatePro.docx
Criminalistics DB3NameClassDatePro.docx
 
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02
TheInternetOfEvidence(tm)-LittleBrotherIsWatchingYou-AndHe'sTakingNotes!-02
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 
Sujit
SujitSujit
Sujit
 
ResearchPaperITDF2435
ResearchPaperITDF2435ResearchPaperITDF2435
ResearchPaperITDF2435
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Digital Forensics Workshop
Digital Forensics WorkshopDigital Forensics Workshop
Digital Forensics Workshop
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics report
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation
 
3871778
38717783871778
3871778
 
File000129
File000129File000129
File000129
 

Mais de n|u - The Open Security Community

Mais de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Último

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 

Último (20)

How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 

Memory Forensics

  • 1. आज का आहार Memory Forensics Varun Nair @w3bgiant
  • 2. #whoami O Security enthusiast. O For food and shelter, I work with ZEE TV O For living, I learn 4N6, Malwares and Reverse Engineering O Recent developments: O Chapter lead at Null, Mumbai chapter.
  • 3. If you listen!!!!! O Forensics Fundamentals O Action Plan O Order of Volatility O Methodologies O Dead Forensics O Live Forensics O Demo
  • 5. Forensics Fundamentals O Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. O "Gathering and analysing data in a manner as free from distortion or bias as possible to reconstruct data or what happened in the past on a system [or a network]“ -Dan Farmer / Wietse Venema
  • 6. Action Plan- First Response Arrive on Crime scene Machine state = OFF DEAD FORENSICS Machine state = ON LIVE FORENSICS
  • 7. Order of Volatility MOST ….. LEAST • CPU, cache and register content • Routing table, ARP cache, process table, kernel statistics • Memory • Temporary file system / swap space •Data on hard disk •Remotely logged data •Raw Disk Blocks
  • 8. Forensics Methodologies O “LIVE” Forensics O “DEAD” Forensics
  • 9. DEAD FORENSICS O The dead analysis is more common to acquire data. O A dead acquisition copies the data without the assistance of the suspect’s (operating) system. O Analysing a “dead” system that has had it’s power cord pulled.
  • 10. DEAD FORENSICS O During data acquisition an exact (typically bitwise) copy of storage media is created. O Least chance of modifying data on disk, but “live” data is lost forever.
  • 11. LIVE FORENSICS O Focuses on extracting and examination of the volatile forensic data that would be lost on power off O A live acquisition copies the data using the suspect’s (operating) system O Live forensics is not a “pure” forensic response as it will have minor impacts to the underlying machine’s operating state – The key is the impacts are known
  • 12. LIVE FORENSICS O Often used in incident handling to determine if an event has occurred O May or may not proceed a full traditional forensic analysis O If you work on a suspect’s system you should boot/use trusted tools (e.g. CD, USB stick):
  • 13. LIVE FORENSICS THE IMAGE WILL HAVE NO AUTHENTICITY No two images can have the “same hash value”
  • 14. Forensic Response Principles – Maintain forensic integrity – Require minimal user interaction – Gather all pertinent information to determine if an incident occurred for later analysis - Enforce sound data and evidence collection
  • 16. In MEMORY data?? O Current running processes and terminated processes. O Open TCP/UDP ports/raw sockets/active connections. O Caches O -Web addresses, typed commands, passwords, clipboards, SAM databases, edited files. O Memory mapped files O -Executable, shared, objects(modules/drivers), text files.
  • 17. DEMO O Collecting Memory dumps: DUMPIT by MOONSOLS O Analysing Memory dumps: WinHex and Volatility Framework 2.3