What to use for RAM capture?

RAM Capture

RAM is one of the main components of a computer: it is the memory into which all the instructions executed by the processor and other computer units are loaded. This memory is volatile, which means that when the computer is turned off and loses its power supply, the information it contains is lost.

Because of this, during the evidence collection phase of a forensic analysis, if one of the machines is still powered on, one of the steps to perform is to capture its RAM for later study.

This article covers the “hot” (live) evidence acquisition process used to acquire a computer's RAM. It also explains the steps to follow for its later analysis.

This process is typical of the work of a forensic examiner who is asked to analyze a computer because it has been infected by malware, or because a disgruntled employee is suspected of extracting confidential information from it.

The term “hot acquisition” refers to the distinction between volatile and non-volatile memory: RAM can only be acquired while the computer is turned on; once it is powered off, this is impossible.

To simulate a real case, a separate hard disk containing all the tools to be used was prepared. This is good practice: it avoids altering the RAM by running programs already installed on the PC, since we cannot know whether those programs have been tampered with to produce predetermined results.

DumpIt

If DumpIt is used, the capture is run from the Windows console.

In this case, FTK Imager has been used. To do this, create a new image, select the image format (E01) and, finally, the location where you want to save it, so that the RAM acquisition begins.

To respect the chain of custody, a hash of the RAM dump is computed. Tools such as WinHex or Hash files can be used for this.

Once the RAM has been acquired onto an external device, it is analyzed. The Volatility tool will be used to analyze the RAM dump and to extract data from it.

Important: Volatility ships as a standalone executable, but the Python version is recommended, since it lets you “play” with it and is more powerful. When using Volatility from Python, its dependencies must be downloaded and installed as precompiled libraries.

FTK Imager

AccessData’s FTK Imager is a tool for replicating and previewing data, which allows a quick evaluation of electronic evidence to determine whether further analysis is warranted with a forensic tool such as the AccessData Forensic Toolkit. FTK Imager can also create perfect copies (forensic images) of computer data without making changes to the original evidence.

It is important to mention the use of a write blocker when using FTK Imager to create a forensic image of a hard drive or other electronic device. This ensures that the operating system does not alter the source drive when it is attached to the computer.

Once we click the “Capture Memory” option, the next window shows all the available options. They are quite clear: we give a destination path and a file name, and that’s it!

An additional option that is offered, and which I personally always enable, is to include the pagefile (pagefile.sys) in the dump, since a wealth of information can be found within this file.

It is as simple as indicating the path where our forensic image of the RAM will be created and starting the capture. As with DumpIt, the generated file must then be signed (hashed) to preserve its integrity.
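Hashing the dump immediately after acquisition, as described above for both DumpIt and FTK Imager, can be scripted so the digests are recorded consistently. The following is an added Python example (not the article's or any vendor's code): it stream-hashes an image, writes a manifest with the digests, size, time and examiner name beside it, and re-verifies the image against that manifest later. The dump file it creates is a constructed zero-filled stand-in, not a real capture.

```python
# Added example (not the article's or any tool's code): seal and re-verify a memory image.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory use flat on multi-GB dumps

def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for `path`, reading the file only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def write_manifest(dump_path, examiner):
    """Record who hashed which image, when, and its digests, next to the image."""
    record = {
        "image": os.path.basename(dump_path),
        "size_bytes": os.path.getsize(dump_path),
        "hashed_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "hashes": hash_file(dump_path),
    }
    manifest = dump_path + ".manifest.json"
    with open(manifest, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return manifest

def verify_manifest(dump_path, manifest_path):
    """True only if the size and every recorded digest still match the image."""
    with open(manifest_path, encoding="utf-8") as fh:
        record = json.load(fh)
    if os.path.getsize(dump_path) != record["size_bytes"]:
        return False
    current = hash_file(dump_path, record["hashes"])
    return all(current[n] == d for n, d in record["hashes"].items())

def demo():
    """Seal a constructed fake image, then show that a single changed byte is caught."""
    dump = os.path.join(tempfile.mkdtemp(), "memdump.raw")  # constructed, not a real capture
    with open(dump, "wb") as fh:
        fh.write(b"\x00" * (CHUNK + 17))  # odd length exercises the final partial chunk
    manifest = write_manifest(dump, "examiner-01")
    intact = verify_manifest(dump, manifest)
    with open(dump, "r+b") as fh:  # alter the first byte: what the re-hash must detect
        fh.write(b"\x01")
    return intact, verify_manifest(dump, manifest)
```

Keep the manifest on a medium separate from the image (or print it into the case notes), since a manifest that travels with a tampered image can be rewritten alongside it.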

Belkasoft RAM Capturer for Forensics

Belkasoft Live RAM Capturer is a small forensic utility that allows us to extract the entire contents of volatile memory, even when anti-dumping and anti-capture protection is in place. 32-bit and 64-bit versions are available, each designed to keep its footprint as small as possible.

Memory dumps, or “captures”, made with Belkasoft Live RAM Capturer can be analyzed with Belkasoft Evidence Center. The RAM Capturer is compatible with any version of Windows, including XP, Vista, Windows 7 and 8, and Server 2003 and 2008.

To extract this ephemeral data from system memory, forensic examiners must use appropriate analysis software such as Belkasoft Evidence Center. Other tools, such as Elcomsoft Forensic Disk Decryptor, are also used to extract passwords for encrypted volumes from memory.

Belkasoft has minimal impact on system memory, as it requires no installation and can be run quickly from an external USB drive. It comes with both 32-bit and 64-bit kernel versions to ensure compatibility. One of the problems traditionally presented by memory dumping programs is the alteration they produce in memory, changing its contents (albeit minimally), which in many cases causes the results not to be accepted as evidence.

Mandiant Redline

Mandiant Redline allows us to create a memory “collector”, which we can configure according to the needs of each case; in my laboratory we keep more than one collector available.

Redline also allows us to perform live memory analysis, but we’ll cover that in another post; for now, we’ll concentrate on how to create a collector.

Redline gives us the option to create two types of collectors:

  • A standard collector, which gathers the information needed to perform a memory-focused analysis.
  • A comprehensive collector, which by default has almost every type of information Redline can obtain selected. The only option not included is string collection, since selecting it considerably increases the time the tool takes to dump memory.

Once you have selected the type of collector you will see the following screen:

On this screen you have the option to select “Acquire Memory Image”. This matters because the Redline collector generates a folder named “Sessions\AnalysisSession1” containing a file with the “.mans” extension, which can only be opened in Redline; if we want to examine the memory with other software such as Volatility or Rekall, we need a raw image.

We can see the options to configure in our collector by clicking “Edit your script”. The image shows the options for a comprehensive collector; I’m not going to include an image of each available tab, it is enough to know that this is where we configure what we want Redline to collect when the collector runs.

Finally, in the upper right corner of this window there is an option called “Show Advanced Parameters”. I have used it when I want to sweep every system on my network for a process I know to be malicious, to check whether it is present on some other system, since this option allows you to specify things such as the PID and process name.

Once the collector is configured, we give it a destination path and a folder is generated with the following content:

WinPmem

This tool does not allow as much configuration as Redline, but it offers greater speed in memory acquisition and a couple of extra options that make it a fascinating tool. Rekall not only offers a memory acquisition tool but is also a framework for analyzing the dumps we make, much like Volatility; however, in this post we will not go into the details of dump analysis.