Windows Volatile Memory Acquisition & Forensics 2018 | Lucideus Forensics

“Exploring volatile memory (RAM) acquisition techniques, data extraction & other forensic techniques for Windows based Operating Systems”

Introduction

Digital forensic investigation depends primarily on the data stored in the storage media along with the primary storage the most crucial part of investigation is gathering volatile memory. Volatile memory or random access memory stores information such as running process, incognito browsing sessions, clipboard data , information stored in plain text files and much more.

In case of any malware attack or suspicious activity, capturing volatile memory becomes essential as it stores the running process and services information. To perform complete system malware analysis, it is essential to capture running process information, services, system service behavior, registry updations, network traffic and other crucial information.

Why Gather Volatile Memory

Volatile memory contains the following system artifacts which gets lost when the device is restarted or shut down. The following artifacts can be expected out of the volatile memory acquisition process:

1. System Process
2. Running services
3. Clipboard Information
4. Browsing Sessions (Incognito Sessions)
5. Passwords
6. Accessed Files and Multimedia
7. Chats/Running Application stored data

When to Acquire Volatile Memory

During an incident response, an investigator has to analyze the suspected machines and the profitability of capturing live ram. Device has to be unlocked authentically and RAM dumping modules has to be loaded according to the host operating system. A USB flash memory of around 64 GB or higher has to be utilized and created with RAM dumping modules to minimize the digital footprints of acquisition.

The steps for acquisition are as follows:

1. Determine the state of the machine
2. Identify the operating system
3. Check for authentic device access
4. Insert acquisition media
5. Perform Volatile Memory Dump
6. Collect SWAP, PAGEFILE.sys and system protected files
7. Hash and verify the acquired files
8. Create Investigator copies

Understanding Process Limitations

Limitations in volatile memory acquisitions are plenty, it completely depends on the scenario and machine’s state . A locked machine with limited access cannot be utilized for volatile memory analysis . The unlocking procedure will create changes to the system data and can cause system instability.

For mobile device platforms, the volatile memory dump is available only for the devices having administrative access or privileges in simple terms, device has to be rooted or jailbroken. The Memory dump is specific to the user account it has been accessed with, the RAM contents are available for only the logged in user.

Memory Acquisition Procedure

Memory acquisition depends on the operating system of the host system different acquisition module is required for independent operating system. The following procedure explains the procedure of acquiring volatile memory from windows OS:

Pre- Acquisition Process

To acquire volatile memory of windows OS based system, investigator needs to ensure the following measures:

1.Host machine should not be connected to any external network

- Disconnect LAN/WIFI/Bluetooth connections by putting the device in airplane mode

- Ensure the device is unlocked without installing any password bypassing module

2. Remove any external connected devices

3. Host machine should be connected to a stable power source

Windows memory management stores volatile memory in multiple ways, an investigator needs to acquire the following volatile information for proper volatile memory acquisition:

Pagefile.sys

Pagefile is a paging file which windows uses to store virtual memory contents. Pagefile is utilized when windows runs out of physical RAM memory it resorts to storing memory contents on the disk. The file stays hidden and protected.

Hiberfil.sys

Hiberfil.sys is created when windows hibernation is enabled. It stores volatile memory contents when the system needs to enter or has entered hibernation. Hiberfil is available on windows 8 and above with hibernation enabled systems. The file stays hidden and protected.

Swapfile.sys

Swapfile is used to store the idle and non active process data . Whenever user tries to access the idle process, the information is again transferred to RAM. The file stays hidden and protected.

Acquisition Process

To perform acquisition we need to dump the memory contents to file along with other on-disk virtual memory storage files. Tools such as Access Data FTK Imager lite,dumpit ,Lime, etc. comes handy for precise acquisition process.

Things to Watch Out for:

Acquisition module should be executed from an external device

The memory dump should be stored in an external drive

Always hash the acquired data for integrity

Ensure external drive has adequate free space calculating pagefile, hiberfil, swapfile and memory dump.

Steps of Acquisition

1.Mount the external drive consisting the memory acquisition module

2.Execute FTK Imager Lite on the host machine

3. Goto File>Capture Memory and enter the memory capturing module. Enter the destination location where you want to store the memory contents:

Volatile Memory Capture Details

a)FTK helps you to acquire system RAM dump and pagefile.sys

b)AD1 image file contains memory dump and pagefile

c)FTK creates MD5 and SHA 256 checksum hashes and stores acquisition starting & ending time

4. Acquire Hiberfil.sys & Swapfile.sys from the local disk storage

- Use FTK to traverse local system root

- Hiberfil and Swapfile are system files hence direct file transfer won’t work

- Traverse Windows OS drive & locate hiberfil and swapfile

- Create a custom content image AD1 file

Traversing Hiberfil and Swapfile | Add to Custom Content Image

e) Custom content image files are located on the Custom Content Sources pane

Custom Content Image Files

f) Enter the evidence information according to the case description

Evidence Item Information

g) Create Image and store the image file in the destination drive

Image Destination, Fragment Size and Encryption information

1) Use Image fragmentation to avoid glitches while copying image file to legacy file systems

2) Always use encryption to protect the image files

3) Use image filenames in barcode fashion to avoid usage of complicated file names

Image Creation Process

h) Image Verification is necessary to ascertain the integrity of the acquired files

Image Verification Results

Data Extraction

• Post acquisition process, information from the acquired images and system files should be extracted and categorized. Forensic utilities such as Access Data FTK, Encase, Magnet AXIOM helps to decrypt the unstructured memory we acquired .
• The utilities extract and categorize the information automatically, However we would be using open source utility such as volatility framework for specific extraction.

Using Volatility

Volatility — Open Source Memory Forensics helps to extract specific information from the memory dumps. In this example we would be extracting information from the acquired memory.

Step 1 :Imageinfo

Extract the profile information using which volatility would recognize and use the plugins on the memory dump.

Volatility Image profile KDBG — Windows Kernel Debugging Search

Step 2 :Pslist

Identifying the running process by using pslist command:

Command Usage

\Image>volatility.exe -f memdump.mem — profile=Win7SP0x86 pslist(Determined Profile) psslist

Investigator can also output the information in a text file using the following command

\Image>volatility.exe -f memdump.mem — profile=Win7SP0x86 pslist(Determined Profile) psslist >MEMPSSLIST.txt

Volatility — Process List Extraction

Step 3 : Psscan

Listing Hidden or terminated process:

Command Usage:

\Image>volatility.exe -f memdump.mem — profile=Win7SP0x86 pslist(Determined Profile) psscan >MEMPSSCAN.txt

Lists all the hidden or terminated processes

Volatility — Process Scan Result

A cheatsheet is available for list of commands, usage and information using plugin commands: https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf

Observations :

Investigator can extract crucial information related to the following artifacts:

• Process Information
• PE and File Extraction
• Injected Code
• Processes Listings
• Networking Information
• Logs/ Histories
• Kernel Memory and Objects
• Registry
• Password Recovery
• Malware Specific
• GUI Memory

Browsing Sessions and Image caches can be extracted by performing signature based searching

• Browsing Session : Google Search, Search Term : the pirate bay

Google Search Query & URL

• Browsing Session: Domain: thepiratebay, Search Term : bluestacks rooted

Torrent Search Query & URL

TOR Dark Web visited website traces

• Extracted Media : JPG Image File
• - JPEG Image Found with metadata information such as created with Photoshop

• Clipboard Stored Information — Clipboard Drag and Drop Information

Temporary Clipboard Storage : Text Dragged and Dropped

Conclusion

• Volatile memory acquisition is risky yet possess a lot of useful information which can trace back the footprints left behind during an activity
• Memory acquisition procedure requires close examination of the system stability and presence of acquirable evidence
• Windows Memory acquisition procedure can also cause the machine to enter Blue Screen of Death crash . It is always advised for an investigator to cross examine the device for stability
• Memory capturing modules leave minimal footprints and also consume system resources
• Crucial information related to Malware behavior, Dark Web sessions, anti-forensics software usage, passwords, clipboard stored data and social media chat information is obtained from volatile memory acquisition.