How to discover ephemeral evidence with Live RAM analysis.


 Powering off the suspect machine without capturing RAM was standard practice until very recently  Many types of evidence are lost that way ◦ Communications in social networks ◦ Data on running processes ◦ Open network connections ◦ Access to mounted encrypted volumes ◦ Many, many more  1-8 GB of potential evidence!

 Live RAM analysis is essential for discovering important evidence  Capturing RAM should become a standard procedure

 Running processes and services  System information ◦ e.g. time elapsed since last reboot  Information about logged-in users  Registry information  Open network connections  ARP cache  Remnants of instant messenger chats  Communications in social networks  MMORPG game chats

 Recent web browsing activity ◦ including InPrivate mode and similar private-browsing modes  Recent communications via webmail  Information from cloud services  Decryption keys for mounted encrypted volumes  Recently viewed pictures  Running malware and trojans

 Ephemeral nature of the evidence  Memory contents are gone within seconds of power-off  Only the most recent data is present (e.g. the latest Facebook chats)

 Careful assessment of risks vs. potential benefits  Capture a memory dump for off-line analysis  Continue with live box analysis only ◦ if you know why (e.g. the box holds open VPN connections that would be lost) ◦ if you have evaluated the risks  The memory dump is then analyzed on the investigator's PC

Official ACPO guidelines for capturing memory dumps:  Perform a risk assessment of the situation  Insert a capture device (e.g. a USB flash drive)  Run the collection script  Once complete, stop the device  Remove the device  Verify the output on a separate forensic investigation machine ◦ not on the suspect system!  Immediately follow with the standard power-off procedure.

There are certain strict requirements for tools used for acquiring memory dumps:  Kernel-mode operation  Smallest footprint possible  Portability  Read-only access

 What is kernel mode?  Why is it needed? ◦ Some applications proactively protect their memory against user-mode readers (the Karos game below is one example)  What happens if a tool reads memory from user mode? ◦ Zeroes are returned instead of the actual memory ◦ Faked memory contents are returned ◦ The protected application destroys the evidence ◦ The computer is locked or rebooted

 FTK Imager  PMDump  Both run in user mode  Test your current memory dumping tool!

 Karos: a popular multi-user online game

 Made some Karos chats, then created a RAM dump with each tool  FTK Imager: all zeroes  PMDump: no Karos chats found  Belkasoft Live RAM Capturer: all chats found intact
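The Karos test above is a one-off instance of a general self-test for a memory capture tool: plant a known, unique marker in a running process on the target, capture, then scan the dump on the investigator's PC and check whether the tool returned the live pages, returned real data without the marker (the PMDump symptom), or returned mostly zeroes (the FTK Imager symptom). The following is an added example, not code from the slides or from Belkasoft; it assumes nothing about the dump beyond its being a raw image, and the chunked scan carries over len(marker)-1 bytes so a marker that straddles a read boundary is still found exactly once.

```python
import io
import uuid


def make_marker(prefix="KAROS-TEST-"):
    """Build a unique, high-entropy marker to plant on the target.

    On the suspect machine you keep this value resident (type it into the
    application under test, or hold it in a running script) while the capture
    tool runs; the dump is then scanned for it on the investigator's PC.
    """
    return (prefix + uuid.uuid4().hex).encode("ascii")


def scan_dump(dump, marker, chunk_size=1 << 20):
    """Scan a raw memory image for every occurrence of `marker`.

    `dump` is a path or an in-memory bytes object. The image is read in
    chunks; the last len(marker)-1 bytes of each chunk are carried over so a
    marker straddling a chunk boundary is found, and found only once, since
    the carry-over is too short to hold a complete marker by itself.
    Returns (marker_offsets, zero_byte_count, total_bytes).
    """
    keep = len(marker) - 1
    offsets, zeros, total = [], 0, 0
    tail, base = b"", 0              # base = image offset of buf[0]
    src = io.BytesIO(dump) if isinstance(dump, (bytes, bytearray)) else open(dump, "rb")
    with src:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            zeros += chunk.count(0)
            total += len(chunk)
            buf = tail + chunk
            pos = buf.find(marker)
            while pos >= 0:
                offsets.append(base + pos)
                pos = buf.find(marker, pos + 1)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return offsets, zeros, total


def assess_capture(dump, marker, max_zero_fraction=0.9):
    """Classify a capture the way the slide's Karos test does.

    'mostly_zero'    - almost nothing but zeroes came back (the FTK Imager
                       result reported above);
    'marker_missing' - real data came back but the planted marker is absent
                       (the PMDump result);
    'ok'             - the marker is present, so the tool saw the live pages.
    The 90% zero threshold is an assumption; tune it for the machine.
    """
    offsets, zeros, total = scan_dump(dump, marker)
    if total == 0:
        return "empty"
    if zeros / total > max_zero_fraction:
        return "mostly_zero"
    if not offsets:
        return "marker_missing"
    return "ok"


if __name__ == "__main__":
    # Constructed stand-in for a real dump: filler with the marker planted so
    # that a tiny chunk size forces it across a read boundary.
    m = b"KAROS-TEST-0123456789abcdef"
    fake_dump = b"\x41" * 10 + m + b"\x42" * 100
    print(scan_dump(fake_dump, m, chunk_size=16))   # ([10], 0, 137)
    print(assess_capture(fake_dump, m))             # ok
    print(assess_capture(bytes(4096), m))           # mostly_zero
```

Run make_marker() on the target and keep the process alive during capture; afterwards run assess_capture(path_to_dump, marker) on the investigator's machine. A tool that returns "mostly_zero" or "marker_missing" for a marker you know was resident is not seeing physical memory and should not be trusted for evidence.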

 Loading the capturer application itself requires RAM ◦ potentially overwriting evidence or other important data  Thus the smallest possible footprint is desired

 The tool should be able to run from a thumb drive  No installation allowed  No dependence on third-party libraries (they may be missing or modified on the suspect system)

 All data should be written to a removable device  The collected data must fit: do not use an 8 GB pen drive to acquire 8 GB of RAM  No data alterations allowed on the suspect's machine
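Two of the points above, the ACPO step "verify the output on a separate machine" and the requirement that the dump fit on the capture device, are checks that are easy to script. The following is an added example, not code from the slides or from any of the tools named on this page: it compares physical RAM against free space on the device before capture (with a 10% margin, an assumption), and writes a hash manifest next to the dump so the copy can be verified on the investigator's machine. The POSIX RAM lookup and the manifest format are this example's own choices.

```python
import hashlib
import os
import shutil


def physical_ram_bytes():
    """Physical RAM on this POSIX host; a raw dump will be at least this big."""
    return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")


def free_bytes(path):
    """Free space on the filesystem holding `path` (the capture device)."""
    return shutil.disk_usage(path).free


def capacity_ok(ram_bytes, free_bytes_on_device, margin=0.10):
    """True when the device can hold the whole dump plus a safety margin.

    The margin (10%, an assumption) covers filesystem overhead, the manifest
    and any tool log; it is what makes "8 GB of RAM onto an 8 GB stick" fail
    up front instead of producing a silently truncated image.
    """
    return free_bytes_on_device >= int(ram_bytes * (1 + margin))


def sha256_of(src, block_size=1 << 20):
    """SHA-256 of a bytes object, or of a file given by path, hashed in blocks."""
    h = hashlib.sha256()
    if isinstance(src, (bytes, bytearray)):
        h.update(src)
    else:
        with open(src, "rb") as f:
            for block in iter(lambda: f.read(block_size), b""):
                h.update(block)
    return h.hexdigest()


def write_manifest(dump_path, manifest_path):
    """Record the dump's SHA-256, size and name on the capture device."""
    line = "%s  %d  %s\n" % (sha256_of(dump_path), os.path.getsize(dump_path),
                             os.path.basename(dump_path))
    with open(manifest_path, "w") as f:
        f.write(line)
    return line


def verify_manifest(manifest_path, dump_path):
    """Re-hash the dump and compare with the manifest.

    Run this on the investigator's machine, never on the suspect system.
    """
    with open(manifest_path) as f:
        recorded_hash, recorded_size, _ = f.read().split()
    return (os.path.getsize(dump_path) == int(recorded_size)
            and sha256_of(dump_path) == recorded_hash)


if __name__ == "__main__":
    import sys
    device = sys.argv[1] if len(sys.argv) > 1 else "."
    ram, free = physical_ram_bytes(), free_bytes(device)
    print("RAM %d MiB, free on device %d MiB, capture ok: %s"
          % (ram >> 20, free >> 20, capacity_ok(ram, free)))
```

Run the capacity check with the mount point of the capture device as the argument before starting the collection; call write_manifest() on the device right after the capture finishes and verify_manifest() on the forensic workstation before any analysis.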

 A small free utility satisfying all of the forensic requirements above

 Both 32-bit and 64-bit versions available  Tiny: 140 KB (32-bit) and 167 KB (64-bit)  Runs in kernel mode  Portable  Read-only  Successfully passes the "Karos test"

 A technique to capture RAM from another machine ◦ Does not affect the source computer's memory (no capture tool is loaded on it)  Exploits a known security issue ◦ The issue exists in all three main OSes (though patches and mitigations are known)  Based on DMA (direct memory access) over FireWire

 FireWire drivers are not disabled ◦ Mac OS disables them while the OS is locked  A FireWire port exists ◦ or one can be added with special hardware: PCMCIA card, CardBus, ExpressCard  See "memory-attacks-via-firewire-dma-part-1-overview-and-mitigation"

 Recent experiment (FROST)  Attack on an encrypted smartphone's memory  An ordinary freezer is used to slow down the decay of RAM contents  The cooled phone is reset into fastboot mode ◦ then the special FROST software is used  Result: ◦ encryption keys found ◦ RAM contents captured ◦ lock screen keys cracked

 No all-in-one silver bullet so far  Belkasoft Evidence Center ◦ Finds chat, browser, webmail, P2P, MMORPG and social network remnants and many more  Elcomsoft Forensic Disk Decryptor ◦ Extracts decryption keys for encrypted volumes  Passware Kit Forensic ◦ Extracts decryption keys for encrypted volumes ◦ Captures RAM using the FireWire attack
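Several slides above say that decryption keys for mounted volumes are recoverable from RAM (the evidence list, the FROST result, and the two key-extraction products just listed) without saying how a key is told apart from any other 16 or 32 random-looking bytes. The following is an added example, not code from the slides or from Belkasoft, Elcomsoft or Passware: it uses the key-schedule search technique published with the cold boot attack work (Halderman et al., the aeskeyfind tool), which relies on disk encryption software keeping the expanded AES round keys resident next to the key for speed. A candidate is accepted only if the bytes following it are exactly its FIPS-197 key expansion. The dump it scans is constructed inline; real dumps need a compiled scanner, and a key that is not stored with its schedule (or is stored in a different layout) will not be found this way.

```python
import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _make_sbox():
    """Generate the AES S-box (inverse in GF(2^8), then the affine map) rather
    than embedding the 256-entry table."""
    sbox = [0] * 256
    p = q = 1                       # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                  # 0 has no inverse; affine map of 0
    return sbox


SBOX = _make_sbox()


def expand_key(key, nwords=None):
    """FIPS-197 key expansion for a 16-, 24- or 32-byte key.

    Returns the first `nwords` 32-bit words of the schedule (default: the
    whole schedule, 176/208/240 bytes). The scanner asks for one extra word
    first as a cheap filter before doing the full expansion.
    """
    nk = len(key) // 4
    if nwords is None:
        nwords = 4 * (nk + 7)
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, nwords):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]       # RotWord + SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ 0x11B) & 0xFF if rcon & 0x80 else rcon << 1
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]                    # extra SubWord (AES-256)
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return bytes(b for word in w for b in word)


def find_aes_keys(dump, key_sizes=(16, 32)):
    """Return (offset, key_size, key_hex) for every key schedule found in `dump`.

    Any 16 or 32 bytes could be a key; an in-memory key is recognised because
    its expanded round keys sit directly behind it.
    """
    hits = []
    for ksize in key_sizes:
        nk = ksize // 4
        sched_len = 16 * (nk + 7)
        for off in range(len(dump) - sched_len + 1):
            cand = dump[off:off + ksize]
            # cheap filter: only the first derived word
            if expand_key(cand, nk + 1)[ksize:ksize + 4] != dump[off + ksize:off + ksize + 4]:
                continue
            if expand_key(cand) == dump[off:off + sched_len]:
                hits.append((off, ksize, cand.hex()))
    return hits


def constructed_dump(seed=1):
    """Constructed stand-in for a memory image: pseudo-random filler with the
    FIPS-197 AES-128 and AES-256 example keys' schedules planted in it, plus a
    bare copy of the AES-128 key with no schedule (must not be reported)."""
    rng = random.Random(seed)
    filler = bytearray(rng.getrandbits(8) for _ in range(24 * 1024))
    k128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    k256 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                         "1f352c073b6108d72d9810a30914dff4")
    filler[4000:4000 + 176] = expand_key(k128)
    filler[9001:9001 + 240] = expand_key(k256)     # deliberately unaligned
    filler[15000:15016] = k128
    return bytes(filler)


if __name__ == "__main__":
    for off, ksize, key in find_aes_keys(constructed_dump()):
        print("AES-%d key at offset %d: %s" % (ksize * 8, off, key))
```

The scan runs at every byte offset because nothing guarantees alignment of the schedule in memory; on a multi-gigabyte dump that is the part to move to compiled code. The bare key copy at offset 15000 is deliberately not reported, which is the point of checking the schedule rather than entropy alone.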

 Leave me your business card  Come visit us at our booth and leave your address  Write to us at  Attend our FREE webinar at

 A completely FREE, fully featured one-month license for conference attendees!  More info at

 Live RAM Capturer is free; Evidence Center is a commercial product  For all order-related questions please visit  or contact us by sending an e-mail to