
How to discover ephemeral evidence with Live RAM analysis.

Presentation on theme: "How to discover ephemeral evidence with Live RAM analysis."— Presentation transcript:

1 How to discover ephemeral evidence with Live RAM analysis

2
- Standard practice until very recently
- Many types of evidence lost:
  - Communications in social networks
  - Data on running processes
  - Open network connections
  - Access to encrypted volumes
  - Many, many more
- 1-8 GB of potential evidence!

3
- Essential for discovering important evidence
- Should become a standard procedure

4
- Running processes and services
- System information
  - e.g. time elapsed since last reboot
- Information about logged-in users
- Registry information
- Open network connections
- ARP cache
- Remnants of Instant Messenger chats
- Communications in social networks
- MMORPG game chats

5
- Recent Web browsing activities
  - including InPrivate modes and similar
- Recent communications via webmail
- Information from cloud services
- Decryption keys for encrypted volumes
- Recently viewed pictures
- Running malware and trojans
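The evidence types listed on slides 4 and 5 (webmail sessions, chats, browsing remnants) are typically recovered from a memory image by extracting printable strings and matching artifact patterns against them. The following script is an added example written for this transcript, not code from the slides or from any Belkasoft product; the dump it scans is a constructed byte string, and the URL and e-mail patterns are deliberately simple illustrations rather than a complete artifact catalogue. It searches both plain ASCII strings and UTF-16LE strings, since Windows applications commonly hold text in memory as UTF-16, and reports the byte offset of every hit so a finding can be located again in the image.

```python
import re

# Minimum run length for a candidate string, in the spirit of `strings -n 6`.
MIN_RUN = 6
# A run of printable ASCII bytes, and a run of printable ASCII code units in UTF-16LE
# (each character byte followed by a zero byte).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_RUN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_RUN)

# Artifact patterns applied to each decoded string (hypothetical, intentionally minimal).
ARTIFACTS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def carve_artifacts(dump: bytes):
    """Return (offset, encoding, kind, value) for every artifact found in the image.

    The offset is the byte offset of the artifact inside `dump`; for UTF-16LE
    strings each character occupies two bytes, hence the width multiplier.
    """
    hits = []
    for run_re, enc, width in ((ASCII_RUN, "ascii", 1), (UTF16_RUN, "utf-16le", 2)):
        for run in run_re.finditer(dump):
            text = run.group().decode(enc)
            for kind, pattern in ARTIFACTS.items():
                for m in pattern.finditer(text):
                    hits.append((run.start() + m.start() * width, enc, kind, m.group()))
    hits.sort()
    return hits


# Constructed stand-in for a memory image: zero padding, an ASCII HTTP request line,
# filler bytes, and a UTF-16LE chat fragment such as a GUI client would hold in memory.
SAMPLE_DUMP = (
    bytes(64)
    + b"GET https://webmail.example.test/inbox?id=42 HTTP/1.1\r\n"
    + b"\xff" * 32
    + "chat to: alice@example.test".encode("utf-16le")
    + bytes(64)
)

if __name__ == "__main__":
    for offset, enc, kind, value in carve_artifacts(SAMPLE_DUMP):
        print(f"0x{offset:08x}  {enc:<9} {kind:<6} {value}")
```

On a real image, pass the file contents (or a memory-mapped view of it) instead of `SAMPLE_DUMP`; the string-run approach keeps offsets exact, which is what a report needs when a finding has to be reproduced.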

6
- Ephemeral nature of evidence
- Memory is gone in seconds
- Only the most recent data (e.g. Facebook chats)

7
- Careful assessment of risk vs. potential benefits
- Capturing a memory dump for off-line analysis
- Continuing with live box analysis
  - If you know why (e.g. secure VPN connections)
  - If you have evaluated the risks
- The memory dump is then analyzed on the investigator's PC

8 Official ACPO Guidelines for capturing memory dumps:
- Perform a risk assessment of the situation
- Install a capture device (e.g. USB flash drive)
- Run the collection script
- Once complete, stop the device
- Remove the device
- Verify the output on a separate forensic investigation machine
  - not the suspect system!
- Immediately follow with the standard power-off procedure

9 There are certain strict requirements for tools used for acquiring memory dumps:
- Kernel-mode operation
- Smallest footprint possible
- Portability
- Read-only access

10
- What is kernel mode?
- Why is that needed?
  - Proactive RAM protection
- What if a tool uses user mode?
  - Zeroes instead of actual memory
  - Faked memory
  - Destroying evidence
  - Locking or rebooting the computer

11
- FTK Imager
- PMDump
- Both run in user mode
- Test your current memory dumping tool!

12
- Karos: popular multi-user online game

13
- Made some Karos chats, created a RAM dump
- FTK Imager: all zeroes
- PMDump: no Karos chats found
- Belkasoft Live RAM Capturer: all chats perfectly found
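Slides 10 to 13 describe the two failure modes of a user-mode acquisition tool, a dump full of zeroes and a dump that simply lacks the known content, and propose the "Karos test" (type a known phrase into a running application, acquire, then look for it) as the way to validate a tool. The script below is an added example for this transcript, not code from the slides or from any Belkasoft tool; it assumes the examiner knows the exact phrase typed during the test, and the three "dumps" it judges are constructed byte strings. It measures the share of zero-filled 4 KiB pages and searches for the test phrase in both ASCII and UTF-16LE, then gives a verdict a tool-validation log can record.

```python
PAGE_SIZE = 4096  # assumed page granularity for the zero-page statistic


def zero_page_ratio(dump: bytes, page_size: int = PAGE_SIZE) -> float:
    """Fraction of page-sized blocks in the image that consist entirely of zero bytes."""
    offsets = range(0, len(dump), page_size)
    if not offsets:
        return 0.0
    zero_pages = 0
    for off in offsets:
        page = dump[off:off + page_size]
        if page.count(0) == len(page):
            zero_pages += 1
    return zero_pages / len(offsets)


def find_marker(dump: bytes, marker: str):
    """Every offset where the test phrase appears, as ASCII or as UTF-16LE (typical for Windows GUI apps)."""
    hits = []
    for enc in ("ascii", "utf-16le"):
        needle = marker.encode(enc)
        pos = dump.find(needle)
        while pos != -1:
            hits.append((pos, enc))
            pos = dump.find(needle, pos + 1)
    return sorted(hits)


def assess_dump(dump: bytes, marker: str, zero_threshold: float = 0.98) -> dict:
    """Verdict for one acquisition: 'zeroed', 'marker-missing' or 'pass'.

    A real image normally contains a fair number of zero pages (free memory), so the
    threshold is set high: it is meant to catch the all-zeroes result, not ordinary
    free memory. The threshold value is an assumption, not a figure from the slides.
    """
    ratio = zero_page_ratio(dump)
    hits = find_marker(dump, marker)
    if ratio >= zero_threshold:
        verdict = "zeroed"
    elif not hits:
        verdict = "marker-missing"
    else:
        verdict = "pass"
    return {"verdict": verdict, "zero_page_ratio": ratio, "hits": hits}


# Constructed stand-ins for three acquisitions of the same test session.
TEST_PHRASE = "meet at the gate"
ZEROED_DUMP = bytes(8 * PAGE_SIZE)                       # tool returned nothing but zeroes
EMPTY_DUMP = b"\x5a" * PAGE_SIZE + bytes(3 * PAGE_SIZE)  # real-looking data, phrase absent
GOOD_DUMP = (
    bytes(PAGE_SIZE)
    + b"\xcc" * 100
    + "[Karos] alice: meet at the gate".encode("utf-16le")
    + bytes(PAGE_SIZE)
)

if __name__ == "__main__":
    for name, dump in (("zeroed", ZEROED_DUMP), ("empty", EMPTY_DUMP), ("good", GOOD_DUMP)):
        print(name, assess_dump(dump, TEST_PHRASE))
```

Run it against the file produced by each candidate tool on a known test session; a "zeroed" verdict is the signature of the user-mode behaviour the slides describe, and "marker-missing" means the tool ran but did not return the memory that held the chat.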

14
- Loading the capturer application requires RAM memory
  - Potentially overwriting evidence or important data
- Thus, the smallest footprint is desired

15
- Tool should be able to run from a thumb drive
- No installation allowed
- No reliance on third-party libraries

16
- All data should be stored to a removable device
- Collected data must fit: no using 8 GB pen drives for acquiring 8 GB of RAM
- No data alterations allowed on the suspect's machine
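Two of the ACPO steps on slide 8 and the capacity rule on slide 16 lend themselves to a small checklist script: confirm before acquisition that the capture media can hold the full image, record a hash beside the dump at capture time, and recompute that hash on the forensic workstation rather than on the suspect system. This is an added example written for this transcript, not a script from the slides or from Belkasoft; the 64 MiB overhead allowance and the `.sha256` sidecar format are assumptions, and the "dump" it verifies is a constructed file in a temporary directory. Note that the capacity check also covers the slide's 8 GB on 8 GB point: a drive sold as 8 GB is typically 8 × 10^9 bytes, which is already smaller than 8 GiB of RAM before any overhead.

```python
import hashlib
import os
import tempfile

GiB = 1 << 30


def media_is_sufficient(ram_bytes: int, free_bytes: int, overhead_bytes: int = 64 * 1024 * 1024) -> bool:
    """True if the capture media can hold the whole image plus sidecar files (overhead is an assumed allowance)."""
    return free_bytes >= ram_bytes + overhead_bytes


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-gigabyte images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_acquisition(dump_path: str):
    """Run on the capture media right after acquisition: store size and SHA-256 next to the dump."""
    digest = sha256_of_file(dump_path)
    size = os.path.getsize(dump_path)
    with open(dump_path + ".sha256", "w") as f:
        f.write(f"{digest}  {size}\n")
    return digest, size


def verify_dump(dump_path: str) -> dict:
    """Run on the forensic workstation: recompute size and hash and compare with the recorded values."""
    with open(dump_path + ".sha256") as f:
        recorded_digest, recorded_size = f.read().split()
    return {
        "size_ok": os.path.getsize(dump_path) == int(recorded_size),
        "hash_ok": sha256_of_file(dump_path) == recorded_digest,
    }


def demo() -> dict:
    """Exercise the checks on constructed inputs and return every result for inspection."""
    results = {
        # 8 GiB of RAM onto a nominal 8 GB stick (decimal): does not fit.
        "eight_on_eight": media_is_sufficient(8 * GiB, 8 * 10**9),
        # 4 GiB of RAM onto a nominal 16 GB stick: fits.
        "four_on_sixteen": media_is_sufficient(4 * GiB, 16 * 10**9),
    }
    with tempfile.TemporaryDirectory() as tmp:
        dump = os.path.join(tmp, "ram.dmp")
        with open(dump, "wb") as f:  # constructed stand-in for an acquired image
            f.write(bytes(4096) + b"constructed sample memory image" + b"\xcc" * 4096)
        record_acquisition(dump)
        results["intact"] = verify_dump(dump)
        with open(dump, "r+b") as f:  # simulate a single byte changing after acquisition
            f.seek(4096)
            f.write(b"X")
        results["tampered"] = verify_dump(dump)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In practice `record_acquisition` would be called by the collection script on the capture media, and `verify_dump` on the investigator's machine, so that the hash comparison never touches the suspect system.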

17
- Small free utility satisfying all forensic requirements
- http://forensic.belkasoft.com/en/ram-capturer

18
- Both 32- and 64-bit versions available
- Tiny: 140 KB (32-bit) and 167 KB (64-bit)
- Runs in kernel mode
- Portable
- Read-only
- Successfully passes the "Karos test"

19
- Technique to capture RAM from another machine
  - Does not affect source computer memory
- Exploits a known security issue
  - Issue exists in all three main OSes (though patches are known)
- Based on DMA (direct memory access)

20
- FireWire drivers are not disabled
  - Mac OS disables them when the OS is locked
- FireWire port exists
- Or special hardware inserted
  - PCMCIA card
  - CardBus
  - ExpressCard
- See http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation

21
- Recent experiment
- Attack on encrypted smartphone memory
- Use an ordinary freezer to slow down RAM leak
- Cooled phone is reset in fastboot mode
  - Then special FROST software used
- Result:
  - encryption keys found
  - RAM memory captured
  - lock screen keys cracked

22
- No all-in-one silver bullet so far
- Belkasoft Evidence Center
  - Finds chats, browsers, webmails, P2P, MMORPG, social network remnants and many more
- Elcomsoft Forensic Disk Decryptor
  - Extracts decryption keys for encrypted volumes
- Passware Kit Forensic
  - Extracts decryption keys for encrypted volumes
  - Captures RAM using the FireWire attack

23

24
- Leave me your business card
- Come visit us at our booth and leave your email address
- Also: write to us at contact@belkasoft.com
- Attend our FREE webinar at http://belkasoft.com

25
- Completely FREE fully featured one-month license for conference attendees!
- More info at http://belkasoft.com/trial

26
- Live RAM Capturer is free, Evidence Center is a commercial product
- For all order-related questions please visit www.belkasoft.com
- or contact us by sending an email to contact@belkasoft.com

27
