This Wednesday I’m going to give a 20-minute presentation about Live Forensics with a focus on Memory Forensics.
I know it may sound a bit strange, but I’ve heard about Death by PowerPoint so many times that I decided to run it differently: I asked students to read chapter 3 from Harlan Carvey’s book WFA 2e and to read the slides before turning up for the lecture, and then I’ll do a ‘Questions and Answers’ session followed by a demo.
The slides can be found here and this is the list of ideas for the conversation:
- When? 2005, DFRWS (Digital Forensics Research Workshop)
- Why? Passwords/encryption keys, hidden stuff by rootkits, encrypted/obfuscated malware
- What’s the order of live forensics? Why is imaging memory the first step? What was Locard’s Exchange Principle about, again?
- Halt a process/system when imaging?
- Other copies of memory? Hibernation, crash dump, swap space.
- What is virtual memory?
- What is the default size of a page in memory? 4KB (4096 bytes)
- What’s wrong with \Device\PhysicalMemory? When did it happen?
- Are there any other methods?
- The 4GB limit on how much RAM can be collected?
- Some tools may skip the page file. What does that mean? Why? The ‘-page’ switch.
- F-Response, completely different approach. Why?
- Hardware ways of dumping memory? What does PCI stand for? Payment Card Industry? NOT!
- What about cloud computing?
- How to generate a crash dump? What happens behind the scenes? What’s the size limit? What are the two requirements? What are the concerns?
- Is RAM wiped at boot?
- Digital Corpora Project. http://digitalcorpora.org/
- Offensive Computing, over 3 million malware samples. http://www.offensivecomputing.net/
By the way, can anyone tell me what ‘PFN Mapping’ in Win32dd does?
Update (05 Nov 2011): Firstly, a demo of using Cryptoscan v2.0 is now available on YouTube. Secondly, I've received an answer to the question above (thanks to Andrew Case): supposedly, this technique doesn't rely on the Windows API and hence the memory footprint is smaller. Andrew also explained that PFN Mapping "enumerates all the physical pages of RAM (non-hardware addresses) and then reads and writes them out directly."
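To make the PFN-mapping description concrete, here is an added toy model (example code written for this post, not Win32dd’s or Andrew Case’s code): a constructed 64 KB physical address space with two RAM runs and a device-mapped hole between them, walked frame by frame so that only RAM pages end up in the dump, plus a run table for translating physical addresses back into dump offsets. The run layout and run-table format are assumptions made for the example.

```python
PAGE_SIZE = 4096  # the default page size quoted in the post

# Constructed toy physical address space: 16 page frames (64 KB). Frames 8-11
# stand in for a device-mapped (hardware) hole; only the two runs are real RAM.
RAM_RUNS = [(0x0000, 8 * PAGE_SIZE), (0xC000, 4 * PAGE_SIZE)]  # (phys_start, length)


def make_physical_space() -> bytearray:
    """Fill each RAM frame with a recognisable pattern (its PFN as a byte);
    the hole is left as 0xFF, as a device range might read back."""
    space = bytearray(b"\xff" * (16 * PAGE_SIZE))
    for start, length in RAM_RUNS:
        for pfn in range(start // PAGE_SIZE, (start + length) // PAGE_SIZE):
            space[pfn * PAGE_SIZE:(pfn + 1) * PAGE_SIZE] = bytes([pfn]) * PAGE_SIZE
    return space


def acquire_by_pfn(space: bytes, ram_runs) -> tuple[bytes, list]:
    """Enumerate the page frame numbers that belong to RAM, read each frame
    directly and write it out; frames inside the hole are never touched.
    Returns the dump and a run table [(phys_start, dump_offset, length)]
    so physical addresses can be mapped back to offsets in the dump."""
    dump = bytearray()
    run_table = []
    for start, length in sorted(ram_runs):
        run_table.append((start, len(dump), length))
        for pfn in range(start // PAGE_SIZE, (start + length) // PAGE_SIZE):
            dump += space[pfn * PAGE_SIZE:(pfn + 1) * PAGE_SIZE]
    return bytes(dump), run_table


def phys_to_dump_offset(run_table, phys_addr: int):
    """Translate a physical address to its offset in the dump, or None when
    the address lies in a hole (hardware range) that was not acquired."""
    for start, dump_off, length in run_table:
        if start <= phys_addr < start + length:
            return dump_off + (phys_addr - start)
    return None


if __name__ == "__main__":
    dump, runs = acquire_by_pfn(make_physical_space(), RAM_RUNS)
    print(len(dump), runs, phys_to_dump_offset(runs, 0xC010))
```

The dump is 48 KB rather than 64 KB because the hole is skipped, which is why a raw dump of this kind needs its run table (or padding) before physical addresses can be located in it.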