Basics Of Memory Forensics

What is Volatile Memory?

Volatile Memory is the memory used by the system or OS during the time the device is powered on. To put it simply, the data stored in RAM(Random Access Memory) can be called as volatile memory. It is also called the primary memory.

So, why do we need to analyze memory?

For this, I need you to focus on what a malware or a ransomware is. Well, its nothing but an unwanted, dangerous, unidentified process running in the system.

You can even call it a virus.

These viruses are only active when the device is switched on. So, these viruses always have a specific target from which they exploit data.

So, Let us look at an example of a virus called Stuxnet.

Stuxnet was a virus which was found lurking in the systems which controlled nuclear centrifuges in Iran. Stuxnet had a stolen yet officially authorised digital signature which acted as a very good camouflage. Stuxnet made the windows systems constantly reboot or lead them to Blue Screen of Death. Stuxnet could easily affect any computer which was linked to the network. It was really difficult for security experts to trace it. It severely affected the SCADA systems which were employed in maintaining the rotation speed of the centrifuges.

The special thing about this virus was that “It remained dormant” until it’s specific target was active.

So what does it tell us about this strange behaviour of Stuxnet?

We cannot detect it until and unless the device was switched on and all the processes were running. So this is the importance of analyzing volatile memory. You can always expect to find suspicious processes in it.

So How do we do that?

Simple. Dump the memory.

Well, how?

To dump your RAM, there are tools like FTK Imager, DumpIt etc., when we consider a windows system.

For Linux, there’s a command line tool called LiMe.

There are many online videos on how to dump memory for Linux systems. Talking about windows, the procedure is very easy and can be understood easily.

Follow me in the next blog on Volatility Framework to know the basic commands to analyze memory.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Powered by WordPress.com.

Up ↑

Create your website at WordPress.com
Get started