Live (powered-on) systems are sometimes encountered during an investigation, and the volatile data held in the computer’s memory could contain important evidence. If the computer is powered off, the volatile data is lost. The volatile data could contain crucial information, such as encryption keys, passwords, network connections, recent commands, and malware infections. If parts of the hard drive (or single files/folders) have recently been encrypted/decrypted, the keys/passwords could be located in the volatile data. Overall system usage leaves significant traces in the computer’s memory.
Capturing the volatile data
There is a tremendous amount of software which can be used to capture the volatile data. Two of my personal favourites are FTK Imager Lite and Magnet RAM Capture. FTK Imager Lite is a standalone executable which can be run from a USB drive, for example. This is preferred, as unnecessary installations on the targeted system further contaminate the evidence. The memory dump should also be written to an external device with enough storage: if the computer has 16GB of RAM, the memory dump will be the same size.
The image above demonstrates how FTK Imager Lite is used to capture the computer’s memory. The output is set to an external hard drive. The targeted system is Windows 10 with 4GB RAM.
Analysing the RAM dump
There are a number of tools for analysing the RAM dump. Two personal favourites are Volatility and Rekall. In this article, Volatility will be used. However, there are also a few ways to search through the memory dump manually.
strings is an excellent tool for extracting all human-readable strings from a file. It can be used on a variety of file types, such as .img and .jpeg, and it works just as well on the memory dump, as shown in the image above. It can be combined with grep and regex to extract, for example, e-mail addresses. If the investigator is looking for a known/specific pattern, strings combined with regex is an excellent method.
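The strings-plus-regex search described above, as an added example that is not part of the original article: a minimal re-implementation of `strings -n 4` (printable ASCII runs) and `strings -el` (UTF-16LE runs, the encoding Windows keeps most of its in-memory text in) applied to a constructed byte buffer standing in for a memory dump, then an e-mail regex over the extracted strings. The sample bytes, the minimum length of 4 and the e-mail pattern are assumptions for the demonstration; on a real dump the same logic applies to the file contents.

```python
import re

# Constructed sample "memory dump": binary noise with a few embedded strings,
# some ASCII and some UTF-16LE. Not a real capture.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"contact alice@example.com for access\x00"
    + b"\xff\xfe\x00garbage\x00\x00"
    + "bob.smith@corp.example".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x00\x00\x00not-an-email@\x00"
    + b"C:\\Users\\alice\\Desktop\\notes.txt\x00"
)

# Simple e-mail pattern, same idea as `strings dump | grep -Eo '<pattern>'`
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings -n <min_len>`: runs of printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def extract_utf16le_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings -el`: printable ASCII chars each followed by a NUL byte,
    which is how Windows stores its UTF-16LE text for the Latin range."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def find_emails(data: bytes) -> list[str]:
    """Run the e-mail regex over every extracted string (both encodings)."""
    found = set()
    for s in extract_ascii_strings(data) + extract_utf16le_strings(data):
        found.update(EMAIL_RE.findall(s))
    return sorted(found)


if __name__ == "__main__":
    for s in extract_ascii_strings(SAMPLE_DUMP):
        print("ascii  :", s)
    for s in extract_utf16le_strings(SAMPLE_DUMP):
        print("utf16le:", s)
    print("e-mails:", find_emails(SAMPLE_DUMP))
```

Searching only the ASCII strings would miss the second address entirely, which is why both `strings` and `strings -el` (or an equivalent two-pass search) should be run against Windows memory captures.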
volatility requires a profile matching the target’s Windows version for it to work as intended. If the investigator does not remember which version of Windows 10 it is, imageinfo can be used to query a suggested profile. However, this can be inaccurate in some cases. The Windows version can instead be recorded while conducting the memory capture: in Windows, open Run with WIN + R and type winver. This will reveal the current Windows build.
netscan shows the active connections on the targeted system. This type of information would be significantly harder to obtain without the memory dump, as it would otherwise be scattered across a variety of files. If an attacker had an active reverse shell on the system, it would in most cases be detected using this method. There are of course exceptions, such as rootkits. Malware could potentially also be detected using the malfind option in volatility. Overall, the listed connections could be used as evidence that the targeted system had a connection to a specific server or client.
cmdline displays the command-line arguments of each process. This can be useful for mapping the user activity on the system.
Volatility has many other features as well, as shown in the image above. The framework is capable of, for example, dumping TrueCrypt keys and passphrases, listing the process tree, and viewing the system’s shutdown time.
Volatility is a tremendously large framework with many useful query options. Volatile data is valuable and, in many cases, irreplaceable. Among the many features volatility has to offer are viewing network connections, detecting malware, viewing the process tree, and listing previous command-line arguments. If possible, a memory capture should always be conducted before powering off the system. Moreover, if the targeted system is using Full Disk Encryption (FDE) (or similar encryption methods), powering off the system might prevent the investigators from re-entering the file system. Capturing volatile data is therefore a crucial step.