7 - Memory Analysis

Question 1

Memory forensics

Answer 1

Dump and Analyze the RAM

Question 2

Volatility framework

Answer 2

List processes, API hooks

Question 3

Approaches to memory reconstruction

Answer 3

Tree and list traversal

Object fingerprint/pattern searches

Question 4

Tree and list traversal

Answer 4

Find index into lists and tables of interesting structure and follow them through to reconstruct the data
Can stitch together more related records
Can miss unlinked, dead structures

Question 5

Fingerprint/pattern searches

Answer 5

Search for relevant patterns in memory
Finds unlinked, dead structures and can work with imperfect dumps
Less context and susceptible to rubbish

Question 6

Acquisition of volatile memory - what you want to have

Answer 6

High atomicity(how close to present memory) and availability

Question 7

Software acquisition - User level application

Answer 7

Based on user-level applications for memory dumping
Good for incident scenarios and capturing forensic image even in situations with little time
Work on specific operating systems, applications must be loaded into memory before execution

Question 8

Software acquisition - Kernel

Answer 8

Leverage a kernel driver to access physical memory without restrictions
This causes changes in the system state

Question 9

Software acquisition - software crash dumps

Answer 9

Dump files on windows in case of machine failure. Could be invasive if explicitly triggered

Question 10

Software acquisition - warm boot

Answer 10

Refers to reboot methods in which power is never removed from the memory module

Question 11

Software acquisition - cold boot

Answer 11

Refers to reboot methods in which power is removed from the memory module

Question 12

Hardware acquisition - dedicated hardware

Answer 12

Use of special hardware card to obtain forensic image of computers ram. The limitation is the prior installation of PCI card before its use