Module 5 - Volatile Data Flashcards
- Analyze a memory file from a virtual machine
- Identify current tools associated with examining memory, including a description of the strengths and weaknesses
- Examine the basic operations of Volatility
Types of data that may exist in memory that may not be on hard drive (5):
- encryption keys
- passwords
- malware
- registry
- RAM disk
Memory retention
After the system is rebooted (not shut down), data still resides in memory from the first instance until new values are sent to the register.
Benefits of Memory Collection
- may have data not elsewhere on hard drive
- much data is in unprotected, unencrypted format.
Memory file on disk (list some)
swap files/page files
hibernation files
.vmem files
Memory Capture / Analysis Tools (Name 5)
- WindowScope
- Volatility
- Windows Memory Forensic Toolkit (WMFT)
- Forensic Analysis Toolkit (FATKit)
- Mandiant's Memoryze
Describe Windows Memory Forensic Toolkit (WMFT)
- Collection of utilities intended for forensic use.
- Perform forensic analysis of physical memory images acquired from Windows 2000/2003/XP machines.
Describe Forensic Analysis Toolkit (FATKit)
Cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory
Describe WindowScope
- subsidiary of BlueRISC
- GUI, student versions
- Advanced analysis of running memory and image files
Structure of memory
Program calls
Describe Volatility
- Volatile systems
- Multiple formats/types (Python Scripts, Compiled exe)
- Command Line
- 64 bit versions under development (info dated)
- version 2.0 (info dated)
Name Some Artifacts retrieved with Volatility (7)
Image Identification: Which version of Windows was running
Lists of Processes and Loaded DLLs
Process Memory
Kernel Memory and Related Objects
Network Information, including open connections and sockets
Registry information, including hash dumps
Malware information
Volatility command to obtain connections
volatility.exe -f .vmem connections
python vol.py -f .vmem connections
Output lists each connection along with its Process ID (Pid).
Volatility command to obtain open sockets
volatility.exe -f .vmem --profile=WinXPSP3x86 sockets
python vol.py -f .vmem --profile=WinXPSP3x86 sockets
Volatility commands to obtain hash values of user accounts in memory
volatility.exe -f .vmem hivelist
volatility.exe -f .vmem hashdump -y -s
Describe Memoryze
Created by Mandiant
Works with:
Windows 2000 Service Pack 4 (32-bit)
Windows XP Service Pack 2 and Service Pack 3 (32-bit)
Windows Vista Service Pack 1 and Service Pack 2 (32-bit)
Windows 2003 Service Pack 2 (32-bit)
Windows 2003 Service Pack 2 (64-bit)
Windows 7 Service Pack 0 (32-bit)
Windows 7 Service Pack 0 (64-bit)
*Windows 2008 Service Pack 1 and Service Pack 2 (32-bit) – beta version
Windows 2008 R2 Service Pack 0 (64-bit)