Week 4 Technical Flashcards

1
Q

What is the significance of memory in cyber forensics?

A

Memory is crucial as it can store active data including running processes, network connections, and clear text passwords. It becomes a critical focus for investigating because once the system is powered down, volatile memory data is lost.

2
Q

What is virtual memory and its forensic significance?

A

Virtual memory extends available memory using hard drive space to manage multiple processes. Forensically, it’s significant because it can contain evidence of process activities and system states not currently loaded into physical memory.

3
Q

How does hibernation affect forensic memory analysis?

A

When a computer hibernates, it dumps a copy of its physical memory to the hiberfil.sys file, preserving the memory state. This file can provide a historical snapshot of system memory and remains on disk even after the system resumes.

4
Q

What is the pagefile and its role in memory forensics?

A

The pagefile (pagefile.sys) acts as overflow storage for memory that has been swapped out from RAM. It’s not a structured memory dump but can contain fragments of valuable data relevant to forensic investigations.

5
Q

How is memory acquired in a digital forensics context?

A

Memory acquisition involves capturing the contents of volatile RAM with tools like FTK Imager or Redline. It’s important to minimize alteration of memory during this process to maintain the integrity of the evidence.

6
Q

What are the challenges of acquiring memory in digital forensics?

A

Acquiring memory can alter its contents, so it’s critical to document the process meticulously and use methods that minimize changes to defend the data’s admissibility in court.

7
Q

What indicators might suggest a process is malicious?

A

Indicators include unusual parent-child process relationships, processes starting from incorrect locations, misspellings of legitimate process names, and anomalies in process creation times relative to known attack timelines.

8
Q

How do you look for suspicious network activity?

A

Processes
* What processes are communicating? Should those processes even have network connections? E.g. if you see Notepad.exe with an active connection, that might seem a little odd. System processes that have no network component would be of interest.

Ports
* Are there any listening ports on the system? This is where it pays to know the environment, and know what is normal and what is not. Are there any legitimate applications in the environment that operate on those listening ports?

Connections
* Modern malware tends to use outbound connections over low ports (e.g. 80, 443) rather than inbound connections on high ports, to hide its activity at the network proxies. This can be advantageous to us, though. For instance, if you see a system process communicating over port 80, that would seem very strange and warrant investigation.

Connection Time
* Once again, timelining can be useful here. If you have an infection time or know that the system was beaconing during specific times, you can use this to look at connection times.

External IP Addresses
* Look at the external IP addresses that processes have connected to. Does your host have any reason to be connecting to that host in Moldova? By googling IPs you may quickly find that they have previously been blacklisted for malicious activity, or determine their legitimacy.

Internal IP Addresses
* Connections to local network IP addresses might also be of interest, particularly if you have connections to an already confirmed compromised host. Alternatively, you may also use this to determine the scope of any lateral movement.
