Monday 31 October 2011

Memory Forensics: Presentation

This Wednesday I’m going to give a 20 minutes presentation about Live Forensics with a focus on Memory Forensics.

I know it may sound a bit strange but I’ve heard about Death by PowerPoint so many times that I decided to run it differently: I asked students to read a chapter 3 from Harlan Carvey’s book WFA 2e and to read the slides before turning up for the lecture, and then I’ll do a ‘Questions and Answers’ session followed by a demo.

The slides can be found here and this is the list of ideas for the conversation:
  • When? 2005, DFRWS (digital forensics research workshop)
  • Why? Passwords/encryption keys, hidden stuff by rootkits, encrypted/obfuscated malware
  • What’s the order of live forensics? Why is imaging memory the first? What was the Locard’s Exchange Principle about, again?
  • Halt a process/system when imaging?
  • Other copies of memory? Hibernation, crash dump, swap space.
  • What is virtual memory?
  • What is the default size of a page in memory? 4KB (4096 bytes)
  • What’s wrong with \Device\PhysicalMemory? When did it happen?
  • Are there any other methods?
  • The limit of collecting up to 4GB of RAM?
  • Some tools may skip the page file. What it means? Why? The switch ‘-page’.
  • F-Response, completely different approach. Why?
  • Hardware ways of dumping memory? What does PCI stand for? Payment Card Industry? NOT!
  • What about cloud computing?
  • How to generate a crash dump? What happens behind the scenes? What’s the size limit? What are the two requirements? What are the concerns?
  • Is RAM wiped at boot?
  • Digital Corpora Project. http://digitalcorpora.org/
  • Offensive Computing, over 3mln malware samples. http://www.offensivecomputing.net/

By the way, can anyone tell me what does ‘PFN Mapping’ in Win32dd do?



Update (05 Nov 2011): Firstly, a demo of using Cryptoscan v2.0 is now available on YouTube. Secondly, I've received an answer to the question above (thanks to Andrew Case): supposedly, this technique doesn't rely on Windows API and hence, the memory footprint is smaller. Andrew also explained that PFN Mapping "enumerates all the physical pages of RAM (non-hardware addresses) and then reads and writes them out directly."

No comments:

Post a Comment