What is Memory Forensics?
To put it simply, Memory Forensics is the analysis of the volatile and non-volatile data of a compromised computer. It begins with acquiring that data from the machine. Volatile memory is the memory the system or OS uses while the device is powered on; put simply, the data held in RAM (Random Access Memory) can be called volatile memory. This includes web browsing activity, encryption keys, network connections and injected code fragments.
Non-volatile memory is the data stored on the computer's hard drive.
Before 2008, forensic analysts relied primarily on non-volatile data, both for recovering data and for detecting a malware's activity.
These days, volatile memory analysis has become very important. So important that much malware, Stuxnet among it, was discovered in the volatile memory dumps of compromised systems.
What is a memory dump?
A memory dump is a snapshot of the running state of a system: a capture of everything that was running inside it at that moment. This includes processes, loaded modules, open pictures, password hashes and even text typed in the terminal. Such dumps can be of crucial importance because they help us detect what the attacker did to the system.
So how do we dump memory of a system?
Simple. On a Windows system, tools such as FTK Imager and DumpIt can dump your RAM. The most commonly used tool is DumpIt. It is very easy to use: it has a command line interface, and when you press "y" it writes the memory dump into the very folder where the DumpIt application is located.
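Once the dump exists, an analyst wants evidence that the image has not changed between the compromised host and the analysis workstation. The following Python script is an added example, not code from the original page or from the DumpIt tool: it hashes a dump in streaming fashion (so a multi-gigabyte image is never loaded whole), writes an acquisition manifest beside it, and re-verifies the image later. The `demo()` function, the manifest field names and the `.manifest.json` naming are assumptions made here; `demo()` runs the flow against a constructed random-byte file standing in for a real dump.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a multi-gigabyte dump is never fully loaded


def sha256_file(path):
    """Stream the image through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(dump_path, tool="DumpIt", operator="unknown"):
    """Record size, hash, time, tool and operator in <dump>.manifest.json beside the image."""
    manifest = {
        "dump_file": os.path.basename(dump_path),
        "size_bytes": os.path.getsize(dump_path),
        "sha256": sha256_file(dump_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "tool": tool,
        "operator": operator,
    }
    with open(dump_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_dump(dump_path):
    """Re-hash the image; False means it no longer matches what was recorded at acquisition."""
    with open(dump_path + ".manifest.json") as f:
        recorded = json.load(f)
    return (recorded["size_bytes"] == os.path.getsize(dump_path)
            and recorded["sha256"] == sha256_file(dump_path))


def demo():
    """Exercise the flow on a constructed stand-in dump (random bytes, not a real image)."""
    dump = os.path.join(tempfile.mkdtemp(), "constructed-memory.raw")
    data = os.urandom(2 * CHUNK + 123)  # constructed: long enough to span several chunks
    with open(dump, "wb") as f:
        f.write(data)
    manifest = write_manifest(dump, operator="analyst")
    intact = verify_dump(dump)
    with open(dump, "ab") as f:  # simulate the image being modified after acquisition
        f.write(b"\x00")
    return {"hash_matches": manifest["sha256"] == hashlib.sha256(data).hexdigest(),
            "intact_before_change": intact, "detected_after_change": not verify_dump(dump)}
```

In practice the manifest is written on the acquisition machine right after DumpIt finishes, and `verify_dump` is run again on the analysis workstation before any tool touches the image.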