
RAM Forensics

Capturing RAM
• HELIX
• WIN32DD
• FTK Imager 2.7.0
Win32dd.exe
• Light client
• Included on the Helix CD in the IR folder
• Can be downloaded and placed on a USB drive or a CD.
• Creates a standard DD memory dump.
Win32dd.exe
• Standard dump syntax
• Syntax to dump local memory to an attached F drive:
• Win32dd /d /f F:\memdump
Volatility – It's Free
• Download and install Volatility and Python 2.6
• Python is a scripting language, and Volatility is written in and run through that scripting language.
• Make sure you put a copy of the Python executable in the Volatility directory; it will make the command line a lot easier.
Let's get started
• Install Python 2.6 from the class DVD
• Install Volatility 1.3 Beta from the class DVD
• Place the file memdump at the root of C:
• Create a folder at the root of C: called "evidence"
• Place a copy of Python in the Volatility directory
What can Volatility do for you
• Open connections
• Dump addressed memory
• List running processes
• List open files
• Much much more
• Let’s take a look at the default commands.
Let's get started
• Move to the Volatility directory
• "cd C:\volatility-1.3_Beta"
• Type "python volatility"
VOLATILITY COMMANDS
Volatility command line
• The syntax to run a command is listed below; by default the output is printed to the screen.
• python volatility (command) -f (path to image)
• python volatility datetime -f C:\memdump
• We can also redirect the output to txt files.
• python volatility datetime -f C:\memdump > C:\evidence\datetime.txt
datetime
• python volatility datetime -f C:\memdump
• Now let's create a text file
• python volatility datetime -f C:\memdump > C:\evidence\datetime.txt
pslist
• pslist, or process list, is going to give us the reference numbers we need through the rest of the examination.
• PID – Process ID
• PPID – Parent process ID
Run pslist
• python volatility pslist -f C:\memdump
• Run it and direct it to a text file
• python volatility pslist -f C:\memdump > C:\evidence\pslist.txt
sockscan
• This is going to list open connections by PID (Process ID)
• python volatility sockscan -f C:\memdump
• Dump it to a file
• python volatility sockscan -f C:\memdump > C:\evidence\sockscan.txt
connscan
• This will give you a list of open connections and IP addresses
• python volatility connscan -f C:\memdump
Other useful commands to try on your own
• files, will dump a list of open files.
• dlllist, will print the loaded DLL files.
• ident, will print the image information.

VAD Dump
• We're going to dump the address space for every process into a RAW file that we can then search.
• This will take up about the same amount of space as your image.
• The syntax is a bit different for the output:
• python volatility vaddump -f C:\memdump -d C:\evidence\
Virus
• Windows Defender loads some virus signatures into RAM, and Windows Defender is actually hitting on its own virus signatures that we just carved out of RAM.
• I sent Microsoft the list and they confirmed that the items I hit on were the ones they load.
Pull the entire Evidence folder into EnCase as single files.
• Let's search for some keywords
• Passwd.

Does "%55%53%53%53%45%43%54%46%39%21%40" look familiar? It should; that's Google Talk storing our password as hex in plain text. Let's convert.
• 55=U
• 53=S
• 53=S
• 53=S
• 45=E
• 43=C
• 54=T
• 46=F
• 39=9
• 21=!
• 40=@
• Password for the Google Talk and Gmail account usssectf@gmail.com is "USSSECTF9!@"
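The hex-to-character conversion above, turned into a scanner you could run over the carved VAD dumps instead of decoding by hand. This is an added example, not part of the original slides: the sample buffer is constructed, and the minimum run length of four %XX tokens is an assumption.

```python
import re
import string

# A run of at least four consecutive %XX tokens, e.g. "%55%53%53%53" (assumed threshold).
PERCENT_RUN = re.compile(rb"(?:%[0-9A-Fa-f]{2}){4,}")

# Printable ASCII, space included, but no tabs or line breaks.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def decode_percent_run(token_run: bytes) -> bytes:
    """Turn b'%55%53' into b'US': every %XX token is one byte."""
    return bytes(int(token_run[i + 1:i + 3], 16) for i in range(0, len(token_run), 3))


def find_percent_encoded(data: bytes):
    """Scan a raw dump for %XX runs whose decoded bytes are all printable.

    Returns a list of (offset, raw_token_run, decoded_text) tuples, so each
    hit can be tied back to an offset in the dump file it came from.
    """
    hits = []
    for m in PERCENT_RUN.finditer(data):
        decoded = decode_percent_run(m.group(0))
        if all(b in PRINTABLE for b in decoded):
            hits.append((m.start(), m.group(0).decode("ascii"), decoded.decode("ascii")))
    return hits


# Constructed sample buffer: junk bytes around the hex run the slides found in the VAD dump.
SAMPLE_DUMP = (
    b"\x00\x00talk.google.com\x00\x00"
    b"passwd=%55%53%53%53%45%43%54%46%39%21%40\x00"
    b"\xff\xfe%00%01%02%03\x00"   # decodes to non-printable bytes: ignored
    b"url=%2Fa%2Fb\x00"           # single tokens, not a run: ignored
)

if __name__ == "__main__":
    for offset, raw, text in find_percent_encoded(SAMPLE_DUMP):
        print("0x%08x  %s  ->  %s" % (offset, raw, text))
```

To use it on real evidence, read each file from C:\evidence\ with open(path, "rb") and pass its contents to find_percent_encoded.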
We find some plain text in the WINWORD dump file.
We find an entire txt file in the dump of the Notepad process.
Volatility EnScripts
• Takahiro Haruyama's Memory Forensics Toolkit.
• http://cci.cocolog-nifty.com/blog/2010/02/encase-enscri-1.html
• Article about HBGary missing rootkits
• http://cci.cocolog-nifty.com/blog/2010/02/hbgary-responde.html
EnScripts Cont.
• Open the ZIP file and copy the three folders into your
• C:\Program Files\EnCase6\Enscript directory
FTK3 RAM Analysis
Next steps
• This is just a preliminary introduction to Volatility, and I encourage you to play with some of the other commands, like memdmp.
• Some other tools that can help with RAM analysis are "strings" from Sysinternals, which can take your memdmp output and kick out the Unicode to a text file.
• I am far from an expert, but let me know if I can help with anything.
Other Specific Tools
• Skypeex will run against a strings file and dump Skype chat files (included on the DVD)
• Pdgmail, Gmail from RAM. (www.jeffbryner.com/code/pdgmail)
