
Acquiring and Analyzing Volatile Memory

Definition

Memory is the location where information about the operating system, currently running programs, hardware and all user activity is stored. For example, when you open/run a program, the program is loaded from the hard disk into memory and is executed from there. A program runs much faster in memory than it would from the hard disk. Traditional computer forensics involves the analysis of persistent data on hard drives and USB drives; memory forensics involves the analysis of volatile memory such as RAM. Volatile memory forensics gathers data from running systems, providing additional contextual information that is not available in a disk-only forensic analysis.

Volatile Memory vs Non-Volatile Memory:

Volatile memory, also known as primary storage, is computer memory that requires power to maintain the stored information, unlike non-volatile memory, which does not require a maintained power supply. The most widely used form of primary storage today is a volatile form of random access memory (RAM), meaning that when the computer is shut down, anything contained in RAM is lost. Non-volatile storage is computer memory that can retain the stored information even when not powered. Examples of non-volatile memory include read-only memory, flash memory and most types of magnetic computer storage devices (e.g. hard disks, floppy disk drives and magnetic tape).

Difficulty in Volatile Memory Forensics

Traditional forensics involves the analysis of persistent (non-volatile) data stored on digital evidence such as hard disks, CDs/DVDs, floppy disks, etc. The data on these digital evidence sources is stored in a particular pre-defined format, according to the file system (FAT, NTFS). The data exists permanently at a specific location specified by the file system. Due to its static nature its integrity can be verified in a court of law (by calculating MD5/SHA1 checksums and verifying those checksum values). In the case of volatile data, the information stored in memory vanishes after powering off the machine.

Memory management is carried out dynamically by the operating system according to the needs of ongoing services and processes. This means that the contents of memory are constantly changing, hence the term volatile memory. It is relatively difficult to determine the exact content and location of data residing in memory at a particular instant. Because of the dynamic and inconsistent nature of volatile memory it becomes impossible to verify, and hence prove, its integrity in a court of law: the data collected at any instant is different from that collected at another instant. You cannot recreate the same state of the machine. Even if you create the same state of the machine (by running the same services and processes), because of the inconsistent nature of memory, memory resources are allocated and de-allocated at different locations (depending on the availability of memory at that particular instant). Therefore it is impossible to predict what content resides in memory and where it is stored at a particular instant; you cannot regenerate the same state of memory. Because of the less structured approach to storing data and the speed at which data changes in volatile memory, it becomes very difficult for an investigator to acquire, and hence analyze, volatile memory.

Importance of Volatile Memory

Volatile memory forensics is important because it overcomes several limitations of traditional forensics. Also, as new technologies continue to evolve, memory forensics becomes very important for collecting the necessary digital evidence. Traditional forensics is limited in several ways:
1. It does not allow the user to access encrypted data (e.g. usernames and passwords).
2. It does not reveal information about the processes that were running in memory, so the forensic investigator has no idea which processes were running at the time of the attack.
3. It is possible for an attacker to hide data in volatile memory, and traditional forensics does not reveal any information about such hidden data.
4. It is becoming very common for an attacker to write malicious code (viruses, Trojans, worms) that resides in volatile memory and is never written to a physical disk. Traditional forensics does not reveal such code, so forensic investigators are not able to understand how the attack was actually executed.

Data Residing in Volatile Memory:

There is an ample amount of data residing in volatile memory, as follows:
1. Running processes: All running processes are stored in volatile memory. You can analyze them by acquiring volatile memory. You can also find processes that are hidden, and processes that have terminated but still reside in memory. Information about recently terminated processes and suspicious processes can also be learned by analyzing the currently running processes.
2. Process IDs: The process ID corresponding to each process (program).
3. Date and time: The system date and time play a very important role in an investigation. Information about process creation times can be helpful to the investigator.
4. Command line arguments: The command line arguments of commands executed from the command prompt.
5. Full path of executables: The full path of the .exe being executed and where it is stored on the hard disk.
6. Loaded DLLs, their size and metadata: The DLLs loaded in memory while performing a particular task. (DLL, Dynamic Link Library, is Microsoft's implementation of a shared library. An attacker can exploit a DLL and thereby manipulate the functionality of a process. In some cases, listing the DLLs loaded by malicious processes may provide information about malicious activity.)
7. Registry handles/keys: The registry handles accessed by a process. (The registry is the large database where Windows stores all system, security and software-specific settings. A registry file is useful when a large amount of data is being manipulated, when many entries are being made in the registry, or when the data is transitory and must be loaded and then unloaded again. In rootkit and Trojan horse attacks the registry is the most critical area to be analyzed. Generally rootkits hide processes, files, registry keys and even network connections. By analyzing the content of volatile memory we can enumerate these attacks and find what has been hidden. Further, by analyzing registry handles/keys we can find the exact part of the operating system being attacked.)
8. Open files: The files being used by a process in execution. Information about the files a process is using is very important. If the process is related to malicious code execution, the suspicious files used by that process may show the investigator where the malicious code is stored on the hard disk, and where, what and how it stores its output.
9. Network connections: Information about open TCP/UDP ports, listening ports, currently established connections, current local and remote connections, the protocols used by those connections, etc. can be found by analyzing volatile memory. One can also find a hidden backdoor by listing such network connections. This also provides information about possible attack vectors into the system. For example, just knowing that a particular port/socket is open does not tell you anything about malicious activity; in such cases it becomes important to know which malicious executable/process is responsible for that port being open on the system.
10. Passwords and other encrypted data: Usually passwords are stored on the hard disk in encrypted form. However, they are stored in plain text in volatile memory while in use. Some passwords may help in accessing critical accounts. The investigator may also find in unencrypted form data that is otherwise stored encrypted on the hard disk.
11. Hidden data / malicious code: In recent times it has become a popular trend for attackers to hide their (malicious) data in volatile memory instead of storing it on the hard disk. The reason is that most investigators overlook the data stored in volatile memory, and currently not many anti-virus products are capable of detecting such malicious content in volatile memory. Moreover, it becomes very difficult to reverse engineer data stored in volatile memory because as soon as you pull the plug the data is destroyed. Hence it becomes very easy for an attacker to store and execute malicious code and then destroy it after their work is complete.

Methods for Acquiring Volatile Memory:

Before analyzing digital evidence it must be collected, so that the investigator can draw conclusions from it. In order to analyze volatile memory the investigator must know where to locate it and the various techniques for acquiring it. Many tools and techniques are available for acquiring volatile memory. Broadly there are two ways of acquiring it, described as follows.

Software based Acquisition:

A basic Unix command used for low-level copying is dd. The working of almost all the tools is more or less based on this basic command for creating an image. Generally the tools take a snapshot of the state of the machine; this includes the CPU state, memory (both main and virtual), running processes, active network connections, etc. Various commercial toolkits are available for creating an image of volatile memory (RAM); most of them are freeware and easily available.

Pros:
1. Easy method of acquiring volatile memory.
2. More popular due to its cost effectiveness.
3. Done with the help of software toolkits (some of them are free and easily available).

Cons:
1. Requires additional software to be run on the target system.
2. There is a high possibility that, in the process of acquiring the memory, the contents of memory are altered. This is because software always requires a process in which to execute, so data relevant to the investigation may be overwritten.
3. It is easy for an attacker to corrupt the operating system or the software; the attacker can hide relevant data by modifying the system calls and internal structures.

Hardware based Acquisition:

The most direct way of acquiring volatile memory is to have a piece of dedicated hardware just to acquire memory. A proposed method is to use a PCI (Peripheral Component Interconnect, an industry specification for interconnecting certain computer hardware components) card that disables the CPU and uses DMA (Direct Memory Access, a technique for transferring data from main memory to a device without passing it through the CPU) to access the host memory, creating the image on a connected device.

Pros:
1. Done with the help of a dedicated hardware tool.
2. No additional software on the target machine is required.
3. OS independent.
4. A more reliable method of acquiring volatile memory because even if the attacker has compromised the operating system and software, we still get an accurate/real image of physical memory, as we do not rely on those components of the system. (Real image: the same image as the CPU sees.)
5. There is no possibility of the data being altered and overwritten, as the hardware device is accurate and reliable and exposes the memory as a read-only device.
6. Difficult for an attacker to corrupt.

Cons:
1. Not a cost effective method.
2. Requires the device to be installed prior to an incident.
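As an added example (not code from the paper or from any of the tools it names), here is the dd-like copy loop that software-based acquisition rests on, in Python: it copies a raw memory source block by block, treats an unreadable block the way dd conv=noerror,sync does (log it, write zeros, keep image offsets aligned with physical addresses), and records MD5/SHA-1 hashes of the image during the one-shot read so the stored image can be verified afterwards. The memory source is a constructed in-memory stand-in; a real acquisition would read a device exposed by a kernel driver instead.

```python
import hashlib, os, tempfile

class ConstructedMemorySource:
    """Constructed stand-in for a raw memory device: one block raises an I/O error."""
    def __init__(self, data, bad_block, block_size):
        self.data, self.bad_block, self.bs, self.pos = data, bad_block, block_size, 0
    def read(self, n):
        if self.pos // self.bs == self.bad_block:
            self.pos += self.bs  # skip past the unreadable block, as a device read would
            raise OSError("Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

def acquire_raw(src, dst_path, block_size=4096):
    """Copy like `dd conv=noerror,sync`: an unreadable block becomes zeros (and is logged),
    a short last block is zero-padded, so offsets stay physical; hashes are taken on the fly."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    bad_blocks, block_no = [], 0
    with open(dst_path, "wb") as out:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError:
                bad_blocks.append(block_no)
                chunk = b"\x00" * block_size  # noerror: keep going, fill with zeros
            if not chunk:
                break  # end of the source
            chunk = chunk.ljust(block_size, b"\x00")  # sync: pad a short block
            out.write(chunk)
            for h in (md5, sha1): h.update(chunk)
            block_no += 1
    return {"bytes": block_no * block_size, "bad_blocks": bad_blocks,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_image(path, record):
    """Re-hash the stored image and compare with the acquisition record."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in (md5, sha1): h.update(chunk)
    return (md5.hexdigest(), sha1.hexdigest()) == (record["md5"], record["sha1"])

def demo():
    """Acquire 10240 constructed bytes with block 1 unreadable; return record, verdict, path."""
    src = ConstructedMemorySource(bytes(range(256)) * 40, bad_block=1, block_size=4096)
    path = os.path.join(tempfile.mkdtemp(), "mem.raw")
    record = acquire_raw(src, path, 4096)
    return record, verify_image(path, record), path
```

The record (byte count, list of unreadable blocks, hashes) is what goes into the acquisition notes; the hashes cannot be regenerated from the live system later, which is the integrity problem the text describes.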

Tools Used:

There are various free and commercial tools available for acquiring volatile memory; this section describes some of the currently available tools. This may not list all available tools, but the most popular ones are listed here. While using these tools, we should also keep in mind factors such as: How accurate is the tool? Does it work correctly in all situations? The tool should not miss any critical information. The evidence collected and analyzed should hold up in a court of law. Furthermore, you should never rely on any one particular tool, and you should always consider the false positives/risk associated with that tool. No tool may be perfect, but it may still fetch valuable information.

Software Tools:

Some popular software tools are:
1. MemDump tool, KnTTools (used for Windows systems) (http://www.memdump.comabout.com/download.html)
2. dd in Unix
3. Idetect (used for Linux systems)
4. The Volatility Framework (open source; used with Linux, Windows and Mac OS X)
5. VAD Tools (Python scripts for collecting information about .dlls and .exes)
6. Memoryze
7. PTFinder
8. F-Response, FastDump
9. All Sysinternals tools from Microsoft (http://technet.microsoft.com/enus/sysinternals/bb545021)
10. Wft (http://www.foolmoon.net/security/wft/)
11. FTK Imager toolkit by Access Data
12. EnCase by Guidance Software (takes a snapshot of the memory image; the data collected can be opened in the EnCase environment only)
13. Goldfish, Mac Memory Reader for Mac OS

Hardware tools:

Acquisition is done through a PCI (Peripheral Component Interconnect) expansion card or a PCMCIA card. Some of them are as follows:
Tribble by Brian Carrier & Joe Grand
RAM Capture Tool by BBN Technologies
CoPilot by Komoku
Using the FireWire bus

Analysis of Volatile Memory

Volatile memory is accessed via different mechanisms depending on the operating system being used, the type of hardware used and the file system installed/used. Usually the memory of the suspect system is dumped/copied onto another system via specialized tools/commands. The investigator then parses the content of memory from the acquired memory dump. The format of the memory dump used by each tool is different, so the investigator converts it to some meaningful format and then analyzes it.

Cautions and considerations:
1. The act of acquiring the memory can cause changes to the system being analyzed. Collecting volatile memory from a suspect system often starts a new process, which adds new data to the system being analyzed. This data could overwrite critical information that may be useful for the investigation.
2. There is no doubt that we require reliable tools and proper procedures to acquire memory data from a live system, to minimize any possible contamination of the collected data.
3. Due to the inconsistent nature of memory, the acquired memory data may raise challenges to its validity in the context of court proceedings.
4. One should also understand that at any given point in time the system's volatile memory state is not reproducible, because the system may load programs into different areas of memory.
5. An attacker might Trojanize some of the commands that capture volatile memory, and instead of collecting volatile memory those commands may omit the information. An attacker might even alter the way the operating system works while volatile memory is being collected. Therefore the analyst should always trust their own tools rather than those the attacker has used.
6. The limitation of using a hardware-based acquisition device is that it needs to be installed prior to an incident. Installing a PCI card into multiple systems before an incident occurs may sound expensive and impractical; therefore this device should only be installed on critical servers where an attack is likely and a high-stakes intrusion investigation might occur. Additionally, a trusted hardware-based device is needed to reliably acquire the system memory contents without compromising the integrity of the data stored in memory.

Conclusion:

Acquiring and analyzing volatile memory is an area of ongoing research. As technology develops, attackers come up with new ways of exploiting systems. Moreover, in recent times attackers target volatile memory rather than the hard disk to hide their data and thereby perform malicious activity. This article/paper states the general ways of acquiring volatile memory, why volatile memory is important in forensic investigations, what critical information is present in volatile memory, and the difficulties in acquiring it. It also covers currently available tools. Finally, it describes the cautions and considerations to be taken care of while acquiring volatile memory.

References:
1. Frank Y.W. Law, K.P. Chow, Michael Y.K. Kwan, Pierre K.Y. Lai. Consistency Issue on Live Systems Forensics.
2. Access Data Corporation. The Importance of Memory Search and Analysis.
3. Brian D. Carrier, Joe Grand. A hardware-based memory acquisition procedure for digital investigations.
4. Kristine Amari. Techniques and Tools for Recovering and Analyzing Data from Volatile Memory. 26 March 2009.
5. Aaron Walters, Nick Petroni. Integrating Volatile Memory Forensics into Digital Investigation Process.
