Conference Paper

A comparison of Windows physical memory acquisition tools

Authors:

... Volatile memory (RAM) is considered a vital component as it stores every task done by the CPU; in addition, lots of digital artefacts are stored in memory which are very valuable for digital investigation, such as network connections, running processes, services, internet sessions, malware, system information, registry content, hidden data, browsing activities, chat conversations, usernames, passwords in clear text, and cryptographic keys. Even encrypted data is stored in unencrypted form in volatile memory (Ahmed and Aslam, 2015). However, extracting evidence from volatile memory is a critical task, since the data stored in volatile memory is deleted once the system is shut down, and it changes frequently while the device is in use (Ahmed and Aslam, 2015). ...
... Even encrypted data is stored in unencrypted form in volatile memory (Ahmed and Aslam, 2015). However, extracting evidence from volatile memory is a critical task, since the data stored in volatile memory is deleted once the system is shut down, and it changes frequently while the device is in use (Ahmed and Aslam, 2015). There are two approaches for investigating volatile memory: ...
... Despite the significant investigation into and evaluation of memory forensics tools (e.g. [8], [9], [10], [11], [12], [13]), there are fewer examples of comparative analysis of forensics tools. The results of this analysis will hopefully lead to improved tools and better-informed choices by users. ...
... To determine the capabilities of some Windows volatile memory acquisition tools, Ahmed et al. [9] compared their captured memory images. They used Volatility, Redline, and WindowsSCOPE [48] to compare the memory acquisition tools. ...
Article
As part of the incident response process, the memory forensics tools extract forensic artifacts and display them. Many memory forensics analysis tools are being developed to address the challenges of modern cybercrimes. Investigations are successful when they have an accurate analysis provided by a memory forensics tool that consumes resources reasonably. This paper presents a comparative analysis of three dominant memory forensics tools: Volatility, Autopsy, and Redline. We consider three malware behaviour scenarios and evaluate the forensics capabilities of these tools in each. We also experimentally measure the CPU and memory consumption of each for memory analysis in other operational states. We find that Volatility provides the most accurate memory analysis. Our measurements show that Redline consumes more CPU resources, and Autopsy needs more memory resources to analyze a memory image file. The results of our investigation will hopefully lead to tool improvement and more informed choices by users.
... The problem with the physical method is that it must be installed in the suspect system beforehand, which is not possible in most cases (Ahmed & Aslam, 2015). Therefore, software-based acquisition methods are preferred by most investigators. ...
... Ahmed et al. (Ahmed & Aslam, 2015) experimented with different memory capturing tools (MoonSols DumpIt, Access Data FTK Imager, Winpmem, Belkasoft Live RAM Capture, Mandiant's Memoryze, Magnet RAM Capture) in two different scenarios: in the first case, a clean memory image was taken, and in the other case the system was infected with an anti-debugging tool and memory was captured. All memory samples were analyzed by 3 different tools (Volatility, Redline and WindowsSCOPE). ...
Article
Full-text available
Forensically sound evidence processing is the key component of prosecution to convict the perpetrator. When an investigator approaches the crime scene and encounters a running system, the most essential thing to do is to capture the system's memory. Memory forensics plays a significant role in the analysis of different forensic artifacts that may not be present on the hard disk. Memory is divided into two regions, user space and kernel space. Incident responders should collect all user space and kernel space for a comprehensive forensic examination. Moreover, memory is fragile in nature, so during the evidence gathering process, the minimum contamination should be performed. Therefore, the best memory acquisition tool must be identified that can assist the forensic examiner with the thorough examination of collected evidence. In this paper, among five commonly used memory acquisition tools, an attempt was made to find the best memory acquisition tool.
... The investigation on the host was conducted using memory analysis with Mandiant Redline, a Windows-based memory forensics analysis and acquisition tool that facilitates the host investigation process [36], as illustrated in Figure 21. Based on Mandiant Redline analysis, it was found that there was suspicious activity running an outside service with the location of Port 445 by the System.exe ...
Article
Full-text available
Increased public activity in cyberspace (Internet) during the Covid-19 pandemic has also increased cybercrime cases with various attack targets, including E-Government services. Cybercrime is hidden and occurs unnoticed in E-Government, so handling it is challenging for all government agencies. The characteristics of E-Government are unique and different from other service systems in general, requiring extra anticipation for the prevention and handling of cybercrime attack threats. This research proposes log and event data analysis to detect cybercrime in e-Government using System Information and Event Management (SIEM). The main contribution of this research is a simple, fast, and accurate cybercrime detection process in the e-Government environment by increasing the level of log and event data analysis with the SIEM approach. SIEM technology based on machine learning and big data is implemented with Elastic Stack. The implemented technique can be used as a mitigation program against cybercrime threats that often attack and target e-Government. With simple, accurate, and fast cybercrime detection, it is expected to improve e-Government security and increase public confidence in public services organized by government agencies.
... Comparison of memory forensic tools as per [9] ...
Article
Full-text available
Malware refers to “malicious software” which is designed to disrupt or steal data from a computer, network or server. Malware-based attacks are significantly on the rise, among which ransomware attacks are quite prominent and capable of catastrophic damages. It is essential to understand the behavior, functionality, patterns and activities for the successful mitigation of malware attacks which are rapidly evolving. This research deals with the analysis of malware. The research is centered upon the Volatility tool which is used for dynamic malware analysis. Using this tool, the infected memory dump files are analyzed for the understanding of the malware functionality and patterns. The Volatility tool’s main function is to identify the users and their techniques along with the examination of deleted digital evidence from volatile memory.
... Acquiring memory can be done using two mechanisms, either hardware-based or software-based acquisition [15] [16]. When compared with hardware-based acquisition, software-based acquisition is cost-effective and is available easily, and therefore it is what is used by most digital forensic investigators. ...
... Kamal et al. (2016) also tested six Windows tools (two different from the previous work) and focused on the artifacts left by the tools. Ahmed and Aslam (2015) compared six Windows tools (four different from Carvajal et al.) and found a few differences in performance between them, especially when anti-forensics measures were taken on the target machines. ...
... In order to determine the capabilities and accuracy of Windows volatile memory capturing tools, Ahmed and Aslam (2015) analysed several different Windows volatile memory acquisition tools. A comparative analysis was presented to enable an investigator to make an informed selection of the memory acquisition tool. ...
Article
Volatile memory contains an affluence of information regarding the current state of the running system. Memory forensics techniques inspect RAM to extract information such as credentials, encryption keys, network activity and logs, malware, MFT records and the set of processes, open file descriptors currently executed by the operating system, etc. To achieve retrievability of potential artefacts, a memory dump should be taken prior to shutting down the system. It is the most vital aspect for carving information residing into the volatile memory. Volatile memory dump is used for offline investigation of volatile data. The analysis provides information regarding the activities being performed over the running system. This research focuses on our developed framework called as VolNet through which investigator can extract and analyse the artefacts related to network communication, social chats, cloud-based artefacts, private browsing and anonymous surfing and other potential artefacts that can be obtained from RAM dumps of live systems.
Article
Full-text available
Volatile memory contains an affluence of information regarding the current state of the running system. Memory forensics techniques inspect RAM to extract information such as credentials, encryption keys, network activity and logs, malware, MFT records and the set of processes, open file descriptors currently executed by the operating system, etc. To achieve retrievability of potential artifacts, a memory dump should be taken prior to shutting down the system. It is the most vital aspect for carving information residing in the volatile memory. A volatile memory dump is used for offline investigation of volatile data. The analysis provides information regarding the activities being performed on the running system. This research focuses on our developed framework, called VolNet, through which an investigator can extract and analyze the artifacts related to network communication, social chats, cloud-based artifacts, private browsing and anonymous surfing, and other potential artifacts that can be obtained from RAM dumps of live systems.
... Since the kernel-level acquisition tools depend on the kernel functions, if the OS is compromised by a rootkit then it can in turn affect the correctness of the memory image produced. Ahmed and Aslam [41] also showed that some kernel-level acquisition tools such as FTK Imager [38] and Magnet RAM Capture [42] were not able to dump the user/kernel space data for certain online gaming processes that used anti-debugging features. ...
Conference Paper
Full-text available
This research is based on the Volatility tool. The Volatility tool is used for dynamic malware analysis; using this tool, we examine the infected memory dump file. Throughout this research we learn about malware and its types and also examine the memory forensics or analysis part. As we all know, nowadays lots of malicious activities arise, so to understand this activity and its behavior and protect our system or software, we have to be aware of those techniques. Nowadays cybercriminals or hackers easily break IDS and antivirus software. To protect our systems, networks and servers we have to know malware analysis and detection techniques well. I have researched the Volatility tool, which is used for malware analysis. The Volatility tool's main function is to identify the users and their techniques and examine deleted digital evidence from volatile memory.
Preprint
Full-text available
Memory forensics is used to implement and investigate malware that is executed or stored in RAM. Whether it is static malware analysis or dynamic malware analysis, each time the malware investigator retrieves the result, it is displayed in plaintext, and the investigator begins examining each result in the plaintext and triaging the malicious request. It's a labor-intensive process, and occasionally an investigator will upload malicious files to his or her computer to be analyzed for malware. These malicious files could contain worms or have the potential to infect the investigator's computer; if that happens, the attacker will keep an eye on all future investigations and the evidence they produce. With the help of this research and algorithm, whenever a malicious DLL or request is made, the algorithm will be able to identify it and flag it. This will save the investigator a lot of time because the investigator can upload files to his or her computer without worrying about whether they will be flagged as malicious behavior. We experimented with multiple malicious files and our algorithm shows 98% efficacy.
Article
There has been an increasing trend of malware release, which raises the alarm for security professionals worldwide. It is often challenging to stay on top of different types of malware and their detection techniques, which are essential, particularly for researchers and the security community. Analysing malware to get insights into what it intends to perform on the victim’s system is one of the crucial steps towards malware detection. Malware analysis can be performed through static analysis, code analysis, dynamic analysis, memory analysis and hybrid analysis techniques. The next step to malware analysis is the detection model’s design using malware’s extracted patterns from the analysis. Machine learning and deep learning methods have drawn attention to researchers, owing to their ability to implement sophisticated malware detection models that can deal with known and unknown malicious activities. Therefore, this survey presents a comprehensive study and analysis of current malware and detection techniques using the snowball approach. It presents a comprehensive study on malware analysis testbeds, dynamic malware analysis and memory analysis, the taxonomy of malware behaviour analysis tools, datasets repositories, feature selection, machine learning and deep learning techniques. Moreover, comparisons of behaviour-based malware detection techniques have been grouped by categories of machine learning and deep learning techniques. This study also looks at various performance evaluation metrics, current research challenges in this area and possible future direction of research.
Chapter
Full-text available
The convenient and cheap access to mobile phones and laptops has significantly increased the use of interactive applications over the past couple of years. However, this has posed various threats to legitimate users in terms of sensitive data disclosure if their device gets lost, compromised or stolen. This study focuses on the forensic analysis of Windows AppStore applications with special focus on LinkedIn’s Desktop application, since it is one of the most downloaded applications from the Windows AppStore. The paper first provides a systematic literature review of the existing digital forensic analysis techniques and highlights their weaknesses. A comprehensive novel methodology for manual forensic analysis of Windows App Store applications on the Windows 10 Operating System (OS) has also been proposed. For experimentation purposes, LinkedIn’s desktop application has been targeted. The research considers all kinds of scenarios such as logged-in users, logged-out users and intentional data deletion, etc. It is finally concluded that from the viewpoint of application forensic analysis, the live, storage and registry analysis all hold equal importance.
Chapter
Windows physical memory maintains information about the various activities on the system, such as processes and their running threads, opened registry keys, and user authentication details, all of forensic importance. A cyber attacker modifies the code of a legitimate process to achieve malicious tasks, and such malicious code is not detected by antivirus programs. In order to detect the presence of malicious code in a legitimate process, this paper suggests a framework. This framework is based on the memory-mapped information of a process and its creation time. The techniques discussed in this paper have been verified on Windows 7 and 8 volatile memory dumps.
Article
Full-text available
In this paper we firstly describe the importance of the study of forensic analysis of physical memory. Further, we introduce some tools and techniques commonly used in forensic analysis of physical memory. Lastly, we present an example of forensic analysis to illustrate how to do physical memory forensics and analysis on a Windows system using existing tools.
Article
Full-text available
Recently there has been a surge in interest in memory forensics: the acquisition and analysis of the contents of physical memory obtained from live hosts. The emergence of kernel-level rootkits, anti-forensics, and the threat of subversion that they pose threatens to undermine the reliability of such memory images and digital evidence in general. In this paper we propose a method of acquiring the contents of volatile memory from arbitrary operating systems in a manner that provides point-in-time atomic snapshots of the host OS volatile memory. Additionally, the method is more resistant to subversion due to its reduced attack surface. Our method is to inject an independent, acquisition-specific OS into the potentially subverted host OS kernel, snatching full control of the host's hardware. We describe an implementation of this proposal, which we call BodySnatcher, which has demonstrated proof of concept by acquiring memory from Windows 2000 operating systems.