Computer forensics is a field that is changing as fast as software can be written—and that’s fast.
For each new application a person uses, such as Skype, Instant Messaging, Media players, and new operating systems, computer forensic examiners have to learn how that application reads, writes, stores, and deletes data. This challenge is coupled with the fact that the perpetrators of criminal acts are becoming more computer-savvy. They are learning counter-forensic techniques to obfuscate, delete, encrypt, and simply leave little to no trace of their activities on computers. Therefore, computer forensic examiners, the individuals that scour the contents of hard drives for evidence, need to stay a few steps ahead in the technical arms race. One of the emerging disciplines to assist computer forensic practitioners is the acquisition and analysis of computer memory.
You may have heard the advertisement “Now with 2 Gigabytes of RAM!” or “Add memory for $49.95.” What does this all mean? Computer memory, commonly called RAM (Random Access Memory), is simply another data storage location found inside a computer. Memory is designed for frequent, quick access by a computer’s Central Processing Unit (CPU). Virtually all operations a computer performs are conducted in memory, and the more memory a computer system has, the faster the system will perform its operations. As a result, memory is a very volatile, confusing assortment of information arranged in a relatively unstructured manner. The structure of information stored in memory is so unfamiliar, confusing, and volatile that computer forensic examiners spend little to no time preserving or reviewing the contents of memory. However, recent advancements in memory acquisition and analysis have made promising progress in corralling this confusing source of potential evidence.
Due to the mechanics of how memory works, its contents are erased when a computer is powered off. Therefore, the information in memory needs to be acquired when a system is still on, or “live.” The choice an investigator must make when collecting evidence from a “live” system is to determine how to collect volatile data from memory before shutting the system down for forensic preservation of the hard drive. There are two options available to the forensic investigator. The first option is to use tools that extract information from memory by relying on the operating system. The second option is to acquire the entire contents of memory and analyze its contents using programs only recently developed.
When acquiring information from memory using tools that rely on the underlying operating system (e.g. Windows XP), a computer forensics practitioner uses programs that acquire the following volatile information:
- The current system date and time
- The applications currently running on the target system
- The Windows services currently running on the target system
- The state of network connections
- A list of currently open ports
- The applications listening on the currently open ports
The concern with using tools that rely on the base operating system is that new counter-forensic tools exist that alter the operating system and manipulate the results of any “live” examination of memory. Computer programs referred to as “rootkits” are becoming more advanced and more common. These “rootkits,” when in place, ensure that a computer provides false information when queried. Therefore, when the computer forensic examiner responds using operating system tools, the “rootkit” easily provides false information about running processes, the current network connections, and any other bit of volatile information. Due to the proliferation of counter-forensic techniques such as “rootkits,” computer forensic examiners should practice preserving the entire contents of memory, and use specialized tools to analyze its contents. Though the operating system may lie to you, the contents of memory cannot.
Collecting the entire contents of memory is both free and easy! Memory can be preserved by using the Defense Computer Forensic Lab Data Dump (DCFLDD). DCFLDD is an enhanced version of the GNU “dd,” with added features to support forensics and security-based operations. DCFLDD is very versatile, and works on Unix, BSD, Linux, and Windows Operating Systems. The latest version of DCFLDD is available for download at http://dcfldd.sourceforge.net/.
The command syntax to use for preserving physical memory is the following:
DCFLDD if=\\.\PhysicalMemory of=AnyExternalDevice conv=sync,noerror
DCFLDD – the name of the binary file being executed.
if=\\.\PhysicalMemory – “if” stands for “input file”, which is set to the physical memory device of the system.
of=AnyExternalDevice – “of” stands for “output file”, which we recommend be any external media or network device, because you want to avoid overwriting contents on the target hard drive.
conv=sync,noerror – tells the program to continue after any read errors (noerror) and to pad each short or unreadable input block with zeroes to the full block size (sync). You want to ensure that if 2GB of data is read, then 2GB of data is written.
Once you collect the entire contents of memory, you need to analyze it. Analysis techniques differ based on the scenario and objectives identified for the case. The most common technique used by investigators to analyze memory is the use of a tool called “strings.exe.” The “strings” tool returns each grouping of printable characters within a file. Once these strings are returned, search tools such as “find” and “grep” can be used to locate data of interest. Though very basic, some of the most critical data, such as passwords, configuration files for “rootkits,” the configuration of disk-wiping tools, and command-line statements used by intruders when installing their malware, have been found inside of memory using this technique.
The two winners of the 2005 Digital Forensics Research Workshop Challenge, Chris Betz and the team of George Garner and Robert-Jan Mora, created memory-parsing tools to extract a process listing based on process structures they identified within raw memory. The technique of generating a process list from a raw memory dump removes the concern that a “rootkit” or other counter-forensic tool is ensuring the computer provides unreliable results.
The technique used by Betz has become incredibly useful during an intrusion investigation. In these cases, a true running process list is critical: it provides the investigator a valid list of processes running on the system, as well as indicators of whether any counter-forensic traps are in place to hide evidence on the system. By comparing the process listing the operating system yields with the process listing obtained by preserving memory and executing the “memparser” tool, you can determine whether any hidden processes exist. The presence of a hidden process suggests that counter-forensic software is likely hiding files, processes, registry entries, and a myriad of other items. By determining that counter-forensic software is in use, the computer forensic examiner will proceed with greater diligence, rather than with faulty assumptions.
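The cross-view check described above, as an added example in Python (not code from the article, from memparser, or from the other tools it names): scan a raw dump for process structures by their header signature, pull out the PID and image name, and compare the PIDs found against the list the operating system reported. The header bytes, field offsets and structure size are assumptions modelled on the Windows XP SP2 _EPROCESS layout that public parsers key on; the dump, process names and PIDs are constructed for the demo.

```python
import struct
import string

# Offsets modelled on the Windows XP SP2 _EPROCESS layout that public memory
# parsers key on; for this demo they are assumptions, not verified on a live box.
HDR_SIG = bytes([0x03, 0x00, 0x1B, 0x00])   # DISPATCHER_HEADER Type=3, Size=0x1b
OFF_PID = 0x84          # UniqueProcessId (4 bytes, little-endian)
OFF_NAME = 0x174        # ImageFileName (16 bytes, NUL-padded)
EPROC_LEN = 0x260       # size of one _EPROCESS
ALIGN = 8               # pool allocations are 8-byte aligned
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def build_eprocess(pid, name):
    """Constructed _EPROCESS-like blob for the synthetic dump (demo only)."""
    blob = bytearray(EPROC_LEN)
    blob[0:4] = HDR_SIG
    blob[OFF_PID:OFF_PID + 4] = struct.pack("<I", pid)
    blob[OFF_NAME:OFF_NAME + 16] = name.encode().ljust(16, b"\0")
    return bytes(blob)

def carve_processes(dump):
    """Signature-scan a raw dump and return [(offset, pid, name)] for every
    candidate that passes basic sanity checks on the PID and image name."""
    found = []
    pos = dump.find(HDR_SIG)
    while pos != -1 and pos + EPROC_LEN <= len(dump):
        if pos % ALIGN == 0:
            pid = struct.unpack_from("<I", dump, pos + OFF_PID)[0]
            raw = dump[pos + OFF_NAME:pos + OFF_NAME + 16].split(b"\0", 1)[0]
            if raw and all(c in PRINTABLE for c in raw) and 0 < pid < 0x10000:
                found.append((pos, pid, raw.decode()))
        pos = dump.find(HDR_SIG, pos + 1)
    return found

def hidden_processes(carved, os_reported_pids):
    """Cross-view check: PIDs present in memory but absent from the OS list."""
    return sorted({pid for _, pid, _ in carved if pid not in os_reported_pids})

def demo_dump():
    """Constructed 64 KiB dump with three processes and one decoy that has the
    header bytes but garbage where a name should be (exercises the filter)."""
    dump = bytearray(b"\xcc" * 0x10000)
    for off, blob in ((0x1000, build_eprocess(4, "System")),
                      (0x4008, build_eprocess(1234, "explorer.exe")),
                      (0x9010, build_eprocess(1640, "hidden.exe"))):
        dump[off:off + len(blob)] = blob
    dump[0xC000:0xC004] = HDR_SIG          # decoy: no valid name or PID follows
    return bytes(dump)
```

Feeding `hidden_processes(carve_processes(demo_dump()), {4, 1234})` the PIDs a tampered task list would show yields `[1640]`, the process the operating system view omitted.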
Unfortunately, there are no freely available tools that cover all of the commonly used Windows Operating Systems. Because major patch levels within each operating system handle memory differently, investigators will probably need to have several tools in their toolbox to acquire the desired end result.
The following is a chart of free tools available for download based on the Operating System. Keep in mind that there may be caveats for these tools when dealing with systems running Physical Address Extension (PAE) and, because this area is changing very rapidly, there may be additions to the list by the time you read it.
So the next time you are sent to acquire an image of a hard drive, and you think the reason could be an intrusion, or perhaps the owner of the system has something to hide, you should consider preserving an image of physical memory, if not for use with current analysis tools, then perhaps with tools that are sure to be released in the future.
Kevin Mandia, President and CEO of MANDIANT, is an internationally recognized expert in the field of information security. He has over fifteen years’ experience, beginning in the military as a computer security officer at the Pentagon. Mandia is also co-author of Incident Response: Performing Computer Forensics (McGraw-Hill, 2003).
Kris Harms, Senior Consultant at MANDIANT, provides investigative and technical expertise in incident response management and investigation, computer forensics, vulnerability assessment and remediation, and security architecture and design.