Forensics Sources Part 2: Memory

I am publishing a 4 Part Series on sources that can be used to aid in digital forensics investigations. This is Part 2: Memory.

Part 1 covered PCAPS and you can find it here if interested.

Background:

Digital forensics can be described as the science of identifying, extracting, and preserving computer logs, files, cookies, cache, meta-data, internet searches, and any other legally admissible evidence that could be used to solve crimes committed using internet connected infrastructure.

Although most investigations focus on computers, evidence is not limited to workstations and laptops. In recent years, forensics teams have expanded their searches to include social networks, file sharing solutions, cloud service providers, mobile devices, third party applications, and more.

Complicating matters further, some people access the internet from different devices and use multiple web browsers daily, including as Internet Explorer, Chrome, and Firefox. Therefore, forensics investigations can involve correlating multi-device URL visits, cookies, time data was accessed, search terms, caches, and downloaded files.

This post will assess artifacts in memory that could be used in a digital forensics investigation. The event types are limited to network intrusion detection, malware installation, and file deletion. The analysis will include commentary about challenges that are common when gathering and inspecting the forensics data.

Security professionals must also understand the usefulness of forensics data, so the discussion will include an analysis of how memory should be prioritized during investigations.

The forensics rankings used:

  • Primary Sources=most likely to have relevant data
  • Secondary Sources=may contain relevant data
  • Tertiary Sources=may contain supporting data.

Memory Explained

Forensically, one of the most valuable and relevant sources of data is in the volatile and non-volatile memory of impacted systems.  This includes system memory (RAM), pagefiles, and BIOS, listed in order of volatility (volatile à non-volatile).

Depending on the state of the machine when an event occurs, the investigator may be able to harvest running processes, handles, and other calls within the operating system that help to replay what was occurring before the event occurred, while the event is occurring, and after the event.

Further, in the event that the target system is crashed as a result of the event, data in memory may have been swapped out to pagefile, which further provides the investigator with clues as to what may have happened to a system prior to its demise.

Memory Collection & Examination Challenges

The forensic validity of data in system memory is heavily dependent upon the state of the system after the event has occurred.

In live systems, extracting the live memory of the system using tools that do not alter the process patterns of the target host will provide a snapshot of what is occurring within the system.  Coupled with other clues from the network or file system, memory can provide a holistic picture of what impacted the system.

Modern operating systems use paging to swap out elements of active memory to disk, and when a system is in the shutdown state (depending on the operating system), the pagefile will house memory data that may be of interest to the investigator.

Lastly, the BIOS will contain the last known good boot state of the device, as well as some operating system heuristics that may be useful in understanding how a system has been impacted, if neither of the other two system memory components yield good data.

There are however, some challenges associated with extracting system memory.  Volatile memory is generally lost when the power is cut or a system is rebooted.  If a system is impacted in such a way that the system is non-responsive or otherwise incapacitated, getting access to the non-volatile memory may be very difficult. An example would be if there is no CD or USB for a live image tool to run atop of the existing file system.

A pagefile is a special type of file – but a file nonetheless, which means it can be manipulated, or cleared or otherwise corrupted, rendering it useless from the perspective of a forensic investigation. Manipulating or looking for evidence within the BIOS can be challenging, and requires special software and skills that may not be readily available to an investigator.

Memory Priority in Intrusions, Malware, and File Deletion Events

How system memory is used forensically will largely depend on the state of the system at the time of investigation, the type of system and the tools available to the investigator.

For PC based systems, extraction of system memory contents is generally straightforward. However, depending on the type of system that is being examined, what is available to the investigator may be somewhat limited.

System memory does have some specific use cases where it is more relevant to an investigation than others, and successfully extracting one or more of the system memory types may aid in event reconstruction and forensic review.

Memory Priority: Network Intrusions

Using system memory extractions for evidence of network intrusions can be useful if:

  • The event targeted an endpoint
  • There is evidence of a running process or executable on the target host that was a direct result of the intrusion
  • There are HIDS and/or antivirus applications within those systems

Network based commands that serve as elements of compromise may exist within volatile memory of the targeted system, and may provide additional evidence to an investigator that certain commands were run on the target system.  System memory would be considered a secondary source of evidence for this type of event, in most instances.

Memory Priority: Malware Installations

Malware, by its very nature, manifests itself in system memory via some exploit as a form of an executable, and “hides” amongst the processes and system files running on a system. An investigator able to extract the running processes and active memory from a system where malware is installed can:

  • Gather valuable information on how the malware works
  • Determine how it may have infected the target host
  • Extract what processes and/or files it may have impacted or spawned
  • Identify any changes to the operating system that it may have performed
  • Uncover any unique behaviors exhibited by the malware

Further, executable information may have been paged out to the pagefile, and in some cases, there may be evidence of the malware within the BIOS (in the cases of soft BIOSes, for example). Here, system memory is a primary source of information for malware investigation and subsequent proliferate actions by the malware.

Memory Priority: Insider File Deletions

System memory can be used by an investigator as a viable tertiary source of information about file deletions depending on the circumstance. Note that there may not be any attribution that it was performed by an insider.  Any volatile memory would potentially capture the existence of commands that were issued against the file system, but would provide very little context for the impetus of the commands absent any other information.

Summary of Key Findings

Memory includes volatile and non-volatile data of impacted systems that comprise of random access memory, pagefiles, and BIOS, listed in order of volatility. The main issue with memory is that data can be easily wiped out if the system is rebooted or powered off. All data sources are not created equal, and security professionals must understand how to rank sources by the order of importance.

Memory is a secondary data source in network intrusions, primary source in malware, and tertiary source in file deletions.

This concludes Part 2 of a 4 Part Series on data sources could be used in a digital forensics investigation.

I will cover file systems in Part 3 and logs in Part 4.

ICYMI:

#WeCyberToo: Cassandra Giddings, Security Engineer

#WeCyberToo: Tiffany Smith, Security Analyst