Memory Analysis

GIAC Certified Forensic Examiner Objective:

Analysis and Profiling of Systems and Devices

  • The candidate will demonstrate an understanding of the artifacts created by the Windows operating system during the execution of programs, system start-up and the use of removable devices.

Overview

This lab is part of a series of lab exercises designed through a grant initiative by the Center for Systems Security and Information Assurance (CSSIA) and the Network Development Group (NDG) and funded by the National Science Foundation’s (NSF) Advanced Technological Education (ATE) program Department of Undergraduate Education (DUE) Award No. 0702872 and 1002746.

In this lab, you will use several methods to determine whether an attacker attempted a breach of, or successfully compromised, a system. Some evidence about the attacker, such as the IP address of an active network connection, exists only in memory and is lost when the machine is shut down. For this reason, an investigator collects volatile data, such as an image of Random Access Memory (RAM), before shutting a system down.

OUTCOMES:

In this lab, you will learn to:

  1. Obtain a dump of physical memory using DumpIt
  2. Attack the victim system with Armitage
  3. Use Volatility to identify the remote network connections recorded in the memory dump

Key terms and descriptions

DumpIt
Creates a raw copy of the system's physical memory and saves it to a file; this file is the memory image analyzed later in the lab.
Volatility
An open-source memory forensics framework used in incident response to extract processes, network connections and other artifacts from a memory image.
PsList
The Volatility pslist plugin. Lists the processes that were running when the image was taken, along with their characteristics (PID, parent PID, thread and handle counts, start time).
connscan
Volatility plugin that scans the memory image for TCP connection structures and reports the local and remote IP addresses and ports together with the PID of the owning process. It applies to Windows XP and Server 2003 images; for Vista and later, the equivalent plugin is netscan.
Armitage
Metasploit is a very powerful exploitation framework, but it requires that the user be comfortable with the command line. Armitage is a GUI front end for Metasploit that exposes many of its capabilities. An attacker can use Armitage to identify and exploit victim machines from an easy-to-use graphical environment.
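The final step of the lab is to read the connscan output and work out which process on the victim held a connection back to the attacker. The following Python script is an added example, not part of the original lab or of Volatility: it parses connscan and pslist output, joins them on PID, drops loopback-only connections and reports every process that talked to a given attacker address. The two output blocks embedded in it are constructed sample data laid out like Volatility 2 output for a Windows XP image; the addresses, PIDs and offsets are invented. It also handles two things the plugin output alone does not make obvious: connscan can return the same connection twice from stale copies in physical memory, and a PID that appears in connscan but not in pslist (a hidden or already-exited process) is flagged rather than silently dropped.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample data in the layout of Volatility 2 "connscan" and "pslist"
# output for a Windows XP image. All addresses, PIDs and offsets are invented.
CONNSCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x0a3f9e88 192.168.1.100:1043        192.168.1.50:4444         1092
0x0a41c2d0 192.168.1.100:1044        192.168.1.1:445           4
0x0a4555a8 127.0.0.1:1025            127.0.0.1:1026            688
0x0a4a0f10 192.168.1.100:1051        192.168.1.50:4444         1340
0x0b112340 192.168.1.100:1043        192.168.1.50:4444         1092
"""

PSLIST_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x82163fb0 services.exe            688    632     15      262      0      0 2012-03-15 14:21:40 UTC+0000
0x81d2f020 svchost.exe            1092    688      5       89      0      0 2012-03-15 14:22:01 UTC+0000
0x81c9fda0 notepad.exe            1732   1560      1       30      0      0 2012-03-15 14:30:12 UTC+0000
"""

UNKNOWN = "<not in pslist>"

# Data lines start with a hex offset; banner, header and separator lines do not.
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")
PROC_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_connscan(text):
    """Return one dict per connection line of connscan output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        lip, lport, rip, rport, pid = m.groups()
        conns.append({"local_ip": lip, "local_port": int(lport),
                      "remote_ip": rip, "remote_port": int(rport), "pid": int(pid)})
    return conns


def parse_pslist(text):
    """Return {pid: {"name": ..., "ppid": ...}} from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if not m:
            continue
        name, pid, ppid = m.groups()
        procs[int(pid)] = {"name": name, "ppid": int(ppid)}
    return procs


def correlate(connscan_text, pslist_text):
    """Join connections to process names by PID, dropping duplicate connections."""
    procs = parse_pslist(pslist_text)
    rows, seen = [], set()
    for c in parse_connscan(connscan_text):
        key = (c["local_ip"], c["local_port"], c["remote_ip"], c["remote_port"], c["pid"])
        if key in seen:          # same connection found twice at different offsets
            continue
        seen.add(key)
        proc = procs.get(c["pid"])
        rows.append({**c,
                     "process": proc["name"] if proc else UNKNOWN,
                     "ppid": proc["ppid"] if proc else None})
    return rows


def remote_connections(rows, ignore_nets=("127.0.0.0/8",)):
    """Keep only connections whose remote end is outside the ignored networks."""
    nets = [ip_network(n) for n in ignore_nets]
    return [r for r in rows if not any(ip_address(r["remote_ip"]) in n for n in nets)]


def processes_talking_to(rows, attacker_ip):
    """Sorted (pid, process name) pairs that had a connection to attacker_ip."""
    return sorted({(r["pid"], r["process"]) for r in rows if r["remote_ip"] == attacker_ip})


if __name__ == "__main__":
    rows = correlate(CONNSCAN_OUTPUT, PSLIST_OUTPUT)
    for r in remote_connections(rows):
        print(f'{r["process"]:<16} pid={r["pid"]:<5} '
              f'{r["local_ip"]}:{r["local_port"]} -> {r["remote_ip"]}:{r["remote_port"]}')
    print("talked to 192.168.1.50:", processes_talking_to(rows, "192.168.1.50"))
```

Run the real connscan and pslist output from the lab image through `correlate` in place of the embedded samples; a PID reported as `<not in pslist>` is itself a finding worth following up with psscan, which does not rely on the process list the kernel maintains.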