CSIRT-Collect is a PowerShell script that I wrote to automate to collection of a RAM image as well as a KAPE triage collection. I wanted to preserve the order of volatility and capture the RAM before any other artifact collection occurs. Version 3 by default leverages Magnet Ram Capture to collect the memory. You can utilize Winpmem or DumpIt with a minor code modification.
In this article we will be going to learn the how to capture the RAM memory for analysis, there are various ways to do it and let take some time and learn all those different circumstances call for a different measure.
Magnet RAM Capture
Magnet Forensics is a free RAM capturing or memory imaging tool which is used to capture the physical memory of suspects system, allows investigators to analyse and recover the valuable facts that are only found in the memory of the system.
Magnet Ram capture has a small memory footprint, that means investigator can run the tool while data is overwritten in memory. We can capture memory data in Raw (.DMP/.RAW/.BIN) format and easily analyse them.
After completing the process, it shows a pop-up message which indicates the process is successful and provides us the path location were our captured memory is located which we were provided earlier by us.
After providing all the details it starts to load its drivers to start the process of capturing the memory image, now it shows the active live progression of the task given by us to capture the memory image.
This comes with a small, and fast-booting forensic image analysis in a microkernel that runs from portable media. It physically boots the device, captures and authenticates a computer system, and reconstructs the filesystem.
RAM evidence captured by the tool includes processes and programs, network connections, registry hives, malware intrusion evidence, decrypted keys and files, usernames and passwords, and any other activity not usually stored on the hard disk.
Pros: It extracts image files on webpages being viewed. It can capture files such as JavaScript and CSS on a website, which can help detect malware. It preserves a webpage while it is being viewed by a user.
RegRipper is a flexible open source tool that can facilitate registry analysis with ease. It contains pre-written Perl scripts for the purpose of fetching frequently needed information during an investigation involving a Windows box. We are using RegRipper because of the simplicity of the tool and the availability of numerous plugins that capture specific information from the registry.
There are several forensics applications specifically designated to capture the RAM memory, among them FTK Imager, EnCase Imager, Magnet RAM capture and others. Even for cases when the computer has been turned off, it is possible to obtain RAM information from the dump that the Windows system produces when the computer goes to sleep or is turned off. In these cases, it is about analyzing one of the files that will be present in the disk image: hiberfil.sys. This file reflects the contents of memory at a certain moment (for example, when the computer hibernated for the last time), depending on how the Windows system of the corresponding computer is configured. The process of this file presents some additional complications with the newer versions of Windows (from Windows 8 on), since it is compressed and must be previously unzipped before being analyzed.
RAM is generally an unstructured memory space but there are some frameworks specially designated for its analysis. Perhaps the most known and used is Volatility, which is a framework that has been around since 2007. Using Volatility, it is possible to forensically examine RAM captures to determine processes running at the time of capture, their relations (parent-child), clipboard content, user sessions, active Windows services and other forensically usable information. Volatility framework works with Windows, Mac and Linux systems.
MAGNET RAM Capture is probably one of the most well-known free tools Magnet Forensics offers. As its name suggests, you can utilize MAGNET RAM Capture to acquire the physical memory of a Windows computer. When launching the GUI instance of MAGNET RAM Capture, you will be presented with information detailing how much physical memory will be captured, a text entry field for the memory capture storage location, and an option to segment the memory capture.
And several other popular full-disk encryption solutions. This is a beneficial option when examining systems in an environment you may be unfamiliar with. In theory, by the time you run this tool you have already utilized MAGNET RAM Capture, so using something like Passware with that memory capture would likely provide a method to access those encrypted volumes. But why takes chances? If you can identify a full-volume encrypted disk on the system that is powered on and accessible using Encrypted Disk Detector, you just may decide to live image that device before powering down the system.
The MAGNET Web Page Saver can be used to capture the content of a web page as it exists at a point in time. This is a great resource to have during the investigative process as web page content can change over time. The tool offers both automatic and manual capturing and users can import a list of URLs when multiple pages need to be captured, useful when generating a report of URLs of interest from an AXIOM case.
Additionally, a log is created showing the start and completion of the web page capture, and hashing is performed on the downloaded HTML content if that option is enabled. This provides not only the ability to capture web page data that is relevant to an investigation but also a method for demonstrating web content has not been altered after download.
Memory analysis is an essential component of incident response and network forensics. It involves leveraging various tools to capture and analyze memory dumps to uncover malicious activity, malicious code, and other forensically relevant evidence.
UNIX systems have a long history of using core dumps for troubleshooting. Sam Gwydir, in his 2017 presentation on BSD core dump history, discussed the introduction of doadump() more than 40 years ago, which enabled UNIX core dumps to be stored to magnetic tapes and eventually to hard disks, files, and networks.
Magnetoresistive random-access memory (MRAM) is a type of non-volatile random-access memory which stores data in magnetic domains.[1] Developed in the mid-1980s, proponents have argued that magnetoresistive RAM will eventually surpass competing technologies to become a dominant or even universal memory.[2] Currently, memory technologies in use such as flash RAM and DRAM have practical advantages that have so far kept MRAM in a niche role in the market.
Unlike conventional RAM chip technologies, data in MRAM is not stored as electric charge or current flows, but by magnetic storage elements. The elements are formed from two ferromagnetic plates, each of which can hold a magnetization, separated by a thin insulating layer. One of the two plates is a permanent magnet set to a particular polarity; the other plate's magnetization can be changed to match that of an external field to store memory. This configuration is known as a magnetic tunnel junction and is the simplest structure for an MRAM bit. A memory device is built from a grid of such "cells".
The simplest method of reading is accomplished by measuring the electrical resistance of the cell. A particular cell is (typically) selected by powering an associated transistor that switches current from a supply line through the cell to ground. Because of tunnel magnetoresistance, the electrical resistance of the cell changes with the relative orientation of the magnetization in the two plates. By measuring the resulting current, the resistance inside any particular cell can be determined, and from this the magnetization polarity of the writable plate. Typically if the two plates have the same magnetization alignment (low resistance state) this is considered to mean "1", while if the alignment is antiparallel the resistance will be higher (high resistance state) and this means "0".
Data is written to the cells using a variety of means. In the simplest "classic" design, each cell lies between a pair of write lines arranged at right angles to each other, parallel to the cell, one above and one below the cell. When current is passed through them, an induced magnetic field is created at the junction, which the writable plate picks up. This pattern of operation is similar to magnetic-core memory, a system commonly used in the 1960s.
However, due to process and material variations, an array of memory cells has a distribution of switching fields with a deviation σ. Therefore, to program all the bits in a large array with the same current, the applied field needs to be larger than the mean "selected" switching field by greater than 6σ. In addition,the applied field must be kept below a maximum value. Thus, this "conventional" MRAM must keep these two distributions well-separated. As a result, there is a narrow operating window for programming fields; and only inside this window, can all the bits be programmed without errors or disturbs. In 2005, a "Savtchenko switching" relying on the unique behavior of a synthetic antiferromagnet (SAF) free layer is applied to solve this problem.[4] The SAF layer is formed from two ferromagnetic layers separated by a nonmagnetic coupling spacer layer. For a synthetic antiferromagnet having some net anisotropy Hk in each layer, there exists a critical spin flop field Hsw at which the two antiparallel layer magnetizations will rotate (flop) to be orthogonal to the applied field H with each layer scissoring slightly in the direction of H. Therefore, if only a single line current is applied (half-selected bits), the 45 field angle cannot switch the state. Below the toggling transition, there are no disturbs all the way up to the highest fields. 2ff7e9595c
Comments