Memory Forensics
Comparing the correctness of memory captures from locked Windows 10 machines using different boot capture vectors.
Abstract
Memory forensics is rapidly becoming a critical part of all digital forensic investigations. The value of the information held in a computer's memory is immense; failing to capture it could result in a substantial loss of evidence. However, it is increasingly common to encounter situations where standard memory acquisition tools do not work. This paper addresses how an investigator can capture the memory of a locked computer when no authentication credentials are available. The proposed solution is to use a bootable memory acquisition tool, in this case Passware Bootable Memory Imager. To broaden the findings, three different reboot methods are tested to identify what happens if the recommended warm reboot is not possible. Using a warm reboot and a secure reboot, Passware Bootable Memory Imager successfully acquired the memory of the locked machine, and the resulting captures were highly representative of the populated data. However, the memory samples collected after a cold reboot did not retain any populated data. These findings show that rebooting into a bootable imager is a highly successful way to capture the memory of a locked machine, provided the correct reboot method is followed.
This article is published by LAJC under a Creative Commons Attribution-Non-Commercial-Share-Alike 4.0 International License. Non-exclusive copyright is transferred to the National Polytechnic School, and the author(s) consent to the Editorial Committee publishing the article in the issue that best suits the interests of the journal.