Lecture 18 Memory Forensics and Data Recovery

Volatile Memory

  • Volatile memory (e.g., RAM) functions differently than storage.

  • RAM stores temporary data accessed at speed by the OS and applications.

  • Temporary data can be of interest to investigations.

  • Storage holds information even when no charge is present

    – Power is required to operate on stored data

    – Power is required to delete storage contents

  • Volatile memory (RAM) only holds information when charged

    – Power is required to hold and operate on data

    – Read/Write is faster than that of storage

    – Useful for allowing apps to function quickly

  • Volatile memory requires power to hold information, unlike storage.

  • Data in RAM decays but not immediately; cooling slows decay.

  • As forensic investigators, we must understand how this data behaves: powering off may wipe memory; powering on WILL wipe memory.

Recovering Memory

  • Ensure data integrity: explainable changes, follow ACPO principles, image from source.

  • ACPO guidance addresses volatile memory recovery.

  • Unavoidable modifications: running imaging software modifies RAM.

  • Data of interest: running processes, logged users, network info, ARP cache, registry info.

    Before any attempt at data recovery, we must:

    1. Ensure that changes are explainable, especially if you recover memory by using software on a running computer or device;

    2. Follow the ACPO principles (covered in Lectures 16 and 17);

    3. Follow the same protocols as we do when imaging storage: image from source and never run experiments on source.

Memory Forensics Checklist

  • Assess risks before live investigation.

  • Use a portable app (Volatility) on a USB stick.

  • Collect data, verify output, and power off the target machine.

Memory Recovery Techniques

  • Dumping memory from an unlocked machine is relatively simple using FTK Imager or a similar tool.

  • Memory imaging: the RAM read-out is saved to non-local storage.

  • Cold boot method: recover keys from locked, encrypted devices by exploiting memory decay.

  • Cooling RAM slows data decay, aiding extraction.

  • Data extraction steps: freeze the RAM, remove it, plug it into another machine, boot, and dump its contents before the OS boots.

Data Validation and Parsing

  • Parse memory either as raw data (viewed in hex) or as structured data, using the OS's data-structure specifications.

  • Volatility: a tool to view system data, network connections, programs, and attached devices without manual parsing.

  • System information is obtained from OS data held in memory.

  • Registry data tracks executed programs.

  • Volatility has limitations: requires known data structures, symbol sets, and expert knowledge.

Identifying Keys

  • Locate keys: decryption keys have high entropy, unlike most RAM content.

  • Key size is important for statistical testing; block ciphers use rounds of encryption.

  • The size of the high-entropy data block depends on the number of rounds (Nr) and the key size (Sk): (Nr + 1) * Sk.

  • For AES-256: (14 + 1) * 256, which is 3840 bits.

  • Statistical tests (Shannon Entropy, Runs, Chi-Square) identify high entropy regions.
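An added example (not from the lecture) of the entropy-based key search described above: a Python sliding-window Shannon entropy scan over a constructed sample dump. The 32-byte window, the 0.95 threshold factor and the sample contents are assumptions.

```python
import math
from collections import Counter

# Constructed sample dump (not a real memory image): a few ASCII strings as a
# process might leave them, zero padding, a table of small integers, and one
# fixed 32-byte high-entropy block standing in for key material.
KEY_OFFSET = 304
KEY = bytes.fromhex(
    "3a9f1c7e52d08b64e1f7a3c9d5b20e8fc7d4a6e1f3b9c80547c6a1d39e5b8f02"
)

def build_sample_dump() -> bytes:
    text = b"user=alice;host=lab-ws01;shell=/bin/bash;"          # constructed
    table = b"".join(i.to_bytes(4, "little") for i in range(40))  # 160 bytes
    head = (text + b"\x00" * 23 + table).ljust(KEY_OFFSET, b"\x00")
    tail = b"\x00" * 48 + text * 3 + b"\x00" * 64
    return head + KEY + tail

def shannon_entropy(block: bytes) -> float:
    """Bits per byte; a block of n < 256 bytes can reach at most log2(n)."""
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())

def scan_high_entropy(data: bytes, window: int = 32, step: int = 16):
    """Yield (start, end, entropy) for windows within 5% of the maximum entropy a
    window of this size can reach. Window 32 (AES-256 key length) is an assumption."""
    threshold = 0.95 * min(8.0, math.log2(window))
    for off in range(0, len(data) - window + 1, step):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            yield off, off + window, h

def merge_regions(hits):
    """Coalesce overlapping or touching windows into candidate key regions."""
    regions = []
    for start, end, h in hits:
        if regions and start <= regions[-1][1]:
            pstart, pend, ph = regions[-1]
            regions[-1] = (pstart, max(pend, end), max(ph, h))
        else:
            regions.append((start, end, h))
    return regions

def find_key_candidates(data: bytes, window: int = 32, step: int = 16):
    """Offsets worth a closer look; low-entropy text, padding and tables are skipped."""
    return merge_regions(scan_high_entropy(data, window, step))

if __name__ == "__main__":
    for start, end, h in find_key_candidates(build_sample_dump()):
        print(f"candidate at 0x{start:x}-0x{end:x}: {h:.3f} bits/byte")
```

Text and structured filler stay well below the threshold because a 32-byte ASCII window rarely contains more than about 20 distinct byte values, while the key block uses 30.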