Mastering Windows Network Forensics and Investigation
Chapter 6: Live Analysis Techniques

Chapter Topics
Prepare a toolkit to acquire RAM from a live system
Identify the pros and cons of performing a live analysis
Finding Evidence in Memory
Hackers attempt to hide evidence of their activities
The traditional focus of LE forensics is the hard drive of the victim
Hackers have designed their toolsets around this philosophy by using code that will only execute in RAM
 –DLL injections
 –Hooks
IR Considerations
Pulling the plug will remove invaluable data from RAM
Keep interaction with the target to a bare minimum
Bring your own trusted tools!
Think before you act…then think again
Document everything
Creating a Live-Analysis Toolkit
Think about the reason for performing every action
Use only trusted and validated analysis tools
Request intimate details about the target system
 –OS?
 –Architecture? (32 vs 64 bit?)
Assume you have only one shot to capture volatile data correctly
RAM Acquisition Tools
DumpIt
 –Creates binary dump
 –Supports 32/64-bit
 –CLI
WinEN
 –Creates EnCase evidence file
 –Supports 32/64-bit
 –CLI
FTK Imager Lite
 –Creates binary dump
 –Supports 32/64-bit
 –GUI-based
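The toolkit principles above (trusted, validated tools; know the OS and architecture before you act; one shot at the volatile data; document everything) as an added PowerShell wrapper that is not part of the chapter. It assumes a toolkit on removable media at E:\IR with a constructed manifest.sha256 ("<sha256>  <filename>" per line), 32- and 64-bit builds of the acquirer in x86\ and x64\ subfolders, and PowerShell 4 or later on the target; the wrapper itself still runs on the target's own powershell.exe, which is recorded in the log as a known dependency.

```powershell
# Added example, not from the book. Verifies every tool against a known-good hash
# manifest, records OS/architecture, logs each step with a timestamp, runs one
# acquisition tool once, and hashes whatever image it produced.
param(
    [string]$ToolRoot = 'E:\IR',        # assumed: trusted removable-media toolkit
    [string]$OutDir   = 'E:\IR\out',    # assumed: output goes to the same media, never the target disk
    [string]$Acquirer = 'DumpIt.exe'    # assumed: per-architecture build under x86\ or x64\
)
$Log = Join-Path $OutDir ("live_{0}_{1:yyyyMMdd_HHmmss}.log" -f $env:COMPUTERNAME, (Get-Date))
function Write-Log([string]$Msg) {
    $line = "{0:o} {1}" -f (Get-Date), $Msg   # ISO 8601 timestamp for the case notes
    Add-Content -Path $Log -Value $line
    Write-Host $line
}
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
Write-Log "Operator: $env:USERNAME  Host: $env:COMPUTERNAME"
Write-Log ("Dependency: host PowerShell {0} at {1}" -f $PSVersionTable.PSVersion, (Get-Process -Id $PID).Path)

# 1. Validate the toolkit before trusting any of it; a mismatch aborts the run.
foreach ($entry in Get-Content (Join-Path $ToolRoot 'manifest.sha256')) {
    $expected, $name = $entry -split '\s+', 2
    $actual = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $ToolRoot $name)).Hash
    if ($actual -ne $expected.ToUpper()) { Write-Log "TOOL HASH MISMATCH: $name"; exit 1 }
    Write-Log "Verified $name $actual"
}

# 2. Record what is being touched: OS and architecture decide which build to run.
$os = Get-CimInstance Win32_OperatingSystem
Write-Log ("OS: {0} {1} arch: {2}" -f $os.Caption, $os.Version, $os.OSArchitecture)
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$tool = Join-Path $ToolRoot "$arch\$Acquirer"

# 3. One shot: run the acquirer from the output directory and time it.
Write-Log "Starting $tool (cwd $OutDir)"
$sw = [Diagnostics.Stopwatch]::StartNew()
$p  = Start-Process -FilePath $tool -WorkingDirectory $OutDir -Wait -PassThru
Write-Log ("Acquirer exit code {0} after {1}s" -f $p.ExitCode, [int]$sw.Elapsed.TotalSeconds)

# 4. Hash every image produced so the dump can be tied to this log later.
Get-ChildItem $OutDir -File | Where-Object { $_.Extension -in '.raw','.bin','.dmp','.E01' } |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        Write-Log ("Image {0} {1} bytes SHA256 {2}" -f $_.Name, $_.Length, $h)
    }
```

The manifest is built on the analyst's own workstation before the engagement, so a mismatch on scene means either a corrupted toolkit or a host you should not trust.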
RAM Analysis Tools
Volatility 2.0
 –Open source RAM analysis tool
 –Active network connections
 –Running processes
 –Loaded DLLs
Memoryze
Consider mounted encrypted volumes
Monitoring Communications
Network Sniffer
 –Analyze which IPs are engaged with victim systems
 –Which ports are being used
 –Network packet payload
Monitoring Communications
Network Port Scanner
 –Analyze which ports are open on the network
 –Determine what services are legitimate
Open Source Tools
 –Nmap