Memory Forensics
Jul 13, 2021
Introduction
- When a cyber attack happens, it is very important to know how the security breach happened, so that similar attacks can be prevented in the future.
- This is done using memory forensics.
What Is Memory Forensics?
Memory forensics is the process of collecting memory dumps and analyzing them for evidence of how a cyber crime happened, and to backtrack the events that led to a successful security breach.
- This is usually done after a cyberattack, but cybersecurity specialists can also do this as a routine check-up for malicious injections that could be running in the system.
- Memory forensics is used to analyze the volatile data in a computer’s memory dump.
Importance of Memory Forensics
- Memory forensics provides the details of runtime system activity, recently executed commands or processes, account credentials, chat messages, encryption keys, running processes, injected code fragments, internet history, network connections, etc.
- All programs (malicious or otherwise) must be loaded into memory in order to execute, which makes memory forensics difficult.
- Memory forensics is done in three phases: retrieval, analysis, and documentation.
Memory Acquisition/Retrieval/Extraction
- The first part of memory forensics is the acquisition/retrieval phase, where the activities and actions that took place on a computer, as recorded in the system's memory, are captured so that investigators can see when and where the cyberattack began.
Example: Retrieving an airplane's black box after a crash.
- The system's memory is retrieved by performing a memory dump, where the data in a system's RAM (browsing history, chat messages, clipboard contents, etc.) is read and transferred to a storage device.
- Retrieving RAM data is important because it is volatile data: when a computer is powered off, the data is lost immediately.
Example: Your unsaved work will be lost if the computer loses power before it is saved.
Evidence Analysis
- The second phase is memory analysis, where the system's memory dump is examined for signs of malicious activity and hidden folders, and to retrieve deleted or encrypted files.
Documentation
- The last phase of memory forensics is the documentation phase, where all pieces of evidence and significant activities discovered during memory analysis are thoroughly reviewed and a report is generated.
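The three phases above, carried through in code as an added example that is not part of the original post: a constructed byte string stands in for a captured memory dump (every string in it is made up), the dump is fingerprinted with SHA-256 at acquisition time so later analysis can prove it is working on the unaltered capture, printable ASCII and UTF-16LE runs are extracted and classified into artifact types (process names, URLs, file paths, IP:port pairs), and the findings are assembled into a report. The function names and the indicator patterns are this example's own choices, not a standard tool's API.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample "memory dump": a handful of artifacts embedded in filler
# bytes. It is not a real capture; every string in it is made up for this
# example. It holds a process name, a URL, a UTF-16LE file path (Windows keeps
# most strings in memory as UTF-16) and an IP:port pair.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"explorer.exe\x00"
    + b"\x01\x02\x80\x90\xff" * 4
    + b"http://updates.example-constructed.test/agent.bin\x00\x00"
    + "C:\\Users\\alice\\Documents\\report.docx".encode("utf-16-le")
    + b"\x00" * 8
    + b"10.0.0.5:4444\x00"
    + b"\xff" * 32
)

# Runs of at least four printable characters, in 8-bit ASCII and in UTF-16LE
# (each printable byte followed by a zero byte).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Artifact classes a first-pass triage report typically calls out.
INDICATOR_PATTERNS = {
    "urls": re.compile(r"https?://[^\s<>]+"),
    "ip_ports": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b"),
    "executables": re.compile(r"\b[\w.-]+\.exe\b", re.IGNORECASE),
    "file_paths": re.compile(r"[A-Za-z]:\\[^<>|\s]+"),
}


def acquisition_hash(dump: bytes) -> str:
    """Acquisition phase: fingerprint the dump immediately after capture."""
    return hashlib.sha256(dump).hexdigest()


def verify_integrity(dump: bytes, recorded_hash: str) -> bool:
    """Confirm the dump being analyzed is exactly the one that was acquired."""
    return hashlib.sha256(dump).hexdigest() == recorded_hash


def extract_strings(dump: bytes) -> List[str]:
    """Analysis phase: pull printable ASCII and UTF-16LE runs out of the dump."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(dump)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(dump)]
    return found


def find_indicators(strings: List[str]) -> Dict[str, List[str]]:
    """Classify extracted strings into the artifact types worth reporting."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATOR_PATTERNS}
    for s in strings:
        for name, pattern in INDICATOR_PATTERNS.items():
            hits[name].extend(pattern.findall(s))
    return hits


def build_report(dump: bytes, recorded_hash: str) -> Dict[str, object]:
    """Documentation phase: assemble the findings alongside the integrity check."""
    strings = extract_strings(dump)
    return {
        "dump_size_bytes": len(dump),
        "sha256": recorded_hash,
        "integrity_ok": verify_integrity(dump, recorded_hash),
        "string_count": len(strings),
        "indicators": find_indicators(strings),
    }


if __name__ == "__main__":
    recorded = acquisition_hash(SAMPLE_DUMP)
    for key, value in build_report(SAMPLE_DUMP, recorded).items():
        print(f"{key}: {value}")
```

The hash is taken once, at acquisition, and checked again before analysis: if the dump has been altered in between (even by a single appended byte) the report flags it, which is what makes the documented findings defensible. Note that the naive string scanner would splice a trailing ASCII character into a following UTF-16 string if the two were not separated by a null byte; on a real dump, expect such boundary noise and treat single-string hits as leads to confirm, not conclusions.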
Conclusion
- When a cyber-attack happens, it’s crucial to know when and how it happened so vulnerabilities can be addressed and cybercriminals can be tracked down.
- If you’re worried about your cybersecurity, now is a good time to do your own memory forensics to see if you have been compromised.