Memory Forensics

S Abhishek

·

Follow

2 min read

·

Jul 13, 2021

--

Listen

Share

Introduction

• When a Cyber Attack happens, in order to eliminate such sort of future attack, it’s very important to know how the security breach has had happened.
• This is done using Memory Forensics.

What Is Memory Forensics?

Memory forensics is the process of collecting memory dumps and analyzing them for evidence of how a cyber crime happened, to backtrack events that led to a successful security breach etc.

• This is usually done after a cyberattack, but cybersecurity specialists can also do this as a routine check-up for malicious injections that could be running in the system.
• Memory forensics is used to analyze the volatile data in a computer’s memory dump.

Importance of Memory Forensics

• Memory forensics provides the details of runtime system activity, recently executed commands or processes, account credentials, chat messages, encryption keys, running processes, injected code fragments, internet history, network connections, etc.
• All programs ( malicious or otherwise ) must be loaded in memory in order to execute, making memory forensics difficult.
• Memory Forensics is done in three phases as Retrieval, Analysis, and Documentation.

Memory Acquisition/Retrieval/Extraction

• The first part of memory forensics is the acquisition/retrieval phase where all the activities and the actions that were taken place in a computer are recorded in the system’s memory to see when and where the cyberattack began.

Example: Retrieving an airplane’s black box after a crash.

• The system’s memory is retrieved by performing a memory dump where data in a system’s RAM such as browsing history, chat messages, and clipboard contents, etc are read and transferred to a storage device.
• Retrieving RAM data is important since this is volatile data which means that when a computer is powered off, data is lost immediately.

Example: Your unsaved work will be lost if the computer lose power before it’s saved.

Evidence Analysis

• The second phase is memory analysis where the system’s memory dump is analyzed for the signs of malicious activities, hidden folders, and to retrieve deleted or encrypted files.

Documentation

• The last phase of memory forensics is the documentation phase where all pieces of evidence and significant activities discovered during memory analysis are thoroughly analyzed and a report is generated.

Conclusion

• When a cyber-attack happens, it’s crucial to know when and how it happened so vulnerabilities can be addressed and cybercriminals can be tracked down.
• If you’re worried about your cybersecurity, now is a good time to do your own memory forensics to see if you have been compromised.