Digital Forensics

Memory forensics

What is memory forensics?

Commonly used modern computers, whether they run Windows, macOS or Linux, store and work on volatile data: data that changes constantly and that only persists while the system is powered on. The largest portion of volatile memory in a typical system is the RAM (Random Access Memory), physical modules fitted to the motherboard. Other components such as the CPU and GPU also contain a certain amount of memory used for their internal operations.

Considerations

If the digital investigator is tasked with preserving the memory of a system, the task should be approached carefully: the system containing the evidence is still active and must not be modified in any way that could affect the ongoing case. Because of the volatile nature of memory, memory acquisition is one of the most precarious steps in the digital forensics process. The data will be changed to some degree by the collection itself, since the acquisition tool has to run on the live system and occupies memory of its own. Continuous documentation of every step the investigator performs is therefore crucial to the integrity of the evidence. Note down all actions, timestamps and the tools (including their versions) used in the acquisition, and record a cryptographic hash of the resulting image so that the preserved copy can later be shown to be unchanged.

When to collect memory

Memory is collected to recover detailed information about what was happening on the suspect's computer at the time. While the system is running and the user is actively using applications and services, memory holds information about these processes. This may include the suspect's active logon sessions, running processes and malware, cloud service sessions, the plaintext of encrypted files that have been opened, encryption and cryptocurrency keys, and more. In general, memory should be collected while the suspect is using the application or service that is of particular interest to the case.

Memory acquisition

Acquiring computer memory usually involves copying the contents of memory at a specific point in time and storing the copy on another device or location for preservation. This is done with forensic acquisition tools available to the digital investigator. In some cases the system in question is running in a virtual environment, in which case we can ask the administrators for a snapshot or a clone of the running system and analyse the saved memory state without touching the guest. If the system is not a VM, as is most often the case, we have to check whether it is running or powered off. A system that is asleep usually still supplies power to its RAM and has active memory we can collect once it is woken. If the system is powered off, the contents of RAM are lost and cannot be collected, but we can still make an effort to locate a hibernation file or crash dumps on the disk.
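As an added example (not part of the original article, and deliberately naming no acquisition tool), the Python script below shows the documentation and preservation steps from the two sections above in practice: it hashes an acquired image in chunks, writes a timestamped chain-of-custody record as one JSON line, and later re-verifies the preserved copy against that record. The "image" it works on is 1 MiB of constructed filler, and the examiner and tool strings are placeholders to be replaced with the real values recorded during acquisition.

```python
import hashlib
import json
import os
import platform
import socket
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 4 * 1024 * 1024  # memory images are often many GiB; never read them whole


def hash_file(path, algorithms=("sha256", "md5")):
    """Return {algorithm: hexdigest} for a file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquisition_record(image_path, examiner, tool, notes=""):
    """Build one chain-of-custody entry for a freshly acquired memory image.

    All timestamps are UTC so entries made on different machines can be correlated.
    `tool` should hold the acquisition tool's name and version as used on the live system.
    """
    started = datetime.now(timezone.utc)
    digests = hash_file(image_path)
    finished = datetime.now(timezone.utc)
    return {
        "image": os.path.abspath(image_path),
        "size_bytes": os.path.getsize(image_path),
        "hashes": digests,
        "hash_started_utc": started.isoformat(),
        "hash_finished_utc": finished.isoformat(),
        "examiner": examiner,
        "acquisition_tool": tool,
        "hashing_host": socket.gethostname(),       # workstation on which the hash was computed
        "hashing_platform": platform.platform(),
        "notes": notes,
    }


def write_record(record, log_path):
    """Append the record as one JSON line; the log is only ever appended to."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")


def verify_image(image_path, record):
    """Re-hash the preserved copy and compare with the record; True if unchanged."""
    return hash_file(image_path, tuple(record["hashes"])) == record["hashes"]


def demo(workdir=None):
    """Walk through acquire -> record -> verify -> detect corruption on a constructed image.

    The 'image' is 1 MiB of filler written here for the demonstration, not real memory.
    Returns (record, verified_before_change, verified_after_change).
    """
    workdir = workdir or tempfile.mkdtemp(prefix="memacq_")
    image = os.path.join(workdir, "memory.raw")
    with open(image, "wb") as f:
        f.write(bytes(range(256)) * 4096)  # constructed filler, exactly 1 MiB
    record = acquisition_record(
        image,
        examiner="Examiner name (placeholder)",
        tool="acquisition tool name and version (placeholder)",
        notes="Constructed demonstration image, not evidence.",
    )
    write_record(record, os.path.join(workdir, "acquisition_log.jsonl"))
    intact = verify_image(image, record)
    # Simulate a single corrupted byte in the preserved copy, e.g. from a bad transfer.
    with open(image, "r+b") as f:
        f.seek(4096)
        original = f.read(1)
        f.seek(4096)
        f.write(bytes([original[0] ^ 0xFF]))
    tampered = verify_image(image, record)
    return record, intact, tampered


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2, sort_keys=True))
    print("verified before modification:", before)
    print("verified after one flipped byte:", after)
```

Two hashes are computed in a single pass because the image is read only once; a multi-gigabyte image should never be re-read per algorithm. The record is appended rather than rewritten so earlier entries cannot be silently altered, and the verification step is what lets an examiner show in court that the copy analysed later is the copy acquired.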

The hibernation file stores the current session on the hard drive so that the session can be resumed quickly by loading it back into RAM when the system is powered on again. On newer Windows versions the hibernation file is compressed, and when fast startup is enabled it may contain only the kernel session rather than the user's session; its header is also invalidated once the system has resumed, although much of the saved content can remain on disk. Crash dump files are generated when the system fails (often referred to as a "blue screen") to record the state of the system at that time. How much memory is written depends on the system settings: the default is a kernel memory dump that excludes user-mode process memory, but some systems are configured to write a complete memory dump containing the entire physical memory on crash.
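As an added example (not from the original article), the Python below classifies files found on a powered-off system's disk by their leading bytes, covering the hibernation file and crash dump cases above and also the ELF core format used for Linux kernel dumps. The signatures are the documented Windows values "PAGEDUMP"/"PAGEDU64" (kernel crash dump), "MDMP" (minidump), "hibr"/"HIBR" (hibernation file with a saved session) and "wake"/"WAKE" (hibernation file after resume), plus the ELF magic and e_type. The sample files it creates are constructed headers followed by zero filler, not real dumps, and the file-extension list in survey() is an assumption about typical names, not a rule.

```python
import os
import struct
import tempfile

# Header signatures recognized here. The list is illustrative, not exhaustive.
WINDOWS_CRASH_DUMP = {
    b"PAGEDUMP": "Windows kernel crash dump, 32-bit header",
    b"PAGEDU64": "Windows kernel crash dump, 64-bit header",
}
MINIDUMP = b"MDMP"                  # Windows minidump (normally a single user-mode process)
HIBER_ACTIVE = (b"hibr", b"HIBR")   # hibernation file holding a saved session
HIBER_RESUMED = (b"wake", b"WAKE")  # header invalidated on resume; body may still hold pages
ELF_MAGIC = b"\x7fELF"
ET_CORE = 4                         # ELF e_type value for core files


def identify_memory_artifact(path):
    """Classify a file by its first bytes and return (kind, detail).

    kind is one of: 'crash_dump', 'minidump', 'hibernation', 'hibernation_resumed',
    'elf_core', 'elf_other', 'unknown'. A raw memory image has no header at all, so
    'unknown' must not be read as 'not memory'."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        header = f.read(32)
    if header[:8] in WINDOWS_CRASH_DUMP:
        return "crash_dump", WINDOWS_CRASH_DUMP[header[:8]]
    if header[:4] == MINIDUMP:
        return "minidump", "Windows minidump; usually one process, not system memory"
    if header[:4] in HIBER_ACTIVE:
        return "hibernation", "hibernation file with a saved session"
    if header[:4] in HIBER_RESUMED:
        return "hibernation_resumed", (
            "hibernation header invalidated after resume; remaining pages may still be recoverable")
    if header[:4] == ELF_MAGIC and len(header) >= 18:
        endian = "<" if header[5] == 1 else ">"  # e_ident[EI_DATA]: 1 = little, 2 = big endian
        (e_type,) = struct.unpack(endian + "H", header[16:18])
        if e_type == ET_CORE:
            return "elf_core", "ELF core file, e.g. a Linux kdump vmcore or VM memory saved as ELF"
        return "elf_other", "ELF file that is not a core dump"
    return "unknown", f"no recognized header ({size} bytes); may be a raw image"


def survey(root, min_size=1024 * 1024):
    """Walk a (read-only mounted) disk image and report candidate memory artifacts.

    Files below min_size are skipped; genuine memory artifacts are large. Unknown
    files are kept only when their name suggests a memory dump (assumed extension list)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) < min_size:
                    continue
                kind, detail = identify_memory_artifact(path)
            except OSError:
                continue  # unreadable or vanished file; keep walking
            if kind != "unknown" or name.lower().endswith((".raw", ".mem", ".vmem", ".dmp", ".sys")):
                findings.append((path, kind, detail))
    return findings


def demo(workdir=None):
    """Write constructed sample files (header plus zero filler, not real dumps) and classify them."""
    workdir = workdir or tempfile.mkdtemp(prefix="memart_")
    filler = b"\x00" * 4096
    # Minimal ELF64 little-endian header: magic, class=2, data=1, version=1, padding, e_type=ET_CORE
    elf_core_header = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9 + struct.pack("<HH", ET_CORE, 0x3E)
    samples = {
        "hiberfil.sys": b"hibr" + filler,
        "hiberfil_after_resume.sys": b"WAKE" + filler,
        "MEMORY.DMP": b"PAGEDU64" + filler,
        "process.dmp": b"MDMP" + filler,
        "vmcore": elf_core_header + filler,
        "memory.raw": filler,
    }
    for name, content in samples.items():
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(content)
    return {os.path.basename(p): kind for p, kind, _ in survey(workdir, min_size=0)}


if __name__ == "__main__":
    for name, kind in sorted(demo().items()):
        print(f"{name:28s} {kind}")
```

Against real evidence, run survey() on a read-only mount of the disk image rather than on the live system, and treat a 'hibernation_resumed' result as worth carving even though the header says the file is stale: only the header is rewritten on resume, so the saved pages are frequently still present.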

Selecting a tool for memory acquisition depends on the case and on which output format you need. A simple online search lists several tools for both acquisition and analysis of memory images (dumps). Because tools vary, and the field of memory forensics in particular changes quickly, no tools are named in this article, as a precaution against deprecated and quickly outdated information. Whatever tool is chosen, test it beforehand on a system of the same operating system version and architecture as the target, prefer one with a small memory footprint, and write the image to external media rather than to the disk that is itself evidence.