Welcome back, everyone. Today we're going to be doing some very basic analysis of memory. So we've already collected memory, and here I have, let's see what we have here, I have this raw image, this dd or raw memory image, basically. And I don't necessarily know anything about it. I have it in my images folder and it's exhibit number two. So I have this memory image. Let's see how big it is: ls -lha. My forensic workstation that I'm working on is a Linux system, but all of the tools that we're using today can also be installed on a Windows system. I'll just be using them from the Linux command line.

Okay, so here we have exercise1.raw, and this is our memory image, and it's a one gigabyte memory image. Right now, I don't really know anything about it. There are a few tools we'll talk about later where we will actually go into what this memory image is. I'm gonna zoom in a little bit, sorry about that. Where we'll actually go in and talk about what this memory image is. But today I'm going to show you how to analyze this memory image if you don't know anything about it, so just doing a basic analysis. What can we get out of it?

So one thing that can be potentially interesting is, for example, looking at the data. We say, for example, cat, and that basically just reads all of the data, and we can use cat and exercise1.raw and this will print out, it will just display all of the data. Now some of this data is binary, so I wouldn't want to just cat exercise1.raw. Otherwise, it would just show a bunch of random stuff on my screen and it wouldn't be very useful for me. So I want to cat this into something a little bit more useful, so we can cat this into strings. So what I'm doing here is saying read all of the data from exercise1.raw, and then pipe, and then send all of that data from exercise1.raw into the program strings. And what strings does is what it sounds like: pulling out the strings from within all of that data, basically converting everything to a string and then trying to show you individual words or individual sentences that it finds in this data. So let's just run that real quick and see what we get.

Okay. So you'll notice a lot of these strings, like this one for example: strings detected this as a word, but it doesn't look like a real word. Here we have something that looks like a Blogspot web page. Okay, so "hacking GitHub with WebKit". I'm not really sure what this is, but we did find some kind of interesting stuff. Let's see, Reddit. Yeah, so we know now, just by looking at this, that this memory image contained somebody apparently downloading or using Reddit and potentially visiting Blogspots and hacking blogs, things like that. So now we might use that information to refine the keyword search that we want to use, and we will do that in a second. So I'm just looking around for anything else that might be interesting, but we can do a couple different things with this. One of the most common things that we tend to do... Okay, I don't see anything else immediately interesting, so I'm just going to go back down. One of the other things that we find that might be interesting to do (I'm not sure what this is, this might be a name actually) is basically take all of this data and then redirect the output into a dictionary file.

So if we ran this, we would get this dictionary file with all of the strings that are available in memory. Well, what kind of strings are available in memory? Things like passwords, for example. So if we were just going to, let's say we have to break the password on a suspect's computer, or we want to guess the password to a suspect's encryption or some sort of login or something like that. Well, if the suspect ever typed in their password on their computer, it might still be resident in memory. So if we dump all of the strings from memory, we might be able to get their password out of it, and a dictionary attack against passwords will be much faster than a brute force attack against their password. So we could potentially just dump all of these strings into a dictionary file and use that as a dictionary attack against some sort of encrypted folder or whatever they're trying to do.

We could also, what I kind of alluded to earlier, pipe the output of strings into a filter, a filtering program, and in this case we can do keyword searches. So here I can type grep, and grep is a tool for basically searching for keywords. So what we already found is, for example, let's say netsec. We already know that somebody was looking at netsec, so I want to find every instance of netsec, so I can just grep, oops, grep netsec. Right, so here I'm outputting all of exercise1.raw, piping all of that data into strings, and strings is coming up with all of these different strings, basically pulling out all those, and then we are searching those strings for the word netsec, and that should filter and we should get a lot less data. Now notice what's getting pulled out of here: a bunch of web pages. Right, so the text for web pages that was loaded into memory. So "locations" refers to some code basically related to netsec.

So here, yeah, so all of these: password cracking on Amazon EC2, all of these things we pulled out just very quickly, actually, from netsec. And it looks like our username for the computer is Andrew, so that could be interesting as well. So now we can go through, and this is kind of a very quick and easy way to do keyword searching over a memory dump. And there might be a couple reasons you do this, especially if you're doing an analysis of a user's computer. If we're doing malware analysis or something like that and we know some keywords potentially related to malware, we might use it, but this is mostly relevant for things like getting out potential passwords or hashes or things like that, or looking at different websites or keywords that were loaded into the system. Remember, everything in this memory dump has been loaded onto the computer. We could also potentially, in this case, look for times related to, I don't know, different activities that we know about.

Okay, so that's a little bit about keyword searching. We're just basically dumping, let me clear this out, we're just dumping all of the contents of exercise1.raw into strings and then filtering all of the strings results using some sort of keyword filtering device that we want. Okay, so that's a relatively easy way. Even if we don't know anything about exercise1.raw, that's a quick way to begin.

Okay, so next we are going to use the tool PhotoRec to try to carve out not only images but also files from this image. So photorec exercise1.raw, like we did before. And whenever I load it up, exercise1.raw is detected and it has 1024 megabytes, so that's the size of our memory image that I want, so then I can proceed. Exercise one is a memory image, so it does not have a partition, so partition information will show up as unknown because there is no partition in our memory image, just a reminder.

I'm going to go into file options, and before we had only selected JPEG, but for this memory image I'm going to go ahead and select everything. So I'm going to hit s for the default selection and it's basically going to select almost everything. Okay, so now it's going to try to carve out all of these different types of data structures from memory. Okay, so I'm going to click quit and go back. Now partition information: unknown, that's what I would expect, so then click search. And because it doesn't have a partition, it also does not have a file system, so I'm going to click other. And then we have to give it a place to save the data. So right now I'm in cases/001/images/002, so I'm going to go up two levels, so one, two levels, and I'm going to save all of this data into the temp folder. This is my working folder where I save any data that I have. So then I click c, and now it's trying to recover all of the data, and it recovered 2,916 files. So then I can click quit and I will go ahead and get out of PhotoRec.

Okay, so now we can go into the temporary folder, cases/001/temp, okay, and look in these recup_dir directories. And I get a lot of different files, and some of them are just text files. This actually looks like a valid text file of some type, probably to do with, I'm not sure, the kernel or something like that. And then there's some EXEs, because there were EXEs loaded into memory, there were DLLs loaded into memory, and I can scan all of these files now for viruses to see if any viruses were resident in memory. We can also do an analysis on each of these EXEs. Here I have a JPEG image, so I'm going to go ahead and open this up. It looks like there's a little bit of fragmentation, or it's a little bit corrupt, but we did recover part of the image. We had a CNN icon, so it looks like they might have gone to CNN. So now I can do a lot of different things with these files once I've extracted them out. If they're images, I can potentially see if those images' hashes match any known databases for, you know, illegal material or anything like that. If they're EXEs or DLLs, I can see if there's any virus; I can also scan them using a lot of different virus tools. So this is a way to be able to pull out a lot of information from the suspect memory, even if you don't necessarily know anything about the memory image.

So so far today we've talked about acquiring or getting information, basically doing keyword searching, building dictionaries and doing keyword searching over a memory image if you don't know anything about the memory image. You can just use cat and the memory image to get all of the strings out and then grep for whatever keywords you want, or just dump those strings into a dictionary file and use that. And then we also talked about using PhotoRec to extract different data structures from memory. So in this case I've just basically allowed all data structures, I didn't focus only on JPEGs, although I could, and we extracted all of the data structures in memory. And now we have a directory full of data that was loaded onto that computer that we can search for illegal content, for maybe encrypted data that was encrypted on the hard drive that was unencrypted in memory. We might be able to get an unencrypted copy of that data from memory, so all of those types of things. So this is a way to at least begin memory analysis, a relatively simple way to begin analyzing memory even if you don't necessarily know anything about the memory image. That's it for today. Thank you very much.
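The `cat image | strings | grep keyword` and `strings > dictionary` workflow from the video, re-implemented in Python as an added example (not code from the video). `FAKE_IMAGE` is a constructed byte blob standing in for exercise1.raw; the extra `extract_wide_strings` function covers the UTF-16LE text that Windows keeps in memory, which plain `strings` skips unless run with `-el`.

```python
"""Added example: minimal strings / grep / dictionary pass over a memory image."""
from __future__ import annotations
import re

# Constructed stand-in for a memory image: binary noise around a few ASCII
# fragments (web page text, a typed credential) and one UTF-16LE path of the
# kind Windows keeps in memory. Not real evidence.
FAKE_IMAGE = (
    b"\x00\x01\x7f\xfe" + b"reddit.com/r/netsec" + b"\x00\x00\xff"
    + b"<title>netsec - password cracking on EC2</title>" + b"\x90" * 5
    + b"ab\x01" + b"Hunter2!" + b"\x00\x00"
    + "C:\\Users\\andrew\\Desktop".encode("utf-16-le") + b"\x00\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, in image order
    (what `strings` prints by default)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def extract_wide_strings(data: bytes, min_len: int = 4) -> list[str]:
    """UTF-16LE runs (ASCII char followed by NUL), which plain `strings`
    misses; `strings -el` is the command-line equivalent."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def keyword_search(strings: list[str], keyword: str) -> list[str]:
    """Equivalent of `grep -i keyword` on the strings output."""
    kw = keyword.lower()
    return [s for s in strings if kw in s.lower()]


def build_dictionary(strings: list[str]) -> list[str]:
    """Equivalent of `strings image | tr ' ' '\\n' | sort -u`: split hits on
    whitespace so each word becomes a candidate, then dedupe and sort."""
    return sorted({w for s in strings if s for w in s.split()})


if __name__ == "__main__":
    ascii_strs = extract_strings(FAKE_IMAGE)
    print(keyword_search(ascii_strs, "netsec"))
    print(extract_wide_strings(FAKE_IMAGE))
    print(len(build_dictionary(ascii_strs)), "candidate words")
```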
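What PhotoRec does for the JPEG case in the video, reduced to a header/footer carver as an added example (not PhotoRec's code or the video's). `FAKE_IMAGE` is a constructed blob with one complete JPEG and one fragment cut off before its end-of-image marker, like the corrupt image recovered in the video; each carve is hashed with SHA-256 so it can be checked against a known-file hash set, which here is constructed from the carve itself.

```python
"""Added example: toy JPEG carver plus hash lookup over a constructed blob."""
from __future__ import annotations
import hashlib

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus the next marker's FF
EOI = b"\xff\xd9"       # JPEG end-of-image marker

# Constructed stand-in for a memory image: a complete JPEG header/footer pair,
# some unrelated text, then a JPEG fragment with no footer. Not real evidence.
FAKE_IMAGE = (
    b"\x00" * 8
    + b"\xff\xd8\xff\xe0" + b"JFIF\x00first" + b"\xff\xd9"
    + b"junk text"
    + b"\xff\xd8\xff\xe0" + b"JFIF\x00second half only"
)


def carve_jpegs(data: bytes) -> list[dict]:
    """One record per JPEG header found: offset, carved bytes, whether an EOI
    was found before the next header (or end of data), and the SHA-256."""
    records, pos = [], 0
    while True:
        start = data.find(SOI, pos)
        if start < 0:
            break
        nxt = data.find(SOI, start + len(SOI))
        limit = len(data) if nxt < 0 else nxt
        end = data.find(EOI, start, limit)
        if end < 0:                       # no footer: keep the fragment, flag it
            blob, complete = data[start:limit], False
        else:
            blob, complete = data[start:end + len(EOI)], True
        records.append({"offset": start, "data": blob, "complete": complete,
                        "sha256": hashlib.sha256(blob).hexdigest()})
        pos = start + len(blob)
    return records


def match_known(records: list[dict], known_hashes: set[str]) -> list[int]:
    """Offsets of carved files whose SHA-256 is in a known-file hash set
    (the database lookup the video mentions; the set here is constructed)."""
    return [r["offset"] for r in records if r["sha256"] in known_hashes]


if __name__ == "__main__":
    for r in carve_jpegs(FAKE_IMAGE):
        state = "complete" if r["complete"] else "fragment"
        print(f"offset {r['offset']:>6}  {len(r['data']):>5} bytes  {state}  {r['sha256'][:16]}")
```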