Welcome back, everyone. Today we're going to be doing some very basic analysis of memory. We've already collected memory, and here I have a raw image, a dd or raw memory image, basically. I don't necessarily know anything about it. It is in my images folder, and it's exhibit number two. So I have this memory image, and let's see how big it is with ls -lha. My forensic workstation is a Linux system, but all of the tools we're using today can also be installed on a Windows system; I'll just be using them from the Linux command line. Okay, so here we have exercise1.raw, our memory image, and it's a one-gigabyte memory image. Right now I don't really know anything about it. There are a few tools we'll talk about later where we will actually go into what this memory image is (I'm going to zoom in a little bit, sorry about that), but today I'm going to show you how to analyze this memory image if you don't know anything about it. Just doing a basic analysis, what can we get out of it?

One thing that can be potentially interesting is, for example, looking at the data. We can say cat, which basically just reads all of the data, and run cat exercise1.raw, and this will just display all of the data. Now some of this data is binary, so I wouldn't want to just cat exercise1.raw, otherwise it would just show a bunch of random stuff on my screen, and it wouldn't be very useful for me. So I want to cat this into something a little bit more useful: we can cat this into strings. What I'm doing here is saying read all of the data from exercise1.raw, then pipe, and send all of that data from exercise1.raw into the program strings.
And what strings does is what it sounds like: it pulls out the strings from within all of that data, basically converting everything to a string, and then trying to show you individual words or individual sentences that it finds in this data. So let's just run that real quick and see what we get. Okay, so you'll notice a lot of these strings like this, for example: strings detects that this is a word, but it doesn't look like a real word. Here we have something that looks like a Blogspot web page. Okay, so "hacking GitHub with WebKit." I'm not really sure what this is, but we did find some kind of interesting stuff. Let's see, Reddit. Yeah, so we know now, just by looking at this, that this memory image contained somebody apparently downloading or using Reddit and potentially visiting Blogspot and hacking blogs, things like that. So now we might use that information to refine the keyword search that we want to use, and we will do that in a second. I'm just looking around for anything else that might be interesting. We can do a couple of different things with this; one of the most common things that we tend to do... Okay, I don't see anything else immediately interesting, so I'm just going to go back down.

One of the other things that might be interesting to do (I'm not sure what this is, this might be a name, actually) is basically take all of this data and redirect the output into a dictionary file. So if we ran this, we would get a dictionary file with all of the strings that are available in memory. Well, what kind of strings are available in memory? Things like passwords, for example. So let's say we have to break the password on a suspect's computer, or we want to guess the password to a suspect's encryption, or some sort of login, or something like that. Well, if the suspect ever typed in their password on their computer, it might still be resident in memory.
So if we dump all of the strings from memory, we might be able to get their password out of it, and a dictionary attack against passwords will be much faster than a brute-force attack against their password. So we could potentially just dump all of these strings into a dictionary file and use that for a dictionary attack against some sort of encrypted folder or whatever they're trying to do. We could also, as I kind of alluded to earlier, pipe the output of strings into a filtering program, and in this case we can do keyword searches. So here I can type grep, and grep is a tool for basically searching for keywords. What we already found is, for example, netsec: we already know that somebody was looking at netsec. So I want to find every instance of netsec, so I can just grep, oops, grep netsec. Right. So here I'm outputting all of exercise1.raw, piping all of that data into strings, and strings is coming up with all of these different strings, basically pulling all those out, and then we are searching those strings for the word netsec. That should filter, and we should get a lot less data. Now notice what's getting pulled out of here: a bunch of web pages, right? So the text for web pages that was loaded into memory. So "locations" refers to some code basically related to netsec. So here, yeah, all of these, "password cracking on Amazon EC2," all of these things we pulled out very quickly, actually, from netsec. And it looks like our username for the computer is Andrew, so that could be interesting as well. So now we can go through, and this is a very quick and easy way to do keyword searching over a memory dump. And there might be a couple of reasons you do this, especially if you're doing an analysis of a user's computer; if we're doing malware analysis or something like that, and we know some keywords potentially related to malware, we might use it.
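The cat, strings, grep and dictionary-file steps described above, wrapped into a small script. This is an added example and not part of the lecture; the image path and keywords are supplied by the caller, and the script name memstrings.sh is hypothetical. It adds one thing the plain strings pass in the lecture does not cover: memory from a Windows host holds a lot of its text (paths, URLs, window titles, typed input) as UTF-16LE, which strings only reports when asked with -e l, so both passes are made.

```shell
#!/bin/sh
# Added example, not from the original lecture: the "cat image | strings | grep"
# workflow as reusable functions, plus a wordlist builder for dictionary attacks.
# Assumptions (illustrative only): the image path and keywords come from the caller.
# Usage: ./memstrings.sh exercise1.raw netsec reddit      (script name is hypothetical)

# Byte-oriented, locale-independent text handling; a memory image is not UTF-8 text.
export LC_ALL=C

MIN_LEN=${MIN_LEN:-6}   # shorter "strings" are mostly noise in a memory image

# Emit printable strings from a binary image. GNU strings only scans for 7-bit
# text by default and skips UTF-16LE entirely, so a second pass with -e l is
# run. Falls back to a tr-based ASCII-only extractor if GNU binutils is absent.
extract_strings() {
    img=$1
    if strings --version 2>/dev/null | grep -q GNU; then
        strings -a -n "$MIN_LEN" "$img"        # 7-bit ASCII strings
        strings -a -n "$MIN_LEN" -e l "$img"   # UTF-16 little-endian strings
    else
        tr -c '[:print:]' '\n' < "$img" | grep -E ".{$MIN_LEN,}"
    fi
}

# Case-insensitive keyword search over the extracted strings. Takes the image
# and one or more keywords; prints each distinct matching string once.
keyword_search() {
    img=$1
    shift
    pattern=$(printf '%s|' "$@")
    pattern=${pattern%|}                       # drop the trailing "|"
    extract_strings "$img" | grep -iE "$pattern" | sort -u
}

# Build a deduplicated wordlist for a dictionary attack: split every string on
# whitespace, keep tokens of plausible password length, one candidate per line.
# Prints the number of candidates written to the output file.
build_wordlist() {
    img=$1
    out=$2
    extract_strings "$img" \
        | tr -s '[:space:]' '\n' \
        | grep -E '^.{6,64}$' \
        | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# Command-line use: image first, then keywords. The wordlist lands next to the image.
if [ "$#" -ge 2 ]; then
    img=$1
    shift
    keyword_search "$img" "$@"
    printf 'wordlist: %s candidates\n' "$(build_wordlist "$img" "${img%.*}.dict")"
fi
```

The leading cat in the lecture is not needed: strings reads the file directly, with the same result. The wordlist can be fed straight to john --wordlist=exercise1.dict or hashcat -a 0 against whatever hashes or encrypted container the case turns up; expect the candidate count to run into the hundreds of thousands for a 1 GB image, which is still far smaller than any brute-force keyspace.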
But this is mostly relevant for things like getting out potential passwords or hashes, or looking at different websites or keywords that were loaded into the system. Remember, everything in this memory dump has been loaded onto the computer. We could also potentially, in this case, look for times related to, I don't know, different activities that we know about. Okay, so that's a little bit about keyword searching. Let me clear this out. We're just dumping all of the contents of exercise1.raw into strings, and then filtering all of the strings results using some sort of keyword filter that we want. Okay, so that's a relatively easy way, even if we don't know anything about exercise1.raw; that's a quick way to begin.

Okay, so next we are going to use the tool PhotoRec to try to carve out not only images but also other files from this image. So: photorec exercise1.raw, like we did before. And when I loaded up exercise1.raw, it was detected and it has 1024 megabytes, so that's the size of our memory image that I want. So then I can proceed. Exercise1 is a memory image, so it does not have a partition; the partition information will show up as unknown because there is no partition in our memory image. Just a reminder, I'm going to go into File Opt. Before, we had only selected JPEG, but for this memory image I'm going to go ahead and select everything, so I'm going to hit s for the default selection, and it's basically going to select almost everything. Okay, so now it's going to try to carve out all of these different types of data structures from memory. Okay, so I'm going to click Quit and go back; now partition information is unknown, which is what I would expect. So then click Search. And because it doesn't have a partition, it also does not have a file system, so I'm going to click Other. And then we have to give it a place to save the data.
Right now I'm in cases/001/images/002, so I'm going to go up two levels, one, two, and I'm going to save all of this data into the temp folder. This is my working folder, where I save any data that I have. So then I press C, and now it's trying to recover all of the data. And it recovered 2,916 files. So then I can click Quit, and I will go ahead and get out of PhotoRec. Okay, so now we can go into the temporary folder, cases/001/temp, and look in these recup_dir directories, and I get a lot of different files. Some of them are just text files. This actually looks like a valid text file of some type, probably to do with the kernel or something like that. And then there are some EXEs, because there were EXEs loaded into memory, and there were DLLs loaded into memory. I can scan all of these files now for viruses to see if any viruses were resident in memory. We can also do an analysis on each of these EXEs. Here I have a JPEG image, so I'm going to go ahead and open this up. It looks like there's a little bit of fragmentation, or it's a little bit corrupt, but we did recover part of the image. We had a CNN icon, so it looks like they might have gone to CNN. So now I can do a lot of different things with these files once I've extracted them. If there are images, I can potentially see if those images' hashes match any known databases for, you know, illegal material or anything like that. If they're EXEs or DLLs, I can see if there's any virus; I can also scan them using a lot of different virus tools. So this is a way to pull out a lot of information from the suspect's memory, even if you don't necessarily know anything about the memory image. So far today, we've talked about acquiring or getting information, basically doing keyword searching, building dictionaries, and doing keyword searching over a memory image.
If you don't know anything about the memory image, you can just use cat on the memory image to get all of the strings out, and then grep for whatever keywords you want, or just dump those strings into a dictionary file and use that. And then we also talked about using PhotoRec to extract different data structures from memory. In this case, I basically allowed all data structures; I didn't focus only on JPEGs, although I could. And we extracted all of the data structures in memory, and now we have a directory full of data that was loaded onto that computer, which we can search for illegal content, or for maybe encrypted data that was encrypted on the hard drive but was unencrypted in memory; we might be able to get an unencrypted copy of that data from memory. So all of those types of things. This is a way to at least begin memory analysis, a relatively simple way to begin analyzing memory, even if you don't necessarily know anything about the memory image. That's it for today. Thank you very much.
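Following on from the PhotoRec carving and the hash-matching and virus-scanning ideas raised earlier: an added example, not part of the lecture, that inventories the recup_dir.N folders PhotoRec wrote into the output directory (cases/001/temp in the lecture) and checks every carved file against a known-hash list. The list format assumed here, one hex SHA-256 per line with optional extra columns after it, is an assumption for this example; real hash sets ship in their own formats and may use other algorithms.

```shell
#!/bin/sh
# Added example, not from the original lecture: triage files PhotoRec carved
# out of a memory image. PhotoRec writes its results into numbered recup_dir.N
# folders under the chosen output directory; everything else there is ignored.
# Assumption: the known-hash list holds one lowercase or uppercase hex SHA-256
# per line, optionally followed by further whitespace-separated columns.
export LC_ALL=C

# One line per carved file: sha256, size in bytes, extension, path. Sorted by
# extension, then size (largest first), so EXEs, DLLs, images and text files
# land next to each other for review.
inventory_carved() {
    outdir=$1
    find "$outdir" -type f -path '*/recup_dir.*/*' | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        base=${f##*/}                            # strip directories first: the
        ext=${base##*.}                          # "recup_dir.1" dot must not count
        [ "$ext" = "$base" ] && ext=none         # carved file without an extension
        printf '%s %s %s %s\n' "$sum" "$size" "$ext" "$f"
    done | sort -k3,3 -k2,2nr
}

# How many carved files of each type, as "ext count" lines.
count_by_ext() {
    inventory_carved "$1" | awk '{ n[$3]++ } END { for (e in n) print e, n[e] }' | sort
}

# Compare each carved file's hash against the known list; print "sha256 path"
# for every hit. Works the same for a known-bad set (malware, contraband) or a
# known-good set used to discard uninteresting files.
match_known_hashes() {
    outdir=$1
    known=$2
    inventory_carved "$outdir" | awk -v known="$known" '
        BEGIN {
            while ((getline line < known) > 0) {
                split(line, col, /[ \t\r]+/)     # first column is the hash
                if (col[1] != "") seen[tolower(col[1])] = 1
            }
        }
        ($1 in seen) { print $1, $4 }'
}

# Command-line use: PhotoRec output directory, then the hash list.
if [ "$#" -eq 2 ]; then
    count_by_ext "$1"
    match_known_hashes "$1" "$2"
fi
```

The inventory doubles as the manifest for the carved set, and the EXE and DLL lines are the ones to hand to an antivirus pass such as clamscan -r over the same directory. Carved files are often truncated or fragmented, as the CNN icon in the lecture was, so a hash miss does not clear a file; a hit on a partial file is still meaningful because the carved bytes matched exactly.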