This week we're talking about random access memory. I'll get more into analyzing random access memory in the practical session, but today I'll just tell you a little bit about what random access memory can do for us, what it is, how it helps us in our investigations, and a little bit about how it works. I normally say that RAM is one of the most valuable data sources that we can have in our investigations. That's because RAM contains information that has not been written to disk and also, potentially, information that will never be written to disk. As long as the computer is on, everything that's running in that system has to be stored in memory, or RAM. So it becomes very important for investigations, because think about all of the things that are running on your computer right now and how many of them relate to activities that you are doing. Almost everything we can see in RAM relates back to user activity, or we can say that somebody was doing something or running something because we're looking at RAM. The data in RAM comes from running programs, the operating system, network traffic, and obviously user activities and interactions with the system itself.

Random access memory works a lot like the hard drive: we write a file to the hard drive, which is a little bit slow, but we can still save data, and whenever we shut the computer down, data on the hard drive is still saved. With RAM, we write data to RAM just to be able to work with it, because it's very fast, and whenever we shut the computer down, everything that's in RAM is removed, cleaned out, deleted basically. The way that RAM works is also quite a bit similar to hard drives in the sense that whenever I write a file to the hard drive and later delete that file, Windows or whatever operating system just marks the file as deleted, but it keeps all of the data on the hard drive, where it can be overwritten later.
That's why we're able to recover some information from a hard drive. RAM works in very much the same way. Whenever I load a file into memory and then don't need that file anymore, the operating system just says, okay, this space is available, but it doesn't actually delete the data while the computer is on. So if I make a copy of memory, I can potentially recover most of the files that have been loaded into memory within a relatively short period of time. Since most people keep their laptops or computers on for quite a while, I might be able to recover a lot of old information that's been in the system. So, similar to the file system, data can persist for a long time in memory if it's not overwritten by the operating system, and RAM is commonly littered with old documents. These old documents are normally what we're interested in, depending on the type of case we're looking at. But all information in RAM is lost upon powering down the computer. This is the important thing. If the computer shuts off, then we lose everything in memory, and if we turn the computer back on, it doesn't really help us as much.

This means that if we want to actually collect RAM, it has to be done at the suspect's house, the victim's house, or the business that we're investigating. You have to actually collect this on scene, and the first responders are the ones that are going to have to collect this memory. We copy it pretty much the same way that we create a disk acquisition; we use very similar tools, and we'll talk about the tools a little bit later. So, looking for traces of evidence: traces of evidence in RAM could be things like the list of all running processes. All of the processes that are in RAM, everything that's running, we can potentially recover that list, and that's really useful, for example, for malware analysis.
When analyzing malware, sometimes the malware attempts to hide its processes, but if we can get a copy of RAM, we can potentially recover all of the processes that are currently running. Process information, all of the drivers that are loaded: again, with malware, if it's loading other software or loading drivers, or some webcam driver was loaded or something like that, we can see what drivers have been loaded. We can also get malware that's resident in memory only. Some types of malware do not write themselves to disk, because then they might be detected by an antivirus, so they are only resident in memory and they just try to re-infect systems over and over again. Strings, basically keywords or words that are in memory: these are things like passwords or cryptographic keys. Think about your computer: you type in your username and password. Whenever you type in your username and password, all of that information has to go to RAM for the computer to be able to work with it. So if we're dealing with a suspect system and we make a copy of memory, we may be able to recover different usernames, passwords, or any kind of hidden information or information input into, for example, fields or boxes. Command line information: if your suspect is using the command line and they clear out their command line history, we can still potentially recover some of the commands that have been run and some of the connections that have been made if we're looking at RAM. Start dates, start times and starting users; data from open files, which I'll talk about in a second; keystrokes, which I've already talked about; usernames and passwords. One of the most important, and one that I use a lot, is unencrypted data from encrypted disk sources.
If our hard drive is encrypted, or we have an encrypted file, and the suspect or potentially the victim opened up that file, then whenever they open it, all of the data is unencrypted in memory, and that's how they access it, even though we can't get access to the encrypted disk itself. If I open up something like a zip file on an encrypted disk, for example, all of the files inside have to be put into memory so I can access them. So everything that I open up that might be encrypted on the hard drive, we can potentially recover from RAM in its unencrypted form, but only if we can recover RAM and they haven't shut down the computer, things like that. Data or information that might be resident on the hard drive but that we won't be able to get access to, or that will be very difficult to get access to, can be available in RAM much, much more easily.

Open file handles, and also latent files in RAM that have been wiped from disk. Very similar to the encrypted files: maybe I had illegal pictures on my hard drive and I opened them up to look at them, and then I knew the police were coming, so I deleted the images. Well, because I opened them up, they're now resident in memory, and whenever I delete them from the hard drive, they're deleted only from the hard drive and not from RAM. They might be overwritten in RAM depending on how long it took, but I can still potentially recover fragments of the image, or potentially all of the image, if I have a copy of RAM. So again, there's a lot of information that we might be able to get from RAM that's no longer resident on the hard drive.

Now some limitations of acquiring RAM. First off, the process of imaging memory changes the contents of memory. We can only take a copy of memory while the computer is on, so that means that we have to actually interact with the computer, and we have to load a program onto the computer, which loads the program into the RAM that we're trying to copy.
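To make the two recovery ideas above concrete (strings such as commands and typed credentials still sitting in memory, and a deleted picture that is gone from disk but still in RAM), here is an added example that is not part of the lecture or its tools. It builds a small constructed "memory dump" with those artefacts planted at known offsets, then runs the kind of basic analysis the course later calls data recovery and string searching: a printable-string scan in both ASCII and UTF-16LE (Windows keeps much user-facing text in UTF-16LE, which a plain ASCII search misses) and a signature carve for JPEG fragments. The dump contents, the hypothetical command, the credential string and the JPEG stub are all constructed for the example.

```python
import re

# Constructed sample "memory dump" (not a real capture): non-text filler
# with a few artefacts planted in it, the kind of thing the lecture says
# can survive in RAM after it is gone from disk.
FILLER = b"\x00\xff\x01\xfe" * 512                                  # 2 KiB, no printable runs
ASCII_CMD = b"net use \\\\fileserver\\share /user:alice\x00"        # a cleared shell command (constructed)
UTF16_SECRET = "S3cretPassw0rd".encode("utf-16-le") + b"\x00\x00"   # text typed into a Windows dialog (constructed)
JPEG_FRAGMENT = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"  # a deleted picture (stub)


def build_sample_dump() -> bytes:
    """Assemble the constructed dump; offsets are deterministic (FILLER is 2048 bytes)."""
    return FILLER + ASCII_CMD + FILLER + UTF16_SECRET + FILLER + JPEG_FRAGMENT + FILLER


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for printable runs of at least min_len characters.

    Both ASCII and UTF-16LE are scanned, because a Windows dump stores many
    user-visible strings as UTF-16LE where every other byte is 0x00.
    """
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def carve_jpegs(data: bytes):
    """Carve JPEG candidates by header (FF D8 FF) and end-of-image marker (FF D9).

    This is signature carving only: a fragment whose tail has already been
    overwritten is missed, which is the "depends on how long it took" caveat.
    """
    carved = []
    pos = 0
    while True:
        start = data.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = data.find(b"\xff\xd9", start + 3)
        if end < 0:
            break
        carved.append((start, data[start:end + 2]))
        pos = end + 2
    return carved


def search_keywords(data: bytes, keywords):
    """Case-insensitive keyword hits across both encodings, as (keyword, offset, encoding)."""
    hits = []
    strings = extract_strings(data)
    for kw in keywords:
        for off, enc, text in strings:
            if kw.lower() in text.lower():
                hits.append((kw, off, enc))
    return hits


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, enc, text in extract_strings(dump):
        print(f"{off:#010x} {enc:8} {text}")
    for off, blob in carve_jpegs(dump):
        print(f"JPEG candidate at {off:#010x}, {len(blob)} bytes")
    print(search_keywords(dump, ["passw", "/user:"]))
```

Running it against a real image means replacing `build_sample_dump()` with the bytes of the acquired file, read in chunks rather than all at once for a multi-gigabyte dump; the scan itself is the same, and a keyword list built from the case (usernames, file names, URLs) is what turns the raw string output into leads.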
This is very, very different from a hard drive. With hard drives, we're using write blockers, and we can get an image of a hard drive without modifying any data. With RAM, the data is always changing, and we have to change a little bit of the data to be able to copy everything. The implication for the courts is that it's much more difficult to prove to the courts that we've followed the correct processes whenever we're doing what's called live data forensics, or RAM acquisition. So you have to have really good documentation about how you collected RAM, why you collected RAM, and all of the processes that you went through to be able to actually get an acquisition. We'll talk about that and how to document it properly.

The contents of memory are changing while the imaging process is running, because we're running a program and the computer's still on, so the operating system is also changing RAM all the time. With a hard drive, we would start by taking a hash of the original disk. But RAM is always changing, so that first hash is completely worthless to us. We can only take a hash of memory once we've acquired an image file; then we can hash the image file that we collected. So the implication is that RAM dumps cannot be verified, at least not in a very straightforward way. All of our verification comes from documentation.

The memory image is the same size as the amount of physical memory installed on the system. We normally don't image RAM in some sort of compressed format, though we can compress it later if we need to save space. Unless you're dealing with servers, most desktops are only going to have about 16 gig, maybe 20 gig of RAM in them. Server systems will have a lot more, so we approach servers and corporations a little bit differently. We'll talk about that as well. Memory imaging can be slow, but it's not nearly as slow.
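The point above, that the only hash worth taking is the hash of the image file you produced and that everything else rests on documentation, is easy to get wrong in the field. The following is an added example, not code from the lecture or from any of the imaging tools it names: it hashes an acquired image in chunks (a full RAM image is the size of installed memory, so it cannot be read into memory at once), records the size check against the installed RAM, writes the who/what/when/why into a JSON record next to the image, and re-verifies later to show a modified image being caught. The image contents, the tool name, the operator and the expected RAM size are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_image(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash the acquired image file in chunks; a RAM image can be many GiB."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_acquisition(image_path: str, expected_ram_bytes: int,
                       tool: str, operator: str, notes: str) -> dict:
    """Build the acquisition record: digests of the image file (never of live
    memory), the size check against installed RAM, and the documentation
    that the lecture says carries the verification."""
    size = os.path.getsize(image_path)
    record = {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "image": os.path.basename(image_path),
        "size_bytes": size,
        "expected_physical_ram_bytes": expected_ram_bytes,
        "size_matches_physical_ram": size == expected_ram_bytes,
        "tool": tool,
        "operator": operator,
        "notes": notes,
        **hash_image(image_path),
    }
    with open(image_path + ".acquisition.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path: str, record: dict) -> bool:
    """Re-hash the image later (for example in the lab) and compare with the record."""
    current = hash_image(image_path)
    return current["md5"] == record["md5"] and current["sha256"] == record["sha256"]


def demo() -> dict:
    """Constructed walk-through: a 1 MiB fake image is recorded and verified,
    then one byte is flipped to show the verification catching the change."""
    fake_ram = 1 << 20                      # pretend the box had 1 MiB installed (constructed)
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "suspect-laptop.mem")   # hypothetical file name
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * (fake_ram // 256))
        rec = record_acquisition(image, fake_ram, "hypothetical-imager 1.0", "examiner-1",
                                 "constructed example; live system, admin session")
        before = verify_image(image, rec)
        with open(image, "r+b") as f:       # alter one byte, as if the image were tampered with
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
        after = verify_image(image, rec)
    return {"size_ok": rec["size_matches_physical_ram"], "verified_before": before,
            "verified_after_tamper": after, "sha256": rec["sha256"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The size check is recorded rather than enforced on purpose: a mismatch is something to explain in the notes (for instance, what the imaging tool does with reserved address ranges), not a reason to discard the only copy of memory you will ever get from that machine.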
The thing to think about here is that you're a first responder going into the suspect's house, or maybe a business, and if you want to collect RAM from an average system now, it's going to take you anywhere from maybe 10 minutes to 45 minutes. In some places, you might not want to be there for 45 minutes. So how you can get a copy of memory very, very fast is essentially the question. This comes down to the speed of your hard drives: where are you copying the data to, and how fast does that hard drive save data?

Windows Vista, 7, 8 and 10, OSX and Linux all require administrative privileges to access physical memory, so you have to have your admin password. On Windows systems, if it's already logged in, you can usually just click okay. But for OSX and Linux systems, you actually have to be able to log in as some sort of administrator user, which becomes very difficult because it's hard to get those credentials. For memory acquisition on Windows 2000, XP and 2003, we had user-level access, so we could essentially access RAM more or less directly; we didn't have to have any special permissions. For all of the newer versions of Windows, we do have to have special permissions. So if you're dealing especially with a business, you will have to have credentials and some sort of administrator helping you get those credentials.

It's also usually possible to use what's called FireWire, or IEEE 1394, interfaces to access up to four gigabytes of RAM directly from outside of the system. If I have a computer that has a FireWire interface, I can connect it to another computer, get access to four gig, and make copies of that four gig. Luckily, for most systems, if there's a password available in RAM, it's going to be in the first four gigs, so we've had a lot of success with getting into systems once we collect memory over FireWire like that. Although we're not seeing FireWire too much anymore, especially on PCs.
For OSX and Linux, the way that we accessed memory before, we could have direct access to all memory, which was very nice for us, but viruses also got direct access to memory, and that's how they stole a lot of information. So for the last maybe five years, OSX and Linux have really tightened up, so it's much more difficult for investigators to get copies of memory. Though we do have some tools, and we'll talk about one of them specifically today. With OSX and Linux systems, as long as there's a FireWire port (FireWire is a piece of hardware, so it has to be on the system itself), we can also use the same techniques to get direct memory access. For Linux systems, the driver for FireWire has to be loaded, but on most systems you can probably get at least some information out of it.

I have a little bit here about how RAM works. It's mostly for your reference, but I'll go through it really quickly anyway. Basically, the operating system is doing memory management: it controls how programs interact with memory and what space programs get. If I, for example, double-click on Microsoft Word, Microsoft Word wants to open up and show you a page that you can type in. Well, Microsoft Word essentially talks to the operating system and says, hey, I need some RAM because I need to run. The operating system finds an empty space in RAM that Microsoft Word can load into, and then it gives it the address. Then Microsoft Word loads into that space and can do whatever it wants with that limited area. Basically, it's just the program and the operating system working together to manage what things are in memory and what they can and can't access. All of this is handled by what's called the kernel. The kernel is basically the brain of the operating system, and every operating system handles it a little bit differently, of course, but we don't really need to worry about that.
We do need to at least know, whenever we're doing our analysis, what the operating system was, the version of the operating system, whether it's 32-bit or 64-bit, as specific information as possible, because the data structures in RAM will be different depending on the operating system, the service pack of the operating system, 32-bit versus 64-bit, et cetera. So really, all you need to know to start with RAM analysis is what specifically the operating system is and what information we have from that. Once we copy it, we need that information to be able to analyze the RAM dump correctly.

Okay, so some tools to acquire RAM. Again, this is also pretty much for your reference. I will upload the tools that we're going to use to the classroom, but some of the more popular tools for Windows are FTK Imager, which we will use, X-Ways, Capture, WinIn, Win32DD and MDD, Helix Pro and of course FireWire. OSX is a little bit more difficult, like I said; the best program that I've found so far for OSX is Mac Memory Reader. The IEEE 1394 interface also works pretty well with Mac, but now most Mac systems have more than four gig of RAM. For Linux, we'll use LiME. Right now, that's probably the most reliable way to collect memory from Linux and Android devices. There's also something called the cold boot attack, which is essentially making the RAM really, really cold, then shutting down the computer, taking the RAM out and putting it in another computer as fast as possible, and copying it. I will give you a link to the paper that talks about that method. It does take some practice, but in some cases it can work pretty well.

The biggest obstacle we have with RAM acquisition and analysis is really screensavers: screensavers or lock screens, or just getting into the system in the first place, because we have to be able to run a program on the computer, so we have to be able to get in and access the computer with some administrative privileges.
There are a few different tools that I'll also link to that try to get around screensavers or try to access the system in different ways without shutting the computer down. Okay, so that's pretty much it for this week. I'll have some references for you online about direct memory access and how we can use it, how to get into systems that might be locked, and also a lot of tools that you can use for Windows, OSX and Linux to acquire RAM images. We'll also start a little bit on analysis, using first a very basic analysis that basically just does data recovery and string searching, and then a more advanced analysis using the Volatility tool. Thank you.