Digital Forensics

Live Cyber Forensics Analysis with Computer Volatile Memory

Forensics_analysis

Live Cyber Forensics Analysis with Computer Volatile Memory

Forensics analysis GBHackers

The field of computer Forensics Analysis involves identifying, extracting, documenting, and preserving information that is stored or transmitted in an electronic or magnetic form (that is, digital evidence).

orensics Analysis – Volatile Data:

  • The data that is held in temporary storage in the system’s memory (including random access memory, cache memory, and the onboard memory of system peripherals such as the video card or NIC) is called volatile data because the memory is dependent on electric power to hold its contents.
  • When the system is powered off or if power is disrupted, the data disappears.

How to Collect Volatile Data:

  • There are lots of tools to collect volatile memory for live forensics or incident response.In this, we are going to use Belkasoft live ram Capture Tool.
  • After the capture of live data of RANDOM ACCESS MEMORY, we will analyze with Belkasoft Evidence Center Ultimate Tool.

Acquisition of live Volatile Memory:

Run the tool as an administrator and start the capture.

ram captutre

Dump File Format:

After the successful capture of live Ram memory. The file is will be saved in .mem extension.

ram2 1

Evidence File Analyser:

Belkasoft Evidence Center Ultimate Tool to analyze volatile memory.

evidence1

As a forensic examiner or Incident Responder should record everything about physical device appearance, Case number, Model Number of Laptop or Desktop etc.

eve2

Click the Ram Image and enter the path of the .mem file which is live ram dump file.

Also Read Indicator Of Attack(IoA’s) And Activities – SOC/SIEM – A Detailed Explanation

Malicious Activites on the Public website

sql eve

In this above picture, the attacker is trying for SQL Injection on Public Website.

Anonymous Vpn

eve9

In this above figure attacker installed and executed Cyberghost Vpn for hiding the source ip address.

Mail Inbox

eve6

The attacker has logged on with some public mail servers, now forensic examiner able to read inbox emails.

Recent File Accessed

eve3

Attackers last accessed file directory paths. Forensics examiner will have priority to investigate this path for suspicious files.

Pictures

eve7

Recent Pictures downloaded from websites which will be stored in the cache memory.

There are many relatively new tools available that have been developed in order to
recover and dissect the information that can be gleaned from volatile memory.

This is a relatively new and fast-growing field many forensic analysts do not know or take the advantage of these assets.

Volatile memory may contain many pieces of information relevant to a forensic investigation, such as passwords, cryptographic keys, and other data.

article source

You can follow us on InstagramLinkedinTwitter & Reddit for daily Cybersecurity, Hacking news, and Hacking Tips & tricks updates

Take the DEMO FIRST then ENROLL

Your Information and data is 100% secure and private