Wednesday, January 14, 2009

Forensics: Live memory analysis

I just saw a link to this video on the Volatility blog and I wanted to share it here. Normally I try not to retread stuff that was just said somewhere else, but I also really want to hype up this video. If you've been wondering why the forensic community is putting more focus on live system analysis and specifically memory analysis then you should definitely watch this video.

In the video, the presenter touches on some of the stickier points of live system analysis, namely that some of the forensic hardliners disapprove. The main point of disapproval is that these tools will make changes to the system, and we try to avoid doing that. That is true and valid, but I've come to find that RAM contains artifacts so valuable that only a fool would throw it away.

Mike Murr, who taught a forensics class that I took a couple of years ago, talked about it briefly. I remember that he compared memory analysis to holding the shutter open on a camera. The resulting picture will be blurred in some places because things were changing while the film was being exposed. However, that doesn't mean that you can't get useful data from it. Imagine a courtroom, for example, where you've placed a camera in the back with the shutter open. When you develop the photo you're still going to be able to make out features of the room. You would know if there was an open window in the front, for example. You probably couldn't make out the faces of the jurors, but you could probably tell if there weren't 12 of them. So while you don't get an exact copy, and you've made some changes to the system, it is still a worthwhile effort.

So for my brethren in Higher Ed especially, please consider working memory analysis into your incident response plans. Even if you don't have the expertise to examine the image yourself, you can easily gather vital evidence that may be useful to law enforcement agencies if you ever need their help. Check out the video above, and then practice using tools like Win32DD to gather memory images.
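If the image may end up with law enforcement, the one step worth practicing alongside the acquisition itself is recording its integrity. The script below is an added example written for this post, not something from the video, from Win32DD, or from the Volatility project: it streams a SHA-256 over the image file, writes a small JSON manifest with the digest and acquisition context, and re-verifies the image against that manifest later so any change to the file after capture is detectable. The file names, the `tool` and `examiner` fields, and the constructed stand-in image in the `__main__` block are all assumptions.

```python
"""Integrity record for an acquired memory image.

Added example, not from the original post. After a tool such as Win32DD writes
an image, record a SHA-256 digest and acquisition metadata in a JSON manifest,
then re-verify the image before handing it over. File names, the tool label and
the examiner name are assumptions; the image in __main__ is constructed.
"""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time; memory images are large


def hash_image(path):
    """Return the SHA-256 hex digest of the file at `path`, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(image_path, manifest_path, tool, examiner):
    """Write a JSON manifest with digest, size and context; return the record."""
    p = Path(image_path)
    record = {
        "image": p.name,
        "size_bytes": p.stat().st_size,
        "sha256": hash_image(p),
        "tool": tool,                      # acquisition tool, as stated by the examiner
        "examiner": examiner,
        "recorded_on_host": socket.gethostname(),
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
    }
    Path(manifest_path).write_text(json.dumps(record, indent=2))
    return record


def verify_image(image_path, manifest_path):
    """Return (ok, reason); ok is True only if size and SHA-256 still match."""
    record = json.loads(Path(manifest_path).read_text())
    p = Path(image_path)
    if p.stat().st_size != record["size_bytes"]:
        return False, "size mismatch"
    if hash_image(p) != record["sha256"]:
        return False, "sha256 mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed stand-in for a real memory image so the script runs offline.
    workdir = Path(tempfile.mkdtemp())
    img = workdir / "memdump.raw"
    manifest = workdir / "memdump.raw.json"
    img.write_bytes(os.urandom(4 * CHUNK) + b"\x00" * 512)

    rec = write_manifest(img, manifest, tool="Win32DD", examiner="analyst")
    print(json.dumps(rec, indent=2))
    print(verify_image(img, manifest))        # (True, 'ok')

    # Flip two bytes in place: same size, different digest.
    with open(img, "r+b") as f:
        f.write(b"\xff\xff")
    print(verify_image(img, manifest))        # (False, 'sha256 mismatch')
```

The manifest is deliberately written to a separate file: keep it (and ideally a printed copy) apart from the image, because a manifest stored only next to the image can be rewritten together with it. Re-running `verify_image` at each hand-off gives a simple chain-of-custody check without needing any analysis expertise.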
