Computer Forensics
Written by Rich Cummings   

COMPUTER FORENSICS
Detecting, Analyzing, and Reporting On Evidentiary Artifacts
Found in Computer Physical Memory

FORENSIC INVESTIGATIONS seek to uncover evidence and then analyze it in order to gain a full understanding of a crime scene, the motives of the perpetrator, or the criminal’s identity. As computers and the Internet have become ubiquitous in our daily lives, the cyber realm increasingly contains potential evidence for all types of criminal investigations.

Traditional cyber forensics have focused on “dead-box” analysis, but there is an emerging methodology for “live-box” analysis—a technique that preserves and harvests vital evidence from a computer’s physical memory, also referred to as random-access memory (RAM) or volatile memory.

The importance of computer forensics

Computer forensic investigation techniques are not only useful for solving cyber crimes such as computer hacking or child pornography, but they also have helped to solve other crimes like murder, terrorism, organized crime, tax evasion, drug smuggling, extortion, and robbery cases. In fact, computer forensics played a pivotal role in a number of high-profile cases such as the Laci Peterson murder and the BTK serial-murder cases.

Computers can store vast amounts of information: e-mail messages and e-mail addresses, contact lists, pictures, financials, research, videos, Internet history, and phone numbers—and all of these things can provide information about people’s habits and interests.

Computer forensic investigations are structured much like any traditional law-enforcement investigation. Highly trained individuals follow a specific computer forensic methodology with standard operating procedures to efficiently gather potential evidentiary artifacts from the crime scene. The work must be forensically sound: minimally invasive, documented, and repeatable, so that the collected data can be used as evidence in a court of law.

Why is computer forensics increasingly important? Computer crime is here to stay and is increasing rapidly. Cyber criminals are not just hackers looking for street credibility. Many of them are professionals motivated by financial gain and targeted espionage. The Federal Bureau of Investigation (FBI) estimates that cyber crime costs more than $100 billion per year.

The FBI has a cyber mission to stop those behind computer intrusions, to identify online sexual predators who exploit children, to counteract operations that target the United States’ intellectual property, and to dismantle organized criminal enterprises engaging in Internet fraud. Police departments all over the United States have units that are dedicated to investigating computer crimes. Businesses and governments have computer-incident response teams whose missions are to understand the computer-network intrusions and to minimize their damage while bolstering network defenses.

Fighting these new breeds of cyber criminals is often an uphill battle. Law enforcement and computer security professionals within businesses and governments are literally in an arms race against tech-savvy criminals who use advanced technologies to thwart or defeat computer forensic investigations. The bad guys infiltrate computers and install their own malicious code (which is referred to as malware) in order to log keystrokes and steal intellectual property. Their sophisticated methods use anti-detection, anti-forensics, in-memory malware, encrypted software, and other techniques to cover their digital tracks and defeat traditional security and dead-box forensics.


It is easy to preserve a copy of physical memory on a Windows computer system. In this screen capture, fdpro.exe was used to create a physical memory image from a Windows XP SP3 machine.

Computer forensic investigations should involve both dead-box and live-box analysis

Conventional computer investigations collect, preserve, and analyze computer hard drives and media such as USB drives, floppy disks, zip drives, and optical media (CDs and DVDs). Since investigators typically “pull the plug” on the computer system prior to acquiring an exact copy of the hard drive, this particular methodology is referred to as dead-box forensics—a technique that analyzes the data at rest. The technique has not changed much over the last 15 years and is still widely used today.

In addition to data that is stored on disks and other external media, every running computer has a storehouse of data located in the computer’s main memory, or RAM. This consists of 1 to 4 gigabytes (or more) of information that is often overlooked. To put this into perspective, consider this: Discarding 4 gigabytes of RAM would be like throwing away 1 million pages of single-spaced printed text. There is also this point to consider: RAM contains data that is not found on the disk.

The technique known as live-box forensics gives investigators access to the entire running system, including the volatile information contained in the memory chips (RAM) and whatever is on the live hard drive. A computer’s volatile information—the data that is contained in the memory chips—is lost when you remove power from the system or shut down the computer.
The information found in memory includes user names and passwords, encryption keys, instant-messenger chat sessions, unencrypted data, open documents and e-mails, hidden code like rootkits, registry information, and other critical evidence. All of this data can help provide contextual information about the target subject’s activity on the computer.

Unfortunately, much of this information is calculated at runtime, exists only in memory, and will not be available to an analyst who is performing conventional dead-box forensics.

When investigating a murder case, the investigator will want access to the encrypted folders and files on the suspect’s hard drive. When working a financial-fraud case involving insider trading, it makes practical sense to get access to the suspect’s instant messages that are purposely not stored on the hard drive. For a terrorism case, the investigator will want to preserve the e-mail addresses and phone numbers stored in memory but not on the hard drive. Live-box analysis can provide all of these capabilities.
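The artifacts described above (e-mail addresses, phone numbers, URLs) can be carved out of a raw memory image without reconstructing any operating-system structures. The following scanner is an added example written for this article; it is not code from the original page or from any vendor tool. One detail worth knowing: Windows keeps much of its user-visible text in UTF-16LE, so a scanner that only looks for ASCII strings misses a large share of what is in memory. This example decodes both. The sample image is constructed inline for demonstration.

```python
"""Carve e-mail addresses, phone numbers and URLs from a raw memory image.

Added example for this article (not from the original page or from any
HBGary product). Windows stores many user-visible strings as UTF-16LE, so a
scanner that only looks for ASCII misses them; this one handles both.
"""
import re

# Constructed sample image: null padding, an ASCII e-mail and URL, then the
# same kinds of artifacts stored as UTF-16LE (the encoding Windows uses
# internally), followed by filler bytes.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"From: alice@example.org  see http://intranet.example/login\x00"
    + b"\x00" * 8
    + "Call 555-867-5309 or bob@example.net".encode("utf-16-le")
    + b"\xff" * 8
)

PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url":   re.compile(rb"https?://[A-Za-z0-9./?=_%:-]+"),
    "phone": re.compile(rb"\b\d{3}-\d{3}-\d{4}\b"),
}


def _utf16le_runs(data, min_len=4):
    """Yield (offset, ascii_bytes) for runs of printable UTF-16LE characters."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), m.group()[::2]   # drop the interleaved null bytes


def carve(image):
    """Return sorted (offset, kind, value, encoding) tuples found in the image."""
    hits = set()
    runs = list(_utf16le_runs(image))
    for kind, pat in PATTERNS.items():
        # View 1: the raw bytes, which catches ASCII/ANSI strings.
        for m in pat.finditer(image):
            hits.add((m.start(), kind, m.group().decode("ascii"), "ascii"))
        # View 2: each decoded UTF-16LE run, mapped back to its byte offset
        # (two bytes per character, hence 2 * m.start()).
        for base, run in runs:
            for m in pat.finditer(run):
                hits.add((base + 2 * m.start(), kind,
                          m.group().decode("ascii"), "utf-16le"))
    return sorted(hits)


if __name__ == "__main__":
    for off, kind, val, enc in carve(SAMPLE_IMAGE):
        print(f"0x{off:08x}  {enc:8}  {kind:5}  {val}")
```

Run against a real image the same way: read the dump file into `bytes` (or memory-map it) and pass it to `carve`. The byte offsets it reports are what an investigator records in the notes, since they let a finding be located again in the preserved image.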

Live-box analysis has become a requirement for those who are investigating illicit activities on computers so that they can best determine motives, behaviors, and identity. While computer investigators often receive ongoing training to stay current with the latest computer forensic tools and best practices, most are not trained in live-box methodologies and technologies.


Investigators need to know if malicious code is running on a suspect’s machine. Physical memory analysis provides a new approach to detecting rootkits and malicious code. This capture shows HBGary Responder identifying a hidden kernel driver called msdirectx.sys. The process notepad.exe is hidden from the system.

Capturing and preserving physical memory is the easy part

The first step in live-box forensics is to capture and preserve the physical memory or volatile data before turning off the computer. Given the latest technological advances, it is not difficult to use software to create an image of physical memory. There are a number of techniques an investigator can use to capture the entire contents of physical memory on a computer. Each has its own strengths and weaknesses, and each is best employed under specific circumstances. This is precisely where proper training becomes critical for the investigator.

Currently there are software utilities, hardware devices, and specific keyboard sequences within some operating systems that can be used to create a snapshot, or crash dump, of physical memory. For the sake of this article, we will focus on the software methods and techniques used to capture memory.

Today there are a number of free software utilities available to capture the entire contents of physical memory on Windows computer systems. Best practices dictate that investigators get the software and learn how to use it prior to beginning their first live-box computer investigation.

For a brief list of some of the software applications available for memory collection and preservation on Windows platforms, see the chart below.

The software listed in the chart is suitable for the live collection of physical memory—assuming that the investigator follows best practices for computer forensics and is trained in collecting volatile data.

Computer forensic investigators must follow forensic best practices for any and all actions they take during the collection of potential evidence. For example, they should record every action performed at the crime scene, including every action taken on the suspect’s computer system, together with the time at which it was performed. This basic information is important for chain-of-custody reasons and may be needed in litigation.
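The record-keeping the paragraph above calls for is easy to automate. The script below is an added example for this article, not code from the original page or from any acquisition utility: it assumes the memory image has already been written to disk by whatever tool the investigator chose, then hashes it with SHA-256 at acquisition time, writes each action with a UTC timestamp to an append-only log, and re-hashes the image at analysis time to show it has not changed while in custody. The examiner name, case number and image contents are constructed for the demonstration.

```python
"""Hash an acquired memory image and keep a timestamped acquisition log.

Added example for this article (not the page's own code or any vendor tool).
Acquisition itself is out of scope: the image is assumed to already exist on
disk. Hashing at acquisition and re-hashing at analysis lets the investigator
demonstrate that the image has not changed while in custody.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class AcquisitionLog:
    """Append-only, timestamped record of every action taken at the scene."""

    def __init__(self, path):
        self.path = Path(path)
        self.entries = []

    def record(self, action, **details):
        entry = {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 "action": action, **details}
        self.entries.append(entry)
        with self.path.open("a", encoding="utf-8") as f:   # one JSON line per action
            f.write(json.dumps(entry) + "\n")
        return entry


def seal_image(image_path, log):
    """Hash the freshly acquired image and log the digest; returns the digest."""
    digest = sha256_file(image_path)
    log.record("hash_image", file=str(image_path),
               size=Path(image_path).stat().st_size, sha256=digest)
    return digest


def verify_image(image_path, expected):
    """Re-hash at analysis time; True only if the image is byte-for-byte unchanged."""
    return sha256_file(image_path) == expected


def demo():
    """Run the sequence end to end in a temporary directory; returns the results."""
    work = Path(tempfile.mkdtemp(prefix="livebox-"))
    img = work / "suspect-ram.bin"
    # Constructed stand-in for a real acquisition (a real image is gigabytes).
    img.write_bytes(b"\x00" * 4096 + b"MZ" + b"\x90" * 1000)
    log = AcquisitionLog(work / "acquisition.log")
    log.record("start", examiner="J. Doe", case="2008-0042")   # constructed details
    digest = seal_image(img, log)
    intact = verify_image(img, digest)
    with img.open("r+b") as f:           # simulate a single modified byte in custody
        f.seek(4096)
        f.write(b"ZM")
    tamper_detected = not verify_image(img, digest)
    log.record("verify", sha256_ok=intact, after_tamper_ok=not tamper_detected)
    return {"sha256": digest, "intact": intact,
            "tamper_detected": tamper_detected, "log_entries": len(log.entries)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the log and the digest are written to media the investigator controls, not to the suspect system, and the digest is also recorded by hand on the evidence form so the two can be compared independently of the software.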

There are a number of organizations that provide training in the area of computer forensics. We have listed four of them in the chart below.


This screen capture shows how binary forensics can be used to identify behavioral capabilities of a specific piece of software. This is an excellent way to answer the who, what, when, where, why, and how of a specific application or piece of malware.

Analyzing physical memory is the hard part

Even though tools exist to preserve memory, there are only a few software tools available today to help computer investigators analyze the preserved memory images. In the past, most of the memory-analysis work has been done in the academic, open-source communities and government labs. With time, however, these software tools have become increasingly user-friendly and we have seen widespread adoption of their use in additional markets such as finance and law enforcement.

In order to properly analyze and investigate the physical memory of a computer, the investigator needs specialized software that recreates the runtime state of the machine at the time the memory was imaged. The goal is to expose all the objects in memory, including the running applications, system resources, attached devices, and open documents. Existing software tools accomplish these complex tasks by parsing undocumented, esoteric data structures and reporting on their contents. This is no small feat: the Windows memory structures often vary from one service pack to another and from one operating-system version to another. However, these undocumented data structures hold a treasure trove of information that is now available to investigators.

The software applications available to investigators to help analyze the physical-memory snapshots include just one open-source solution of note: Volatility Framework. Recently a few commercial organizations have released software to analyze Windows physical-memory images for forensic computer investigations. All of these resources are listed in the chart below.
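The rootkit case in the earlier screen capture (a process hidden from the system) illustrates why analysis tools recreate the runtime state rather than trusting a single source. The script below is an added example for this article, not code from the original page, from HBGary Responder or from Volatility. It models the cross-view technique those tools use: walk the operating system's own process list from its list head, independently scan memory for the pool tag that marks process blocks, and report any block the scan finds that the list does not. A rootkit that unlinks a process from the list hides it from the first view but leaves the block, and its tag, in memory for the second. The block layout, offsets and pool tag below are a toy layout invented for the example; real _EPROCESS offsets differ by Windows version and service pack.

```python
"""Cross-view detection of a hidden (unlinked) process in a memory image.

Added example for this article; not the page's own code and not real Windows
offsets. A toy process block is 32 bytes: 4-byte pool tag, 4-byte PID, 4-byte
flink, 4-byte blink, 16-byte image name. The image begins with an 8-byte list
head (flink, blink). All of this layout is hypothetical.
"""
import re
import struct

BLOCK_SIZE = 32      # toy block size (hypothetical)
LIST_HEAD = 0x00     # toy list-head offset (hypothetical)
TAG = b"Proc"        # toy pool tag marking a process block (hypothetical)


def make_block(pid, flink, blink, name):
    return struct.pack("<4sIII", TAG, pid, flink, blink) + name.ljust(16, "\x00").encode()[:16]


def build_sample_image():
    """Constructed image: four processes, notepad.exe unlinked from the list."""
    img = bytearray(0x140)
    # List order as the OS sees it: System -> explorer.exe -> cmd.exe.
    # notepad.exe's neighbours point past it, exactly as DKOM unlinking leaves it.
    entries = [
        (0x40,  "System",       4,    0x80,      LIST_HEAD),
        (0x80,  "explorer.exe", 1234, 0x100,     0x40),
        (0xC0,  "notepad.exe",  2048, 0x100,     0x80),   # still in memory, unlinked
        (0x100, "cmd.exe",      3072, LIST_HEAD, 0x80),
    ]
    struct.pack_into("<II", img, LIST_HEAD, 0x40, 0x100)  # head.flink, head.blink
    for off, name, pid, flink, blink in entries:
        img[off:off + BLOCK_SIZE] = make_block(pid, flink, blink, name)
    return bytes(img)


def read_block(img, off):
    tag, pid, flink, blink = struct.unpack_from("<4sIII", img, off)
    name = img[off + 16:off + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"offset": off, "tag": tag, "pid": pid, "flink": flink,
            "blink": blink, "name": name}


def walk_list(img, max_steps=4096):
    """View 1: the active-process list as the OS reports it (pslist-style)."""
    procs, seen = [], set()
    off = struct.unpack_from("<I", img, LIST_HEAD)[0]
    while off != LIST_HEAD and off not in seen and len(procs) < max_steps:
        seen.add(off)                        # guard against cyclic/corrupted lists
        block = read_block(img, off)
        if block["tag"] != TAG:              # pointer led somewhere that is not a process
            break
        procs.append(block)
        off = block["flink"]
    return procs


def scan_pool(img):
    """View 2: every aligned block carrying the process pool tag (psscan-style)."""
    return [read_block(img, m.start())
            for m in re.finditer(re.escape(TAG), img)
            if m.start() % 16 == 0 and m.start() + BLOCK_SIZE <= len(img)]


def find_hidden(img):
    """Processes present in the pool scan but absent from the OS list."""
    listed = {p["offset"] for p in walk_list(img)}
    return [p for p in scan_pool(img) if p["offset"] not in listed]


if __name__ == "__main__":
    image = build_sample_image()
    print("listed:", [p["name"] for p in walk_list(image)])
    print("scanned:", [p["name"] for p in scan_pool(image)])
    for p in find_hidden(image):
        print(f"HIDDEN  pid={p['pid']}  name={p['name']}  at 0x{p['offset']:x}")
```

The same comparison is what a practitioner does with real tools by diffing the list-walk output against the scan output; the difference set is the starting point for the rootkit investigation.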

Conclusion

Live-box computer forensics should now play a role in each and every computer forensic investigation. The runtime information found in memory could be critical to many types of investigations. Dead-box and live-box forensics are complementary. When they are used together, the investigator will gain a more complete set of evidence for any cyber investigation.

Helpful Contacts for Computer Forensic Investigations

Software for Memory Collection, Preservation (Free)

Software for Memory Collection, Preservation (Commercial)

Training

Software for Physical-Memory Snapshots


About the Author

Rich Cummings is the chief technology officer for HBGary, Inc. He has been doing incident response investigations since the late 1990s, when he worked as part of the 911 emergency response team at Network Associates. During his career, Rich has been involved in high-profile incident response investigations at some of the largest companies in the world. Prior to joining HBGary, Cummings was with Guidance Software, where he worked with the federal government and military in designing large-scale solutions for incident response, computer-network defense, and counterintelligence investigations.


ORIGINALLY PUBLISHED:
"Computer Forensics," written by Rich Cummings
November-December 2008 (Volume 6, Number 6)
Evidence Technology Magazine