If the system is running, capture its memory first. Every minute a live system keeps running, and every tool you launch on it, overwrites ("stomps on") memory you may need, so acquisition comes before anything else. Benchmark your acquisition tools beforehand to learn their RAM footprint, speed and what they write to disk.
Benchmark the tools. DumpIt (lightweight), Magnet RAM Capture, Belkasoft Live RAM Capturer, FTK Imager (slow, highest footprint), Redline, Fast Dump (fdpro.exe).
Media matters. SSD or USB versus a magnetic (HDD) evidence disk? USB 3 is fast enough for most acquisitions. Check storage: allow at least a third more capacity than the data you expect to collect. Magnetic media are cheap (2-4 GB).
VM vs physical: different concerns. A VM's memory can often be captured from the hypervisor (snapshot or saved-state files) without running anything inside the guest; a physical host needs a tool on the box or a hardware device.
Validate Tools
Document every change you make. Know your tools 🧰 and what they alter on the target (file writes, registry keys, loaded drivers, memory).
🧰 Validate your tools. Tools must be validated periodically and before each analysis. For example, confirm that your wiping software actually WIPED the drive you will be using for evidence collection, e.g. by comparing the whole device against a stream of zeros of the same length, or by hashing it and comparing the result with the hash of an all-zero image of that size.
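To make the wipe check concrete, here is a bash script added to these notes (it is not from the original page or from any wiping tool) that proves a target drive or image file is zero-filled before evidence is written to it. It compares the device against an equally long stream of zeros with cmp instead of hashing, so it stops at the first non-zero byte and reports its offset; the device path is an argument, and using blockdev (Linux) to size a raw device is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): confirm that an evidence drive
# is still all zeros before you image onto it. Assumes the target is passed
# as $1 and that you run as root for a raw device such as /dev/sdb.
set -eu

# dev_size PATH: byte length of a block device (blockdev, Linux only) or of a
# regular file (GNU stat first, BSD/macOS stat as fallback).
dev_size() {
  if [ -b "$1" ]; then
    blockdev --getsize64 "$1"
  else
    stat -c %s "$1" 2>/dev/null || stat -f %z "$1"
  fi
}

# verify_wiped DEVICE: return 0 if every byte is 0x00, 1 otherwise.
# cmp compares the device with an equally long stream of zeros and stops at
# the first differing byte, so a dirty drive is caught without reading it all.
verify_wiped() {
  local dev="$1" size report
  size=$(dev_size "$dev")
  if report=$(head -c "$size" /dev/zero | cmp - "$dev" 2>&1); then
    echo "OK: $dev ($size bytes) is zero-filled"
    return 0
  fi
  # cmp's message names the first non-zero byte ("differ: byte N, line M").
  echo "FAIL: $dev is not wiped: $report" >&2
  return 1
}

# Typical use after wiping: verify_wiped /dev/sdb && echo "safe to image onto"
```

If you want a value for the case notes rather than a pass/fail, hash the device and compare it with the hash of head -c SIZE /dev/zero; on a multi-terabyte drive either check takes about as long as the wipe itself, so run it straight after wiping and record the result.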
Choose the appropriate approach. Below are some questions to ask when deciding; each example rates the approach as Easy, Medium or Hard against the same five criteria.
Example 1. Logging in remotely to collect artefacts and run preinstalled UI admin tools:

| Criterion | Rating |
|---|---|
| Easy to collect artefacts? | Hard: many non-DFIR tools |
| Easy to connect remotely? | Easy, if the remote connection is allowed |
| Identify relevant data | Hard: not DFIR specific |
| Pivoting | Medium to Hard: depends |
| Scaling | Hard: one host at a time |

Example 2. Logging in remotely to collect artefacts with command-line tools:

| Criterion | Rating |
|---|---|
| Easy to collect artefacts? | Medium: many tools, but they can be scripted; generally free |
| Easy to connect remotely? | Hard: the tools have to be copied to the system |
| Identify relevant data | Hard: not DFIR specific |
| Pivoting | Hard: many output files |
| Scaling | Hard: one host at a time |

Example 3. Continuous monitoring:

| Criterion | Rating |
|---|---|
| Easy to collect artefacts? | Easy for the artefacts being monitored; Hard for everything else |
| Easy to connect remotely? | Easy, if configured |
| Identify relevant data | Medium: depends on the tools |
| Pivoting | Medium: depends on the tools |
| Scaling | Easy, if monitoring is enabled |

Example 4. Full image:

| Criterion | Rating |
|---|---|
| Easy to collect artefacts? | Hard to get the full image, and it still has to be parsed; but reliable |
| Easy to connect remotely? | Medium: depends |
| Identify relevant data | Medium: depends on the parser tool |
| Pivoting | Medium: depends on the parser tool |
| Scaling | Medium: depends on the acquisition tools |

Example 5. Cyber Triage:

| Criterion | Rating |
|---|---|
| Easy to collect artefacts? | Easy: one exe for local or remote collection |
| Easy to connect remotely? | Easy: easy to send over the network |
| Identify relevant data | Medium: it scores the data |
| Pivoting | Easy: navigation via the UI |
| Scaling | Easy: multiple hosts |
Collection
PowerShell is the best tool to automate and scale evidence collection across the enterprise: it is already present on every Windows host and supports remoting, so nothing has to be installed on the targets.
Kansa
Not only for collection but also for analysis (stacking, i.e. counting how often a value occurs across hosts so that the outliers stand out). It scales and is suitable for acquisition across an enterprise.
PowerShell (CSIRT-Collect.ps1)
Two directories: one holding WinPmem and 7-Zip, another holding KAPE copied from a local install. The script takes a RAM image with WinPmem, zips it and sends it to a network share, then cleans up the host under investigation. A handy detail: it records the OS build, which Volatility 2 (vol2.py) needs in order to pick the right profile.
It then launches KAPE, which performs the triage collection.
KAPE (Kroll Artifact Parser & Extractor)
It seems to be very close to what the Kansa framework does. What's the difference? Kansa is for live response and hunting; KAPE is for forensic collection and parsing. Also, Kansa seems to be dying (no longer actively maintained). Better explained here by sprint_ska; thanks, man. Kansa relies on Windows built-in tools (PowerShell remoting), while KAPE brings its own binaries. Kansa scales better.
```
kape --tsource C: --target RegistryHives --tdest "\results"
kape --tsource H: --target !ALL --tdest "dir" --debug
kape --msource "dir" --module LECmd --mdest "dir" --trace --debug
```
Winpmem
Open-source Windows memory acquisition driver and command-line tool (Velocidex, formerly part of Rekall); the component CSIRT-Collect uses for the RAM image.
7zip
Used to compress the RAM image before it is moved over the network.
Arsenal Image Mounter
Mounts disk images as full physical disks in Windows, so tools that expect a real disk can work on the image.
Magnet Axiom
💴 Don't forget it's a paid tool. Nevertheless, it's straightforward to use. Works for macOS as well.
Cyber Triage
Works live, remotely, or against an image. Steps:
- Collect artefacts
- Score
- Review
- Deep Dive (optional)
- Report
We need to analyse user activity, find malware indicators and check whether configs were changed.
Awesome Incident Response
https://github.com/meirwah/awesome-incident-response
Hashing
Native Hashing Tools
Windows: certutil -hashfile [filename] [algorithm], where the algorithm is MD5, SHA1, SHA256, SHA384 or SHA512 (the switch is -hashfile; certutil has no separate -file/-hash options).
macOS: md5, shasum -a 256 (there is no sha256sum by default).
Linux: md5sum, sha256sum, etc.
Disk Imaging
ftkimager
💾 Footprint
Write Blockers
- NIST on software write blockers: https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt/cftt-technical/software
- Benchmark of different software and hardware blockers: https://habr.com/ru/company/bizone/blog/320032/
- Video, EnCase image extraction using a physical write blocker: https://youtu.be/r6-tsPUUhCU
RAM Acquisition
There are both software and hardware-based tools.
FTK Imager
User mode. The command-line build (ftkimager) is lighter; the GUI version leaves a heavy footprint.
⚠️ Does not guarantee that the utility will make no write attempts to the drive being imaged. It looks like it does write to the device, so put a write-protect device such as the Wiebetech Forensic UltraDock between the source and the target disks.
💾 Footprint
Dumpit
Kernel mode. For Windows 7, 8 and lower only. Tested on Win7. It causes a crash on Win10. It doesn't work in a Parallels VM (M1 MacBook).
💾 Footprint
Small footprint
Clutch
For iOS only (jailbroken devices). It dumps the decrypted binary of an installed app from memory; it is an app dumper, not a full RAM imager.
💾 Footprint
Frida
For jailbroken/rooted mobile devices.
frida-ios-dump
A Frida script used to dump a single process (the one Frida was injected into): it pulls the decrypted application binary out of memory rather than imaging the device's RAM.
💾 Footprint
Magnet RAM Capture
Kernel mode
💾 Footprint
Belkasoft Live RAM Capturer
Kernel mode. It uses a device driver to bypass user-space limitations; however, it has more impact on the operating system because of this. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 164). BCS Learning & Development Limited. Kindle Edition.
💾 Footprint
WinDD
Windows only (what a surprise, right?).
It can write the image over the network or to USB.
💾 Footprint
Footprint is ~1 MB (2013).
dd
The dd utility takes a raw dump of memory or of a disk. conv=noerror is important: without it dd stops at the first read error. Pair it with sync (conv=noerror,sync) so an unreadable block is zero-padded instead of dropped; otherwise every byte after the error shifts and offsets in the image no longer match the source.
... user-space-sourced copy of memory, so some protected memory regions will not be included in the image. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 165). BCS Learning & Development Limited. Kindle Edition.
Caveats: on Windows, user-mode access to \\.\PhysicalMemory has been blocked since Windows Server 2003 SP1, so the dd approach below only works on XP/2003-era systems; newer Windows needs a driver-based tool (WinPmem, DumpIt, Magnet RAM Capture). On current Linux kernels /dev/mem is restricted (CONFIG_STRICT_DEVMEM leaves only the first megabyte and device-mapped ranges readable) and /dev/kmem was removed in kernel 5.13, so a full RAM image needs a kernel-module approach such as fmem (below).
BTFM
```
# HDD/SSD
sudo dd if=/dev/sdb of=/case1/diskb.dd conv=noerror,sync
# RAM
# Windows (a dd port that exposes \\.\PhysicalMemory; XP/2003 only, see above)
dd if=\\.\PhysicalMemory of=F:\Evidence\memory.dd conv=noerror,sync
# UNIX
dd if=/dev/mem of=memory.dd conv=noerror,sync
# or (kernels before 5.13)
dd if=/dev/kmem of=memory.dd conv=noerror,sync
```
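The hashing commands in the Hashing section above and the dd commands in the BTFM list are two halves of one procedure: image, hash the bytes as they are written, re-hash the image, and record the hash so it can be re-verified later. The bash script below, written for these notes as an added example and not taken from BTFM or from any tool's documentation, runs that procedure end to end; the device path, evidence directory and case name are arguments and assumptions, and it uses bs=512 with conv=noerror,sync so a bad sector costs one sector rather than one large block.

```bash
#!/usr/bin/env bash
# Added example for these notes (not from BTFM or any tool's documentation):
# image a device with dd, hash the stream while it is written, re-hash the
# image, and keep a manifest that sha256sum/shasum can re-check later.
# Assumptions: SRC is a block device or file you may read, OUT_DIR sits on the
# (already verified) evidence drive, NAME is the case label for the files.
set -eu

# sha256_of [FILE]: hex digest of FILE, or of stdin when no FILE is given.
# GNU coreutils on Linux has sha256sum; macOS ships shasum instead.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@" | cut -d' ' -f1
  else shasum -a 256 "$@" | cut -d' ' -f1; fi
}

# acquire SRC OUT_DIR NAME -> OUT_DIR/NAME.dd, NAME.dd.sha256, NAME.dd.log and
# a line appended to OUT_DIR/MANIFEST.sha256. Returns 1 if the image on disk
# does not hash to what dd emitted.
acquire() {
  local src="$1" out="$2" name="$3"
  local img="$out/$name.dd" stream_hash file_hash
  mkdir -p "$out"
  # bs=512 = one sector. conv=noerror keeps going past an unreadable sector
  # instead of aborting; conv=sync zero-pads that sector so every later byte
  # keeps its original offset. A large bs would lose a whole block per bad
  # sector and pad the tail of the image. tee forks the stream so the source
  # (possibly a dying disk) is read exactly once: one copy to the image file,
  # one to the hasher. dd's record counts and read errors go to the log.
  stream_hash=$(dd if="$src" bs=512 conv=noerror,sync 2>"$img.log" \
                  | tee "$img" | sha256_of)
  # Re-read the written image: proves the evidence drive holds what dd emitted.
  file_hash=$(sha256_of "$img")
  if [ "$stream_hash" != "$file_hash" ]; then
    echo "FAIL: $img hashes to $file_hash, stream was $stream_hash" >&2
    return 1
  fi
  printf '%s\n' "$stream_hash" > "$img.sha256"
  # "<hash>  <relative name>" is the format that sha256sum -c / shasum -c read.
  printf '%s  %s\n' "$stream_hash" "$name.dd" >> "$out/MANIFEST.sha256"
  echo "OK: $img sha256=$stream_hash (dd log: $img.log)"
}

# verify_manifest OUT_DIR/MANIFEST.sha256: re-hash every listed image, as you
# would before analysis or in court to show the evidence is unchanged.
verify_manifest() {
  local dir base
  dir=$(dirname "$1"); base=$(basename "$1")
  ( cd "$dir" && if command -v sha256sum >/dev/null 2>&1; then sha256sum -c "$base"
                 else shasum -a 256 -c "$base"; fi )
}

# Typical use (as root): acquire /dev/sdb /mnt/evidence/case1 diskb
#                         verify_manifest /mnt/evidence/case1/MANIFEST.sha256
```

Because the stream is hashed in flight, the hash you record is the hash of what dd actually emitted; if the source is read a second time after bad sectors were skipped and padded, its hash will legitimately differ from the image's, which is why the manifest is the reference, not a re-hash of the original media.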
💾 Footprint
Goldfish
⚠️ Works only up to macOS 10.5 (32-bit).
💾 Footprint
OSXpmem
It's part of Rekall.
... from both user and kernel space via a bundled driver. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 164). BCS Learning & Development Limited. Kindle Edition.
SIP needs to be disabled (reboot > Cmd+R > Terminal > csrutil disable > reboot). Otherwise, you might run into this issue: dump_memory(833): Failed to load kext (No such process)
USB > Get Info > unlock the padlock > Ignore ownership on this volume (check). Otherwise, you might run into this issue: Can't load kext ./pmem.kext, as it is not owned by root:wheel. Just chowning didn't work for me. When I unchecked it, replugged the USB, and decompressed the archive, I managed to get the dump without this error. Restart the Terminal for the changes to take effect!
💾 Footprint
⚠️ See the comments above. Due to these prerequisites, the footprint might be significant.
Redline
Create a collector first (a folder with a batch or shell script). Put it on the USB drive and run it on the target machine from there. A great tool to visualise the main things in RAM and quickly identify suspicious activity. The only one that works in a Parallels VM (M1 MacBook Pro). However, I did not encounter errors and could not analyse anything properly.
💾 Footprint
Fmem
A Linux kernel module, Fmem creates a new virtual device on a machine called /dev/fmem. The investigator or first responder can then use dd against this virtual device without running into the restrictions that would be present when trying to directly obtain physical memory through /dev/mem. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 165). BCS Learning & Development Limited. Kindle Edition.
Linux Memory Grabber
This tool is a script that attempts to automate a number of the steps that must be taken to acquire memory from a Linux system. The tool is designed to be run from a USB stick, and automates the installation of kernel modules and creates a profile for the open-source Volatility Framework, a memory forensics suite. Once the USB drive is mounted a single command can be issued to do all the work, making it suitable for folks who might not be as proficient in Linux. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 165). BCS Learning & Development Limited. Kindle Edition.
Tribble
Hardware memory acquisition tool. Only works if it was installed in the PC before the incident.
Includes a write blocker.
Memory Grabber Forensic Tool
A PCMCIA card. When plugged into the suspect's computer, the card provides an interface to a controlled system running forensics software that can be used to analyse the image.