If the system is running, capture the memory first; it should be the first task. Watch for memory stomping (the capture tool itself changes memory while it runs). Benchmark tools to determine RAM footprint, speed, writes, etc.
Benchmark the tools: DumpIt (lightweight), Magnet RAM Capture, Belkasoft Live RAM Capturer, FTK (slow, highest footprint), Redline, Fast Dump (fdpro.exe).
Media matters: SSD or USB vs. a magnetic evidence disk (HDD)? USB 3 is cool. Storage check: at least 1/3 more than the amount collected. Magnetic is cheap, 2-4 Gb.
VM vs physical. Different concerns.
Document the changes that you are making. Know your tools 🛠: what changes do they make on the system (see the tool notes below)?
🧰 Validate your tools. Tools need to be validated periodically and before each analysis. For example, check that your wiping software has thoroughly WIPED the drive you will use for evidence collection (for example, by running checksum64 against it).
Choose the appropriate one. Below are some questions to ask to decide.
Example 1. Logging in remotely to collect artefacts and run preinstalled UI admin tools:

| Question | Rating |
|---|---|
| Easy to collect artefacts? | Hard 🧱: many non-DFIR tools |
| Easy to connect remotely? | Easy 💸: if the remote connection is allowed |
| Identify relevant data. | Hard 🧱: not DFIR specific |
| Pivoting | Hard 🍯-🧱: depends |
| Scaling | Hard 🧱: one at a time |
Example 2. Logging in remotely to collect artefacts with cmd tools:

| Question | Rating |
|---|---|
| Easy to collect artefacts? | Medium 🍯: many tools, but they can be scripted. Generally free. |
| Easy to connect remotely? | Hard 🧱: have to copy tools to the system. |
| Identify relevant data. | Hard 🧱: not DFIR specific |
| Pivoting | Hard 🧱: many output files |
| Scaling | Hard 🧱: one at a time |
Example 3. Continuous monitoring:

| Question | Rating |
|---|---|
| Easy to collect artefacts? | Easy 💸: for artefacts being monitored. Hard 🧱: for others. |
| Easy to connect remotely? | Easy 💸: if configured. |
| Identify relevant data. | Medium 🍯: depends on the tools. |
| Pivoting | Medium 🍯: depends on the tools. |
| Scaling | Easy 💸: if monitoring is enabled |
Example 4. Full image:

| Question | Rating |
|---|---|
| Easy to collect artefacts? | Hard 🧱: getting the full image is hard, and it also needs to be parsed. But reliable. |
| Easy to connect remotely? | Medium 🍯: depends |
| Identify relevant data. | Medium 🍯: depends on the parser tool. |
| Pivoting | Medium 🍯: depends on the parser tool. |
| Scaling | Medium 🍯: depends on acquisition tools. |
Example 5. Cyber Triage:

| Question | Rating |
|---|---|
| Easy to collect artefacts? | Easy 💸: one exe for local or remote. |
| Easy to connect remotely? | Easy 💸: easy to send over the network. |
| Identify relevant data. | Medium 🍯: scores data. |
| Pivoting | Easy 💸: navigation via UI. |
PowerShell is the best tool to automate and scale evidence collection across the enterprise. It serves not only collection but also analysis (stacking), it scales, and it is suitable for acquisition across enterprises.
Two directories: one with WinPmem and 7zip, another with KAPE copied from a local install. The script makes a RAM image, zips it and sends it to the network share, then cleans up the host under investigation. A handy thing: it also captures the OS build needed for the vol2.py profile.
Then it launches KAPE, which performs triage.
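An added example of such a collector, not the page's own script: it dumps RAM with WinPmem, records the OS build for the Volatility 2 profile, compresses with 7-Zip, runs a KAPE target, hashes everything, verifies the hashes after copying to the share and only then cleans up. The directory layout (`mem\winpmem_mini_x64_rc2.exe`, `mem\7za.exe`, `kape\kape.exe`) and the share path are assumptions; run it elevated from the collector directory.

```powershell
# Added example (not the page's script). Assumed layout next to this script:
# .\mem\winpmem_mini_x64_rc2.exe, .\mem\7za.exe, .\kape\kape.exe. $Share is an
# assumed UNC path. Must run elevated.
param(
    [string]$Share = '\\evidence-server\collections',  # assumed share
    [string]$Work  = 'C:\IR_Collect'                   # staging dir on the host
)
$ErrorActionPreference = 'Stop'
$here     = Split-Path -Parent $MyInvocation.MyCommand.Path
$hostName = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd_HHmmss'
$case     = Join-Path $Work "${hostName}_$stamp"
New-Item -ItemType Directory -Path $case | Out-Null

# 1. Volatile data first: dump RAM with WinPmem and hash the raw image at once
$raw = Join-Path $case 'memory.raw'
& (Join-Path $here 'mem\winpmem_mini_x64_rc2.exe') $raw | Out-Null
if (-not (Test-Path $raw)) { throw 'memory capture failed' }
$memHash = (Get-FileHash -Algorithm SHA256 -Path $raw).Hash

# 2. Record OS build/arch so the Volatility 2 profile can be chosen later
$os = Get-CimInstance Win32_OperatingSystem
[pscustomobject]@{ Host = $hostName; Caption = $os.Caption; Version = $os.Version
                   Build = $os.BuildNumber; Arch = $os.OSArchitecture
                   MemoryRawSha256 = $memHash; Captured = $stamp } |
    ConvertTo-Json | Set-Content (Join-Path $case 'osinfo.json')

# 3. Compress the image and drop the raw copy to limit space used on the host
& (Join-Path $here 'mem\7za.exe') a -t7z -mx=3 "$raw.7z" $raw | Out-Null
Remove-Item $raw

# 4. Triage collection with KAPE (target taken from the page; adjust as needed)
& (Join-Path $here 'kape\kape.exe') --tsource C: --target RegistryHives --tdest (Join-Path $case 'kape') | Out-Null

# 5. Hash manifest, copy to the share, re-hash at the destination
$manifest = Join-Path $case 'hashes.sha256'
Get-ChildItem $case -Recurse -File | Where-Object { $_.Name -ne 'hashes.sha256' } |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "$($_.Hash)  $($_.Path.Substring($case.Length + 1))" } |
    Set-Content $manifest
$dest = Join-Path $Share (Split-Path -Leaf $case)
Copy-Item -Path $case -Destination $dest -Recurse
$bad = Get-Content $manifest | ForEach-Object {
    $h, $rel = $_ -split '  ', 2
    if ((Get-FileHash -Algorithm SHA256 (Join-Path $dest $rel)).Hash -ne $h) { $rel }
}
if ($bad) { throw "hash mismatch after copy: $($bad -join ', ')" }

# 6. Clean up the staging directory only after the copy has been verified
Remove-Item $case -Recurse -Force
```

The manifest at the destination plus `osinfo.json` gives the analyst the raw-image hash, the archive hash and the build string in one place.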
KAPE (Kroll Artifact Parser & Extractor)
It seems to be very close to what the Kansa framework does. What's the difference? Kansa is for live response and hunting; KAPE is for forensics. Also, Kansa seems to be dying. Better explained here by sprint_ska; thanks, man. Kansa relies on Windows built-in tools, while KAPE doesn't. Kansa scales better.

```cmd
kape --tsource C: --target RegistryHives --tdest "\results"
kape --tsource H --target !ALL --tdest "dir" --debug
kape --msource "dir" --module LECmd --mdest "dir" --trace --debug
```
Arsenal Image Mounter
💴 Don't forget it's a paid tool. Nevertheless, it's straightforward to use. Works on macOS as well.
Live, remote or image. Steps:
- Collect artefacts
- Deep Dive (optional)
We need to analyse user activity, find malware indicators and check whether configs were changed.
Awesome Incident Response
Native Hashing Tools
Windows: `certutil -hashfile <filename> <MD5|SHA1|SHA256|...>` (PowerShell's `Get-FileHash -Algorithm SHA256 <filename>` is the other built-in option).
NIST on software write blockers: https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt/cftt-technical/software. Benchmark of different software and hardware write blockers: https://habr.com/ru/company/bizone/blog/320032/. Video of EnCase image extraction using a physical write blocker: https://youtu.be/r6-tsPUUhCU
There are both software and hardware-based tools.
The GUI version leaves a heavy footprint.
⛔️ User mode
⚠️ Does not guarantee that the utility will not attempt writes to the target drive. It looks like it does write to the device, so use a write-protect device such as the Wiebetech Forensic UltraDock between the source and target disks.
⛔️ Kernel mode ⛔️ For Win7, 8 and lower only. Tested on Win7. It causes a crash on Win10. It doesn't work on a Parallels VM (M1 MacBook).
👍 Small footprint
⛔️ For iOS only
⛔️ Mobile jailbroken/rooted devices
The frida-ios-dump script is used to dump the RAM of a process (only the one process into which Frida was injected).
Magnet RAM Capture
Belkasoft Live RAM Capture
⛔️ Kernel mode ⛔️ It uses a device driver to bypass user-space limitations; however, it has more impact on the operating system because of this. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 164). BCS Learning & Development Limited. Kindle Edition.
⛔️ Windows only (what a surprise, right? 😂)
It can be used over the network or USB.
👍 Footprint is ~ 1MB (2013)
The dd utility allows a raw dump of memory. `conv=noerror` is important: it keeps dd from stopping the acquisition when it hits a read error.
… user-space-sourced copy of memory, so some protected memory regions will not be included in the image. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 165). BCS Learning & Development Limited. Kindle Edition.

```bash
# HDD/SSD: raw image of the whole block device
sudo dd if=/dev/sdb of=/case1/diskb.dd
# RAM
# Windows: needs a forensic dd build that can open the \\.\PhysicalMemory device
# (user-mode access to it is not available on current Windows versions)
dd if=\\.\PhysicalMemory of=F:\Evidence\memory.dd conv=noerror
# UNIX
dd if=/dev/mem of=memory.dd conv=noerror
# or
dd if=/dev/kmem of=memory.dd conv=noerror
# conv=noerror skips unreadable blocks instead of aborting; conv=noerror,sync
# additionally pads them with zeros so offsets in the image stay aligned with the source.
```
⚠️ Works up to macOS 10.5 (32bit)
It’s part of
…from both user and kernel space via a bundled driver. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 164). BCS Learning & Development Limited. Kindle Edition.
✍🏻 SIP needs to be disabled (reboot > CMD+R > Terminal > `csrutil disable` > reboot). Otherwise, you might run into this issue: dump_memory(833): Failed to load kext (No such process)
✍🏻 USB > Get Info > unlock 🔒 > Ignore ownership on this volume (check). Otherwise, you might run into this issue: Can't load kext ./pmem.kext, as it is not owned by root:wheel. Just chowning didn't work for me. When I unchecked it, replugged the USB, and decompressed the archive, I managed to get the dump without this error. ❗️ Restart the Terminal for the changes to take effect!
⚠️ See comments. Due to these prerequisites, the footprint might be significant.
✍🏻 Create a collector first (a folder with a batch or shell script). Put it on the USB drive and run it on the target machine from there. A great tool to visualise the main things in RAM and quickly identify suspicious activity. The only one that works on a Parallels VM (M1 MacBook Pro). However, I did not encounter errors and could not analyse anything properly.
A Linux kernel module, Fmem creates a new virtual device on a machine called '/dev/fmem'. The investigator or first responder can then use dd against this virtual device without running into the same restrictions that would be present when trying to directly obtain physical memory through '/dev/mem'. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 165). BCS Learning & Development Limited. Kindle Edition.
Linux Memory Grabber
This tool is a script that attempts to automate a number of the steps that must be taken to acquire memory from a Linux system. The tool is designed to be run from a USB stick, and automates the installation of kernel modules and creates a profile for the open-source Volatility Framework, a memory forensics suite. Once the USB drive is mounted, a single command can be issued to do all the work, making it suitable for folks who might not be as proficient in Linux. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 165). BCS Learning & Development Limited. Kindle Edition.
⛔️ Only works if it was in the PC before the incident. ⛔️ Hardware memory acquisition tool.
Includes a write blocker.
Memory Grabber Forensic Tool
A PCMCIA card. When plugged into the suspect's computer, the card provides an interface to a controlled system running forensics software that can be used to analyse the image.