Catching the ghost: how to discover ephemeral evidence with Live RAM analysis
Many types of evidence are only available in a computer's volatile memory. However, until very recently, this additional evidence was routinely discarded. Approaching a running computer with a "pull-the-plug" attitude used to be standard practice, without recognizing how much evidence is lost along with the content of the computer's volatile memory. Certain information never ends up on the hard drive at all, while other information may be stored securely on an encrypted volume whose decryption keys are conveniently available in the computer's volatile memory.
By simply pulling the plug, forensic specialists slam the door on the very possibility of recovering these and many other types of evidence. Read on to learn how to capture and analyze volatile data, how to make a RAM dump, and how to perform a comprehensive analysis of the memory dump.
Belkador Dali. “Losing volatile Evidence”.
All rights reserved.
Published in DFI Magazine, May 2013
Contents
- Ephemeral Evidence
- The Role of Live RAM Analysis in Today’s Digital Forensics
- Types of Evidence Available in Volatile Memory
- Limitations of Volatile Memory Analysis
- Collecting Volatile Data that Can Withstand Legal Scrutiny
- Acquisition Footprint
- Live Box vs. Offline Analysis
- Standard Procedure
- Tools and Techniques for Capturing Memory Dumps
- Consequences of Choosing the Wrong Tool
- The FireWire Attack
- The “Freezer Attack” on Scrambled Smartphones
- Tools for Analyzing Memory Dumps
- About the Authors
- Contacting the Authors
- About Belkasoft Research
- About Belkasoft
- References
Ephemeral Evidence
Until very recently, it was standard practice for European law enforcement agencies to approach running computers with a "pull-the-plug" attitude, without recognizing the amount of evidence lost with the content of the computer's volatile memory. Certain information never ends up on the hard drive at all, such as ongoing communications in social networks, data on running processes, or open network connections, while other information may be stored securely on an encrypted volume. By simply pulling the plug, forensic specialists slam the door on the very possibility of recovering these and many other types of evidence.
The Role of Live RAM Analysis in Today’s Digital Forensics
Capturing and analyzing volatile data is essential for discovering important evidence. Making a RAM dump should become a standard operating procedure when acquiring digital evidence, performed before pulling the plug and taking the hard drive out.
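The two claims above, that fragments of ongoing communications and the keys of mounted encrypted volumes survive only in RAM, can be made concrete against an acquired memory image. The script below is an added example and not part of the article or of any Belkasoft product: it carves printable strings from a raw image (the way the strings tool does) and locates AES-128 keys by searching for the expanded key schedule that a crypto library keeps in memory while a volume is mounted, the approach popularised by Halderman et al.'s cold-boot research. The memory image, the key (the FIPS-197 example key) and the chat URL are constructed here for the demonstration; nothing is read from a live system, and function names are the example's own.

```python
"""Carve ephemeral artifacts from a raw memory image (added example)."""
import random
import re


def _rotl8(x, n):
    """Rotate an 8-bit value left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map)
    instead of hard-coding 256 constants."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                             # q /= 3 ...
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09                                         # ... so q = p^-1
        sbox[p] = (q ^ _rotl8(q, 1) ^ _rotl8(q, 2)
                   ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63)
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _next_word(prev, first, rcon):
    """w[i] for i % 4 == 0: w[i-4] XOR SubWord(RotWord(w[i-1])) XOR Rcon."""
    t = [SBOX[b] for b in prev[1:] + prev[:1]]
    t[0] ^= rcon
    return bytes(a ^ b for a, b in zip(first, t))


def expand_key_128(key):
    """Return the 176-byte AES-128 key schedule (11 round keys)."""
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        if i % 4 == 0:
            w.append(_next_word(w[i - 1], w[i - 4], RCON[i // 4 - 1]))
        else:
            w.append(bytes(a ^ b for a, b in zip(w[i - 4], w[i - 1])))
    return b"".join(w)


def find_aes128_keys(image):
    """Return (offset, key) for every AES-128 key schedule in the image.

    A key that is merely present as 16 random-looking bytes cannot be told
    apart from noise, but the expanded schedule a library keeps beside it
    is a strong structural signature."""
    hits = []
    for off in range(len(image) - 176 + 1):
        key = image[off:off + 16]
        # Cheap filter: the first word of round key 1 must match before
        # paying for a full expansion.
        if _next_word(key[12:16], key[0:4], RCON[0]) != image[off + 16:off + 20]:
            continue
        if expand_key_128(key) == image[off:off + 176]:
            hits.append((off, key))
    return hits


def carve_strings(image, min_len=8):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, image)]


# --- constructed sample image (not a real acquisition) ---------------------
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 key
SAMPLE_MESSAGE = b"chat://im.example/msg?to=alice&text=meet+at+the+usual+place"


def build_sample_image(seed=7):
    """8 KiB of pseudo-random filler with a NUL-terminated chat fragment
    (as a socket buffer would hold it) and an expanded AES key planted in it."""
    rng = random.Random(seed)
    mem = bytearray(rng.getrandbits(8) for _ in range(8192))
    mem[999] = 0
    mem[1000:1000 + len(SAMPLE_MESSAGE)] = SAMPLE_MESSAGE
    mem[1000 + len(SAMPLE_MESSAGE)] = 0
    sched = expand_key_128(SAMPLE_KEY)
    mem[5000:5000 + len(sched)] = sched
    return bytes(mem)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for off, key in find_aes128_keys(SAMPLE_IMAGE):
        print("AES-128 key schedule at offset %d: key=%s" % (off, key.hex()))
    for s in carve_strings(SAMPLE_IMAGE):
        if "://" in s:
            print("carved URL fragment:", s)
```

On a real image the same loop is run over the whole capture (Volatility and aeskeyfind do this faster, checking only one round key per offset before a full expansion); the structural check is what keeps the false-positive rate near zero, since a random 16-byte window almost never has its own key schedule immediately following it. The string carver is deliberately crude: it is enough to show that the plaintext of the "ongoing communication" sits in the image, which is exactly the artifact that a pulled plug destroys.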