Slide 1 - WikiLeaks

Memory Forensics
A How To Guide For Responder Field Edition & Pro

• Prepare For Investigation
• Search & Analyze
• Report Findings

Forensic Analysis: Preparation
Where To Start
Begin by creating a list of search terms that are relevant to your investigation.
Prioritize the terms based on importance. Create a list of things you know that are
involved in the investigation:
• Names of people
• Domain names
• Project names
• Filenames
• Websites
• Office applications
• Encryption chat
• Email addresses
• Phone numbers
• Credit card numbers
This text file can be used to automate locating items in memory:
Forensic Analysis: Preparation (cont.)
Considerations
Try to find objects and artifacts that can tell you:
Who has logged into the computer?
When did things happen?
What processes are running?
What applications are installed?
What types of files are found?
What are the capabilities of the installed programs?
Approach For Investigating A Particular Application
Conduct background research: e.g., Skype:
Google: “Skype”
What is it?
How is it used?
Why is the suspect using it?
Is there volatile data in memory that might not be available by performing disk based forensics?
Are there recoverable passwords?
Forensic Analysis: Begin Investigation
Case Creation
A case must be created for each memory image you need to investigate. Begin by
creating a new case as demonstrated below.
Import a previously acquired memory image. Memory images may be analyzed that were
acquired with third party tools as well as HBGary's Fast Dump Pro (FDPro) tool. It is
recommended to import the system swap file whenever possible. This can only be done
when an acquisition has been completed using FDPro with the appropriate options.
Forensic Analysis: Investigating Webmail
Web Browser Artifacts
Begin by searching the internet history contained in the memory image. Look for
URLs that are associated with webmail services such as yahoo, gmail, hushmail,
or less common services. The graphic below demonstrates the manual browsing
of URLs.
The following items should be noted:
- Web sites visited
- Files downloaded
- Memory offsets
Identify network connections and externally routable IP addresses. Note the
process associated with the connection. Externally attainable intelligence can be
gathered on the IP address such as domain name resolution and registration
information.
Forensic Analysis: Investigating Webmail (cont.)
Searching Memory
The entire memory image can be searched for ASCII and Unicode formatted
strings. This can be done by double-clicking the memory image icon as
demonstrated below. Then use the binoculars icon to perform the search.
WebMail Search Terms
Search the memory image for strings commonly associated with email activity.
Example search strings:
@gmail.com
@hotmail.com
@yahoo.com
@hushmail.com
Attachment
&passwd=
&login=
Forensic Analysis: Investigating Skype
Skype Memory Artifacts
Verify Skype is running via the “Process” list:
(1) Inspect the “Open Files” list
(2) Sort by name
(3) Locate Skype
Identify the Windows username and the Skype username:
C:\Documents and Settings\username\Application Data\Skype\skype username.
Forensic Analysis: Investigating Skype (cont.)
Locate Unencrypted Chat
Skype uses the # and $ signs to denote chat conversations. Search for the Skype
username with a # or $ sign preceding the name. Make sure to search for both
ASCII and Unicode text strings.
Example chat snippet:
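The string searches described on the webmail and Skype slides, as an added example that is not part of the deck or of HBGary's Responder: a Python script that scans a memory image for the analyst's term list in both ASCII and UTF-16LE ("Unicode") form and reports the offsets to bookmark. The sample image bytes and term list are constructed here; load_terms, search_memory_image and render_hit are names chosen for this example.

```python
from typing import Iterator, List, Tuple

Hit = Tuple[int, str, str, bytes]  # (offset, term, encoding, surrounding bytes)

def load_terms(path: str) -> List[str]:
    """Read one search term per line from the analyst's term list, skipping blanks.
    Lines starting with '#' are NOT comments: '#skypename' is itself a term."""
    with open(path, encoding="utf-8") as f:
        return [line.strip() for line in f if line.strip()]

def find_all(data: bytes, needle: bytes) -> Iterator[int]:
    """Yield every offset at which needle occurs in data (overlaps included)."""
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)

def search_memory_image(data: bytes, terms: List[str], context: int = 24) -> List[Hit]:
    """Search the image for each term as ASCII and as UTF-16LE (how Windows stores
    most in-memory strings). context must be even so UTF-16LE context stays aligned
    with the hit. Returns hits sorted by offset."""
    hits: List[Hit] = []
    for term in terms:
        for enc, needle in (("ascii", term.encode("ascii", "ignore")),
                            ("utf-16le", term.encode("utf-16-le"))):
            for off in find_all(data, needle):
                lo, hi = max(0, off - context), min(len(data), off + len(needle) + context)
                hits.append((off, term, enc, data[lo:hi]))
    return sorted(hits, key=lambda h: (h[0], h[1]))

def render_hit(hit: Hit) -> str:
    """One report line: offset (for a bookmark), encoding, term and readable context."""
    off, term, enc, ctx = hit
    codec = "utf-16-le" if enc == "utf-16le" else "latin-1"
    return f"0x{off:08x} [{enc:8}] {term}: {ctx.decode(codec, errors='replace')!r}"

# Constructed stand-in for a memory image: webmail form data in ASCII, then a Skype
# chat fragment stored as UTF-16LE, padded with zero bytes.
SAMPLE_IMAGE = (b"\x00" * 16 + b"user=bob&login=bob@gmail.com&passwd=hunter2 "
                + b"\x00" * 8 + "#alice_sk/$bob_sk;hello there".encode("utf-16-le")
                + b"\x00" * 16)
# Constructed term list: the deck's webmail strings plus Skype chat markers.
SAMPLE_TERMS = ["@gmail.com", "&passwd=", "&login=", "#alice_sk", "$alice_sk"]

if __name__ == "__main__":
    for hit in search_memory_image(SAMPLE_IMAGE, SAMPLE_TERMS):
        print(render_hit(hit))
```

Only "#alice_sk" is found in the sample because it is stored as UTF-16LE; an ASCII-only search would miss it, which is the point of searching both encodings.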
Forensic Analysis: Plugin Support
Background
Responder FE supports plugins which extend the product's capabilities. The plugins
are written by HBGary engineers and customers are free to download and use them.
First download the plugin of interest to a location accessible by Responder. Then
select "Plugin" from the main menu and then "Compile and Load..."
After the plugin has been compiled and loaded it will be accessible via the "Toolbox"
menu. Select the plugin by clicking on the link. Different plugins will have different
next steps in order to complete the analysis.
Forensic Analysis: Plugin Support (cont.)
Image Extraction
The ImageExtractorPlugin.dll will attempt to carve image fragments out of a memory
snapshot. Depending on the size of the memory image this can take a significant
amount of time. Once completed the image fragments will be placed in your project
directory under a folder called "images" as in the graphic below.
Forensic Analysis: Plugin Support (cont.)
HTML Document Extraction
The HTMLExtractorPlugin.dll will attempt to carve image fragments out of a memory
snapshot. Depending on the size of the memory image this can take a significant
amount of time. Once completed the image fragments will be placed in a folder which
Responder will identify to the analyst.
Forensic Analysis: Report Generation
Reporting Steps
Evidentiary data should be added to the report throughout the investigation. This
can be done by right-clicking on items and selecting "Send to report".
Items can also be added to the report by creating bookmarks throughout the memory
image. This is done by right-clicking at the location of interest within the memory
view as shown below.
Forensic Analysis: Report Generation (cont.)
Bookmarks can be edited within the "Report" tab. This can be done by right-clicking
on the report item and selecting "Edit Bookmark."
Final Report
The final report can be generated after all relevant items have been added to the
report. This is done by selecting the "Toolbox" on the left side of the GUI and
selecting "RTF Report."