Wednesday, January 22, 2014

Welcome to Virtual RAM Disk Forensics!

Introduction

Hello and welcome readers! Hopefully you've found this blog because you're interested in learning more about Digital Forensics – specifically, forensics of volatile memory, or RAM.

As my senior research project at Champlain College, I've been tasked with conducting original research on a forensic topic of my choice. One such topic that has sparked my interest over the past four years at Champlain has been the forensics of Random Access Memory because, unlike data stored on hard drives or servers, information stored in RAM is “volatile”; that is, upon losing power to the machine, everything is lost.

Because of the volatile nature of RAM, it understandably can be seen as an attractive place to store information for people with malicious intent. Typically, however, RAM is only accessed by applications in the background, so an average computer user would never even be aware of it as a storage location. There are programs available, however, that give users direct read/write access to their RAM in the form of virtual mounted disks. These disks can be used just like any other drive on a machine, but have the advantage of being many times faster than traditional mechanical hard drives.

Project Plans

In order to narrow down the scope of my project, I will be using one specific application to mount the virtual RAM disks that I will be analyzing. The program I chose to use is StarWind RAM Disk, developed by StarWind Software.


Tool Usage

Usage of this tool is simple. The GUI provided with the application makes it easy to quickly mount and dismount disks. From the initial screen, users simply have to click 'Add Device' and choose the desired size of the disk. Other options are available as well, such as an automount option that will mount a disk of that size upon every system reboot, and a logging option that will log the activity of the tool in a text file.

Mounting a RAM Disk

After choosing the size of the device and clicking 'next', the device is mounted, and shows up in Windows Explorer just like any regular disk.

Mounted Disk in Windows


Forensics

There are many different avenues that I can take in forensically examining RAM disks, and I hope to hit as many as I possibly can. As of now, my plan is to use memory acquisition and analysis tools like DumpIt and Volatility to see what forensic artifacts I can recover from memory images that contained a mounted drive. Here are three scenarios I am going to look into and some questions that go along with each:

  • Analyzing a RAM image with a device still mounted
    • Is there evidence of a device currently being mounted?
    • Can any data be recovered from the mounted device?
  • Analyzing a RAM image with a device that has been unmounted
    • Is there evidence that a device had previously been mounted?
    • Is there evidence that a device had been unmounted?
    • Can any data be recovered even though the device was unmounted?
  • Analyzing a RAM image with a mounted device containing an encrypted container
    • Is there evidence of the mounted device?
    • Is there evidence that the mounted disk contains an encrypted container?
    • Can any data be recovered from the encrypted container?

In addition to these scenarios, I will also be using other Windows tools to document the behavior of the StarWind RAM Disk utility. I'm particularly interested in examining what registry keys are created or edited based on certain actions taken:

  • What keys/values are changed when logging is enabled?
  • What keys/values are changed when automounting is enabled?
  • Is there evidence of previously mounted devices in the registry?

Sysinternals Process Monitor will help me determine how this tool edits the registry based on the actions of the user.

Ultimately, in order to incorporate the Computer Science aspect of my major, I would like to write a series of scripts to parse through the many potential locations of forensic artifacts in order to present them quickly and neatly to any forensic investigator.
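As an added example of the kind of script this could become (written for this post's editing pass, not code from the research project or from StarWind), here is a small Python carver that addresses the "Can any data be recovered from the mounted device?" question. It rests on one assumption: since a RAM disk's contents live in physical memory, a raw memory image should contain the disk's volume boot sector intact. The script scans an image at 512-byte boundaries for NTFS and FAT32 boot sectors, validates the signature fields, and reports where each volume starts and how large it claims to be. The field offsets come from the published NTFS and FAT32 boot-sector layouts; the sample image is constructed inline so the script runs offline.

```python
import struct

SECTOR = 512  # scan granularity; boot sectors are sector-aligned within a volume


def _ntfs_boot_sector(sectors_per_cluster=8, total_sectors=2048):
    """Build a minimal NTFS volume boot record (constructed test data)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"                     # jump instruction
    bs[3:11] = b"NTFS    "                        # OEM ID
    struct.pack_into("<H", bs, 11, 512)           # bytes per sector
    bs[13] = sectors_per_cluster                  # sectors per cluster
    struct.pack_into("<Q", bs, 40, total_sectors)  # total sectors (64-bit)
    bs[510:512] = b"\x55\xAA"                     # boot signature
    return bytes(bs)


def _fat32_boot_sector(total_sectors=4096):
    """Build a minimal FAT32 boot sector (constructed test data)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"
    bs[3:11] = b"MSWIN4.1"
    struct.pack_into("<H", bs, 11, 512)           # bytes per sector
    bs[13] = 8                                    # sectors per cluster
    struct.pack_into("<I", bs, 32, total_sectors)  # total sectors (32-bit)
    bs[82:90] = b"FAT32   "                       # file system type string
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def build_sample_image():
    """A 4 KiB stand-in for a memory dump with two planted boot sectors.
    Constructed for this example; not taken from a real acquisition."""
    img = bytearray(4096)
    img[1024:1536] = _ntfs_boot_sector()
    img[3072:3584] = _fat32_boot_sector()
    return bytes(img)


def find_boot_sectors(image, step=SECTOR):
    """Return a list of candidate NTFS/FAT32 volumes found in a raw image.

    Each hit records the image offset, file system type, bytes per sector
    and the volume size the boot sector claims, which tells an examiner
    how much of the RAM disk's data may be carvable from the dump."""
    hits = []
    for off in range(0, len(image) - SECTOR + 1, step):
        sec = image[off:off + SECTOR]
        if sec[510:512] != b"\x55\xAA":
            continue
        bps = struct.unpack_from("<H", sec, 11)[0]
        if bps not in (512, 1024, 2048, 4096) or sec[13] == 0:
            continue  # implausible geometry: a false positive, not a volume
        if sec[3:11] == b"NTFS    ":
            total = struct.unpack_from("<Q", sec, 40)[0]
            hits.append({"offset": off, "fs": "NTFS",
                         "bytes_per_sector": bps, "size_bytes": total * bps})
        elif sec[82:90] == b"FAT32   ":
            total = struct.unpack_from("<I", sec, 32)[0]
            hits.append({"offset": off, "fs": "FAT32",
                         "bytes_per_sector": bps, "size_bytes": total * bps})
    return hits


def carve_volume(image, hit):
    """Slice the claimed volume out of the image, clipped to what is present."""
    start = hit["offset"]
    return image[start:start + hit["size_bytes"]]


if __name__ == "__main__":
    # To run against a real dump, replace build_sample_image() with
    # open("memory.raw", "rb").read() (path is a placeholder).
    image = build_sample_image()
    for h in find_boot_sectors(image):
        print(f"{h['fs']:5s} at 0x{h['offset']:08x}, "
              f"claimed size {h['size_bytes']} bytes")
```

On a real image the volume usually will not be physically contiguous, because the RAM disk driver's pages are scattered across physical memory; the boot-sector hit still confirms that a volume existed and gives its geometry, and the file-system metadata that follows can be chased page by page from there. Treat the claimed size as an upper bound, and keep a hash of the source image so any carved output can be tied back to the acquisition.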

I plan to post about my research as often as possible so I hope you all will join me and continue to check in on my progress. Thanks for reading!