Introduction
Hello and welcome readers! Hopefully
you've found this blog because you're interested in learning more
about Digital Forensics – specifically, forensics of volatile
memory, or RAM.
As my senior research project at
Champlain College, I've been tasked with conducting
original research on a forensic topic of my choice. One such topic
that has sparked my interest over the past four years at Champlain
has been the forensics of Random Access Memory because, unlike data
stored on hard drives or servers, information stored in RAM is
“volatile”; that is, upon losing power to the machine, everything
is lost.
Due to the evasive nature of RAM, it
understandably can be seen as an attractive way to store information
for people with malicious intents.Typically, however, RAM is only
accessed by applications in the background, meaning an average
computer user could never even know it was there. There are programs
available, however, that provide users with direct read/write access
to their RAM, in the form of virtual mounted disks. These disks can be used
just like any other hard drive on a machine, but have the advantage
of being many times faster than traditional mechanical hard drives.
Project Plans
In order to narrow down the scope of my
project, I will be using one specific application to mount
the virtual RAM disks that I will be analyzing. The program I chose
to use is StarWind RAM Disk, developed by StarWind Software.
Tool Usage
Usage of this tool is
simple. The GUI provided with the application makes it easy to
quickly mount and dismount disks. From the initial screen, users
simply have to click 'Add Device' and choose the desired size of the
disk. Other options are available as well, such as an automount
option that will mount a disk of that size upon every system reboot, and a logging option that will log the activity of the tool in a text file.
Mounting a RAM Disk |
After choosing the size of the device
and clicking 'next', the device is mounted, and shows up in Windows
Explorer just like any regular disk.
Mounted Disk in Windows |
Forensics
There are many different avenues that I
can take in forensically examining RAM disks, and I hope to hit as
many as I possibly can. As of now, my plans are to use memory
analysis tools like DumpIt and Volatility in order to see
what forensic artifacts I can recover from memory images that contained a
mounted drive. Here are a couple scenarios I am going to look into
and some questions that go along with each:
- Analyzing a RAM image with a device still mounted
- Is there evidence of a device currently being mounted?
- Can any data be recovered from the mounted device?
- Analyzing a RAM image with a device that has been unmounted
- Is there evidence that a device had previously been mounted?
- Is there evidence that a device had been unmounted?
- Can any data be recovered even though the device was unmounted?
- Analyzing a RAM image with a mounted device containing an encrypted container
- Is there evidence of the mounted device?
- Is there evidence that the mounted disk contains an encrypted container?
- Can any data be recovered from the encrypted container?
- What keys/values are changed when logging is enabled?
- What keys/values are changed when automounting is enabled?
- Is there evidence of previously mounted devices in the registry?
Ultimately, in order to incorporate the Computer Science aspect of my major, I would like to write a series of scripts to parse through the many potential locations of forensic artifacts in order to present them quickly and neatly to any forensic investigator.
I plan to post about my research as often as possible so I hope you all will join me and continue to check in on my progress. Thanks for reading!
No comments:
Post a Comment