Forensics: What data can you find in RAM?

Science & Technology

To decide whether you need to collect Random Access Memory (RAM) on scene, it helps to know what kind of investigation-relevant data is commonly found in RAM.
RAM forensics starts with acquiring memory from a live (powered-on) system. There are several ways to collect the contents of RAM from a computer, and almost all of them require Live Data Forensics: forensic practice on computers or devices that are powered on and whose data is changing while you work.
Thank you to our Members and Patrons, but especially to TheRantingGeek, Roman, Alexis Brignoni, Lorie Hermesdorf, Steven Lorenz, Steffen Luithardt, pjs, Carlos E Gallo Monteiro, and OkiePioneerWoman! Thank you so much!
To do Live Data Forensics of any kind, you need to know how RAM works, how it changes, and how your own actions on the target system affect potential evidence in RAM (and on the hard drive).
00:00 What data is in RAM?
01:18 Programs and file access
02:15 Opened files and file locations
03:43 Typed input
04:40 Opened web pages
05:34 Web page contents
06:01 Decrypted content
06:33 Content no longer on disk
06:46 Content never on disk
08:30 Network traffic
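Added example, not code from the video or from the DFIR.Science course: a small Python carver that reads a raw (uncompressed) memory image in chunks and pulls out the kinds of artifacts the chapters above list, such as URLs, file paths, key material and e-mail addresses. The memory image it scans is constructed inline, and the artifact regexes, sample strings and chunk sizes are this example's own assumptions. Two practitioner points it shows: Windows keeps most user-facing strings (paths, window titles, text typed into edit controls) as UTF-16LE, so an ASCII-only `strings` pass misses them; and when an image is read in chunks, a string straddling a chunk edge is silently split or lost unless you overlap the chunks and de-duplicate the hits.

```python
"""Carve investigation-relevant strings from a raw memory image.

Added example for this page; it is not code from the DFIR.Science video or
course. It assumes a raw, uncompressed dump and constructs a small stand-in
image inline so it runs offline. Structured analysis (process lists, handles,
network connections) needs a framework such as Volatility; string carving is
the quick first look this script demonstrates.
"""
import io
import random
import re
from collections import defaultdict

MIN_LEN = 6
MAX_LEN = 512
# ASCII runs, and UTF-16LE runs (printable byte followed by NUL), as Windows
# stores paths, typed input and window titles.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,%d}" % (MIN_LEN, MAX_LEN))
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,%d}" % (MIN_LEN, MAX_LEN))

# Artifact classifiers for the decoded strings (this example's assumptions,
# not a complete artifact taxonomy).
CLASSIFIERS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "windows_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s\"<>|]+\\)*[^\\\s\"<>|]+"),
    # Lookbehind keeps URL components like ://host/a/b from being reported twice.
    "posix_path": re.compile(r"(?<![:/\w])(?:/[A-Za-z0-9._-]+){2,}"),
    "pem_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def iter_strings(stream, chunk_size=1 << 20, overlap=4096):
    """Yield (byte_offset, encoding, text) for printable runs in a raw image.

    Chunks are re-scanned with an `overlap` tail so a run crossing a chunk
    edge is reported once and in full. Matches that *start* in the tail are
    deferred to the next chunk; a match that starts before the tail and ends
    inside it is reported now, and its remainder is skipped next time.
    """
    assert overlap >= 2 * MAX_LEN, "overlap must cover a whole deferred run"
    base = 0                                   # image offset of buf[0]
    carry = b""
    resume = {"ascii": 0, "utf-16le": 0}       # bytes at buf start already reported
    while True:
        data = stream.read(chunk_size)
        buf = carry + data
        last = not data
        cut = len(buf) if last else max(len(buf) - overlap, 0)
        for enc, rx in (("ascii", ASCII_RE), ("utf-16le", UTF16_RE)):
            skip, resume[enc] = resume[enc], 0
            for m in rx.finditer(buf):
                if m.start() < skip:
                    continue                   # tail of a run reported last chunk
                if m.start() >= cut:
                    break                      # starts in the tail: next chunk reports it
                if m.end() > cut:
                    resume[enc] = m.end() - cut
                yield base + m.start(), enc, m.group().decode(enc)
        if last:
            return
        carry = buf[cut:]
        base += cut


def carve(stream, **kw):
    """Group carved strings by artifact type as (byte_offset, encoding, hit)."""
    found = defaultdict(list)
    for off, enc, text in iter_strings(stream, **kw):
        width = 2 if enc == "utf-16le" else 1
        for kind, rx in CLASSIFIERS.items():
            for hit in rx.finditer(text):
                found[kind].append((off + width * hit.start(), enc, hit.group()))
    return dict(found)


# Constructed artifacts standing in for what a real dump would hold.
SAMPLE_ARTIFACTS = [
    b"GET https://intranet.example.test/hr/payroll.xlsx HTTP/1.1",
    "C:\\Users\\jdoe\\Documents\\offer-letter.docx".encode("utf-16le"),
    b"/home/jdoe/.ssh/id_ed25519",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    "jdoe@example.test".encode("utf-16le"),
]


def build_sample_image(seed=7, pad=4096):
    """Constructed stand-in for a raw memory dump (not a real capture).

    Padding bytes have the high bit set so they never form printable runs;
    that keeps the carve result deterministic for the checks below.
    """
    rng = random.Random(seed)
    out = bytearray()
    for blob in SAMPLE_ARTIFACTS:
        out += bytes(rng.getrandbits(7) | 0x80 for _ in range(pad))
        out += blob
    out += bytes(rng.getrandbits(7) | 0x80 for _ in range(pad))
    return bytes(out)


if __name__ == "__main__":
    image = build_sample_image()
    for kind, hits in carve(io.BytesIO(image)).items():
        for off, enc, text in hits:
            print(f"{off:#010x} {kind:<13} {enc:<8} {text}")
```

Run it against a real image with `carve(open("mem.raw", "rb"))`; the chunked reader keeps memory use flat for multi-gigabyte dumps. Runs longer than `MAX_LEN` are split into several matches, which is acceptable for triage but means a very long string crossing a chunk edge can lose its remainder.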
bit.ly/2Ij9Ojc - 👍 Subscribe for weekly videos
❤️ Get early access and bonus content - bit.ly/DFIRSciMember
Links:
🚀 5% off FULL COURSE on RAM Acquisition and Analysis (learn.dfir.science/courses/RA...)
Related book:
* Practical Malware Analysis (amzn.to/3OqYeEk)
* Operating System Concepts (amzn.to/3J0AJ3T)
#forensics #infosec #ram
010001000100011001010011011000110110100101100101011011100110001101100101
Get more Digital Forensic Science
👍 Subscribe → bit.ly/2Ij9Ojc
❤️ YT Member → bit.ly/DFIRSciMember
❤️ Patreon → / dfirscience
🚀 Forensic Courses → learn.dfir.science
🕸️ Blog → DFIR.Science
🤖 Code → github.com/DFIRScience
🐦 Follow → / dfirscience
📰 DFIR Newsletter → bit.ly/DFIRNews
010100110111010101100010011100110110001101110010011010010110001001100101
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.

Comments: 10

  • @DFIRScience
@DFIRScience 1 year ago

    We have a whole course on RAM acquisition and analysis! Get 5% off FULL COURSE with this link learn.dfir.science/courses/RAM-Forensics-Tutorial?coupon=KZreadRAM5

  • @didyouknowamazingfacts2790
@didyouknowamazingfacts2790 8 months ago

I'm wondering, can you do a memory/RAM snapshot of a single file rather than a full system memory snapshot?

  • @lancemarchetti8673
@lancemarchetti8673 1 year ago

    Fantastic

  • @racingtheweb
@racingtheweb 3 months ago

    So how to wipe RAM?

  • @VanessaW777
@VanessaW777 4 months ago

    How do I contact you?

  • @science_mbg
@science_mbg 1 year ago

    I want to sell my unused RAM in the second-hand market. It has been out for more than 6 months, but now I am worried that my private information can be used this way. Should I worry and not sell? What do you recommend? Thanks

  • @ralph17p
    @ralph17p 9 months ago

    It's not something to worry about. If someone puts the RAM in another computer and turns it on, the contents are overwritten in fairly short order, even if data was present somehow. Generally, to recover usable data from memory, either you dump it to an image while the machine is running, or you freeze it with a cooling spray and move it quickly to a hardware-based reader. After a few minutes you can still read approximately 99% of the data, but it degrades rapidly. After a day or so, I don't imagine there would be anything meaningful that could be pulled. On RAM that was in a computer that was shut down at ambient temperature, there's almost no chance of recovering anything. Correction - the RAM freezing exploit, which I did a bit more reading on, uses the target computer itself, rather than moving to a forensic imager such as might be used for disk media. After chilling the RAM to preserve the contents, a bootable media is used to load a lightweight forensic OS and dump the RAM contents to removable media.

  • @benstadium7474
@benstadium7474 1 year ago

Does the RAM not get wiped after it's been out of the PC for long?

  • @DFIRScience
    @DFIRScience 1 year ago

Depending on the type of RAM, it can keep data for a short period of time after the computer has been shut off, including if you remove the RAM from the system. Short time is less than 5-10 minutes. Note you will get some data loss as soon as power is off, which will get worse over time.

  • @VanessaW777
@VanessaW777 4 months ago

    I see your website
