What is Random Access Memory?
Ғылым және технология
Random Access Memory forensics starts with acquiring RAM from a live (turned on) system. There are several ways to collect the contents of RAM from a computer. Almost all of them require Live Data Forensics, a type of forensic practice that deals with computers or devices powered on, and the data is changing.
Thank you to our Members and Patrons, but especially to TheRantingGeek, Roman, Alexis Brignoni, Lorie Hermesdorf, Steven Lorenz, and OkiePioneerWoman! Thank you so much!
To do Live Data Forensics of any kind, you need to know how Random Access Memory works, how it changes, and how your actions on the target system will affect possible evidence in RAM (and on a hard drive).
00:00 Random Access Memory
01:08 Does RAM have a file system?
02:13 What is RAM used for?
02:51 What devices have RAM?
03:54 When is the data in RAM modified?
06:19 When should digital investigators collect RAM?
bit.ly/2Ij9Ojc - 👍 Subscribe for weekly videos
❤️ Get early access and bonus content - bit.ly/DFIRSciMember
Links:
🚀 5% off FULL COURSE on RAM Acquisition and Analysis (learn.dfir.science/courses/RA...)
Related book:
* Practical Malware Analysis (amzn.to/3OqYeEk)
* Operating System Concepts (amzn.to/3J0AJ3T)
#forensics #infosec #ram
010001000100011001010011011000110110100101100101011011100110001101100101
Get more Digital Forensic Science
👍 Subscribe → bit.ly/2Ij9Ojc
❤️ YT Member → bit.ly/DFIRSciMember
❤️ Patreon → / dfirscience
🚀 Forensic Courses → learn.dfir.science
🕸️ Blog → DFIR.Science
🤖 Code → github.com/DFIRScience
🐦 Follow → / dfirscience
📰 DFIR Newsletter → bit.ly/DFIRNews
010100110111010101100010011100110110001101110010011010010110001001100101
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.
Пікірлер: 13
We have a whole course on RAM acquisition and analysis! Get 5% off FULL COURSE with this link learn.dfir.science/courses/RAM-Forensics-Tutorial?coupon=KZreadRAM5
man I missed this kind of tutorials lol. Great work here, thanks!!!
@DFIRScience
Жыл бұрын
Thanks a lot! I'm working on a few more.
@niklasrabener7555
7 ай бұрын
😢😂😢😢😊😂😊1😂😂😢😢😢😂😮
Great video and thanks to dumping ram we can also bypass AES-256 XTS on warm and cold boot attacks ... Extract the FVEK from FS or RAM and mount the volume with BDE lib to mount the FS & Volatility to extract the key ...
@DFIRScience
Жыл бұрын
Yes, it can. The original plugin to dump FVEK can be found here: github.com/volatilityfoundation/community/tree/master/MarcinUlikowski There are a few others that have written something based on the original: github.com/breppo/Volatility-BitLocker If you get the key you can use dislocker or Arsenal Image Mounter. Good luck!
sry for the noob question.. its possible to collect RAM evidences for a Virtual Machine if, the Machine is a suspended/pause Mode?
@DFIRScience
Жыл бұрын
From "inside" the virtual machine, no. But if the virtual machine is suspended, then a copy of RAM has most likely been written to the host machine. You can also use the virtual machine manager to dump the memory of the virtual machine. If everything else failed, you can copy the RAM of the host machine that will contain the memory of the virtual machine, but that would be difficult to investigate.
@ciaobello1261
Жыл бұрын
@@DFIRScience Thank you for your replay
@Nonoss75
Жыл бұрын
If the software is Workstation, but I assume it is also true for other software, you can find a *.vmem and *.vmss files in the virtual machine folder. These are the RAM of your suspended machine and you need both to work with volatility for example.
@ciaobello1261
Жыл бұрын
@@Nonoss75 cool, thanks for the advice
hahahaha
@DFIRScience
Жыл бұрын
🤔