Looking for a little help.

12 Posts
7 Users
0 Likes
599 Views
(@artee)
Posts: 13
Active Member
Topic starter
 

Morning all,

I have recently been given an assignment on forensic implications of acquiring and analysing RAM (from Windows-based machines). We have been given a list of free tools that can be used for this purpose and we are to pick three to evaluate. We haven't actually done anything like this practically, so I was wondering if anyone could point me to some free software that I can run in a VM that will show me the impact each piece of software has on the RAM. We have been told that we do not need to do too much hands-on work, as a lot of the information we will be after is already out there, but I would like to have a play with the software so I know what I am writing about a little better.

Thanks in advance,

Artee

 
Posted : 16/11/2015 3:45 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

This is a start to show the memory footprint a program may have
http://www.zdnet.com/article/windows-7-memory-usage-whats-the-best-way-to-measure/

Sysinternals (acquired by Microsoft)
https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx

Process Monitor from Sysinternals may be what you are looking for
https://technet.microsoft.com/en-us/sysinternals/processmonitor

I have used Filemon and Regmon quite a bit to tell me what a program is doing.

In general, there should be little problem with memory contamination when firing up a new process (like a memory dumper/scraper) with a concurrent suspect one. The problem comes when the suspicious process may detect that something is happening and may terminate the dumper/scraper, terminate itself, crash or even trash the system to make investigations harder.

There are tools that can prevent this by freezing processes in place (like Resource Monitor, which can freeze one at a time, accessible from Task Manager) - that is, if you know what you are looking for. So, this is an aspect you could look for too - how stealthy is the memory acquisition.

And as always, feel free to share your findings in this forum.

 
Posted : 17/11/2015 5:16 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Also remember that the memory for a virtual machine can be frozen using the "suspend" method.
Therefore you could take a snapshot of the memory before running a tool to see how much data is changed in RAM after the acquisition.

 
Posted : 17/11/2015 2:19 pm
(@artee)
Posts: 13
Active Member
Topic starter
 

Thanks for your replies.

I have been looking at Process Explorer as this seems to show me the amount of memory that is being used by each application (Private Bytes and Working Set). Am I right in assuming this, and are they two separate amounts that would need to be added together to see their footprint, or is one taken from the other?

All I need to know is the impact of each tool I choose to use.

Sorry if the questions are basic but we haven't done any work on this and have just been handed the assignment.

 
Posted : 23/11/2015 4:28 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I have recently been given an assignment on forensic implications of acquiring and analysing RAM (from Windows-based machines).

Given the assignment, I'm unclear as why you'd need free tools and what you'd need them for.

We have been given a list of free tools that can be used for this purpose and we are to pick three to evaluate. We haven't actually done anything like this practically, so I was wondering if anyone could point me to some free software that I can run in a VM that will show me the impact each piece of software has on the RAM. We have been told that we do not need to do too much hands-on work, as a lot of the information we will be after is already out there, but I would like to have a play with the software so I know what I am writing about a little better.

So what, exactly, is meant by "an assignment on forensic implications of acquiring and analyzing RAM"?

Acquiring
The forensic implication of acquiring data is that if you're not doing it, then it's likely that your final analysis includes a lot of guessing, whether you want to admit it or not.

If your assignment is to assess the impact that acquisition tools have on a system when you're acquiring RAM, I'd strongly suggest that monitoring the acquisition process isn't necessarily the way to go about it. After all, you're running into the Heisenberg Uncertainty Principle…the act of observing or measuring something has an impact on what you're observing.

What I would suggest is that it may be a more viable option to attempt to determine what the various acquisition tools are actually acquiring.

Analyzing
You get access to stuff you wouldn't see or have access to otherwise…running processes, etc. I've conducted a number of examinations where hibernation files have been literal treasure troves of invaluable data.

 
Posted : 23/11/2015 7:46 pm
(@artee)
Posts: 13
Active Member
Topic starter
 

We have been given six tools to choose from, including DumpIt, Memoryze and EnCase Imager. We need to investigate them and decide on three to focus on.
We are then to be looking at the impact of running these tools on live memory: how much memory do they use, so how much data could you theoretically lose?
On top of hunting for information on comparisons of the various pieces of software, I was looking for tools that would show what impact/footprint the three different pieces of software produced. I have looked at various papers and sites, but they're obviously a lot more advanced than what I am looking for.

 
Posted : 23/11/2015 9:30 pm
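The suspend-and-snapshot approach suggested above (freeze the VM, save its memory, run the acquisition tool, save again) turns the "how much data could you theoretically lose" question into a measurable one: compare the two images page by page and count what changed. The script below is an added example written for this thread; it is not a tool from any of the posters or from the products named. It assumes 4 KiB pages and works on two raw memory images of equal size; the sample images it builds are constructed in code so it runs offline.

```python
"""Page-level diff of two raw RAM snapshots taken before and after running
an acquisition tool, to estimate how much of physical memory the tool
overwrote.  Added example for this thread; the sample images are constructed."""
import hashlib
import io
import itertools

PAGE_SIZE = 4096  # x86/x64 small page; an assumption for this example


def iter_pages(stream, page_size=PAGE_SIZE):
    """Yield (page_index, page_bytes) from a binary stream; the final page
    may be short if the image is not page-aligned."""
    index = 0
    while True:
        chunk = stream.read(page_size)
        if not chunk:
            return
        yield index, chunk
        index += 1


def diff_snapshots(before, after, page_size=PAGE_SIZE):
    """Compare two snapshot streams page by page and report how many pages
    (and bytes within them) differ.  Images of unequal size raise
    ValueError: page-aligned comparison of a truncated or differently
    sized dump would silently misattribute changes."""
    changed_pages = []
    changed_bytes = 0
    total = 0
    pairs = itertools.zip_longest(
        iter_pages(before, page_size), iter_pages(after, page_size),
        fillvalue=(None, None))
    for (idx, page_a), (_, page_b) in pairs:
        if page_a is None or page_b is None or len(page_a) != len(page_b):
            raise ValueError("snapshots differ in size; cannot compare page by page")
        total += 1
        if page_a != page_b:
            changed_pages.append(idx)
            changed_bytes += sum(1 for x, y in zip(page_a, page_b) if x != y)
    return {
        "pages": total,
        "changed_pages": changed_pages,
        "changed_bytes": changed_bytes,
        "changed_fraction": len(changed_pages) / total if total else 0.0,
    }


def diff_bytes_images(before_bytes, after_bytes, page_size=PAGE_SIZE):
    """Convenience wrapper for in-memory images (real dumps: pass open files)."""
    return diff_snapshots(io.BytesIO(before_bytes), io.BytesIO(after_bytes), page_size)


def contiguous_runs(indices):
    """Collapse sorted page indices into (first, last) runs, so a tool's
    footprint reads as a few contiguous regions rather than a long list."""
    runs = []
    for idx in indices:
        if runs and idx == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], idx)
        else:
            runs.append((idx, idx))
    return runs


def build_sample_images(pages=16, page_size=PAGE_SIZE):
    """Constructed sample: 'before' pages hold deterministic pseudo-random
    content; 'after' has pages 3-5 fully overwritten (a tool's buffer landing
    in RAM) and a single byte of page 9 flipped (e.g. a counter update)."""
    before = [
        hashlib.sha256(i.to_bytes(4, "little")).digest() * (page_size // 32)
        for i in range(pages)
    ]
    after = list(before)
    for i in (3, 4, 5):
        after[i] = bytes(b ^ 0xFF for b in before[i])  # every byte differs
    after[9] = bytes([before[9][0] ^ 0x01]) + before[9][1:]
    return b"".join(before), b"".join(after)


def analyse_sample():
    """Run the diff over the constructed images and attach the run summary."""
    before, after = build_sample_images()
    report = diff_bytes_images(before, after)
    report["runs"] = contiguous_runs(report["changed_pages"])
    return report


if __name__ == "__main__":
    r = analyse_sample()
    print(f"{len(r['changed_pages'])}/{r['pages']} pages changed "
          f"({r['changed_fraction']:.1%}), {r['changed_bytes']} bytes, runs {r['runs']}")
```

For real images, open both saved-state files in binary mode and pass them to diff_snapshots; the per-page loop keeps memory use constant regardless of image size. Interpreting the count still needs care: pages changed by the guest OS itself between the two snapshots (timers, logging) are attributed to the tool unless the VM stays suspended for everything except the acquisition run, which is the main reason the suspend method matters.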
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

We have been given six tools to choose from, including DumpIt, Memoryze and EnCase Imager. We need to investigate them and decide on three to focus on.
We are then to be looking at the impact of running these tools on live memory: how much memory do they use, so how much data could you theoretically lose?

Honestly, I cannot fathom the purpose of this exercise.

 
Posted : 23/11/2015 10:30 pm
(@athulin)
Posts: 1156
Noble Member
 

We are then to be looking at the impact of running these tools on live memory: how much memory do they use, so how much data could you theoretically lose?

A real investigation requires some pretty deep knowledge of virtual memory management in modern operating systems. I'm assuming you don't have that – if you did, you wouldn't have to ask.

On normal platforms you have standard tools already: Task Manager in Windows, top or ps in Unix, and so on. (Or you can add specialized tools like 'Process Explorer'.) These can provide you with various kinds of process size information, and possibly even statistics collected over a period of time.

I suggest you figure out what each of the available tools measure, decide if any of that is what you are looking for, and then go from there. And check in with your tutor at some point just to make sure you're not doing things in a more difficult way than intended.

At some point you probably may need to ponder what impact these measurement tools have on the system …

 
Posted : 24/11/2015 12:58 am
(@artee)
Posts: 13
Active Member
Topic starter
 

A real investigation requires some pretty deep knowledge of virtual memory management in modern operating systems. I'm assuming you don't have that – if you did, you wouldn't have to ask.

On normal platforms you have standard tools already: Task Manager in Windows, top or ps in Unix, and so on. (Or you can add specialized tools like 'Process Explorer'.) These can provide you with various kinds of process size information, and possibly even statistics collected over a period of time.

I suggest you figure out what each of the available tools measure, decide if any of that is what you are looking for, and then go from there. And check in with your tutor at some point just to make sure you're not doing things in a more difficult way than intended.

At some point you probably may need to ponder what impact these measurement tools have on the system …

Thanks for your reply.

Yeah, the assignment is more of a literature review of previous work, but we have been told to use the tools to get a feel for them and to provide some screenshots etc.

To monitor the RAM impact of each piece of software I have looked at Task Manager, Process Explorer and RAMMap. All three give slightly different numbers. Any idea which one would be the most accurate? (I'm guessing it's not Task Manager.)

Thanks in advance.

 
Posted : 25/11/2015 2:29 pm
(@artee)
Posts: 13
Active Member
Topic starter
 

Just wanted to say a quick thanks to everyone who replied to this. I got a good grade back from the assignment.

 
Posted : 19/12/2015 9:16 pm
Page 1 / 2