If you load an image of memory into Volatility, I'm sure you could get the process memory of ftp.exe or similar and see if it contains PII, correct? However, in most cases the data would already be sent and you wouldn't have a process currently sending data like in that case.
So, if you find sensitive data in memory from a string search, is there a way to tell which process was using that data if the process is dead? If PII is in memory, how can you be sure the data was compromised and sent to China, and not just in memory for some legitimate reason?
Memory is part of the computer system and should be analysed in conjunction with the suspect’s computer (HDD). Furthermore, the suspect’s computer is often connected to a network, therefore it should be analysed together with other network devices (firewall, router, mail server etc). If something incriminating was found in memory, one should attempt to verify his/her findings from other sources. If you find a string in memory and check for OS event logs, you may find that there was no network connection at the time. You check Anti-Virus updates log and confirm that there was an error at the time and Anti-Virus was unable to update virus signatures etc. etc. etc.
If you load an image of memory into Volatility, I'm sure you could get the process memory of ftp.exe or similar and see if it contains PII, correct? However, in most cases the data would already be sent and you wouldn't have a process currently sending data like in that case.
Sure, and you may have to consult other data, rather than just the contents of memory. In many cases, that data (network traffic captures) may not be available. In others, it may be…such as if data that is unique in format and content and specific to your systems appears on a public web site…
So, if you find sensitive data in memory from a string search, is there a way to tell which process was using that data if the process is dead?
I would think that in most cases, no. The reason being that when a process exits, several of the elements in the structure are zeroed, such as the PTD, similar to the sectors of a deleted file being freed for use by the OS. As such, a string sitting in a memory page not used by any current process/thread will most likely not be attributable directly to a specific process or object in memory.
However, using that string, and assuming that it is somewhat unique, I would definitely perform a keyword search across available media.
If PII is in memory, how can you be sure the data was compromised and sent to China, and not just in memory for some legitimate reason?
It's all about the context. You've got a valid question…if PII is visible in the strings of a memory dump, but those memory pages are not attributable to any particular process or thread, how can one then determine that the PII was compromised (as opposed to viewed by a legitimate user, or processed in some legitimate manner)?
This is why analysts generally tend not to rely on single pieces of information, but rather look for correlating data to support findings.
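The two points in this reply, that a keyword search across the image is still worthwhile and that a hit in a page no live process owns cannot be attributed, can be shown together in a small script. This is an added example, not code from the thread or from Volatility. It assumes a raw, uncompressed memory dump held as bytes and a table of process memory regions already translated to image offsets (the kind of listing a memory-analysis tool's process/VAD output gives you); both the image and the region table are constructed inline here so the script runs offline.

```python
"""Keyword search over a raw memory image with best-effort process attribution.

Added example for the forum discussion above; not part of the original thread.
Assumptions (hypothetical, for illustration):
  - `image` is a raw memory dump as a bytes object,
  - `regions` is a list of (pid, name, start, end) tuples giving each live
    process's memory ranges as offsets into the image.
"""
import re


def encodings_of(keyword: str) -> dict:
    """Return the byte patterns a keyword can take in a Windows memory image:
    plain ASCII and UTF-16LE (how most Win32 APIs store strings)."""
    return {
        "ascii": keyword.encode("ascii"),
        "utf-16le": keyword.encode("utf-16-le"),
    }


def search_image(image: bytes, keyword: str) -> list:
    """Return sorted (offset, encoding) pairs for every hit of keyword in image."""
    hits = []
    for enc, pattern in encodings_of(keyword).items():
        for match in re.finditer(re.escape(pattern), image):
            hits.append((match.start(), enc))
    return sorted(hits)


def attribute(offset: int, regions: list):
    """Map an image offset to the (pid, name) whose region contains it.

    Pages released when a process exits belong to no region, so a hit there
    comes back as None: present in memory, but not attributable to a process.
    """
    for pid, name, start, end in regions:
        if start <= offset < end:
            return (pid, name)
    return None


def triage(image: bytes, keyword: str, regions: list) -> list:
    """Combine the search with attribution; unattributed hits are the ones that
    need corroboration from other sources (event logs, firewall, proxy, etc.)."""
    results = []
    for offset, enc in search_image(image, keyword):
        results.append({"offset": offset, "encoding": enc,
                        "owner": attribute(offset, regions)})
    return results


# Constructed sample image: filler, the keyword inside a live process's region
# (ASCII), more filler, then the keyword again (UTF-16LE) in pages no process owns.
KEYWORD = "SSN 123-45-6789"          # constructed, not real PII
SAMPLE_IMAGE = (
    b"\x00" * 0x100
    + KEYWORD.encode("ascii")
    + b"\x00" * 0x100
    + KEYWORD.encode("utf-16-le")
    + b"\x00" * 0x100
)
# Constructed region table: only the first hit falls inside a live process.
SAMPLE_REGIONS = [
    (1234, "ftp.exe", 0x0F0, 0x120),
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_IMAGE, KEYWORD, SAMPLE_REGIONS):
        owner = hit["owner"] or "no live process (freed page?)"
        print(f"offset 0x{hit['offset']:x} [{hit['encoding']}] -> {owner}")
```

The script searches both ASCII and UTF-16LE forms because a Windows process may hold the same string in either, and a plain `strings` run that only looks for one will miss hits. The unattributed results are the ones the reply is talking about: they show the data was in memory, but nothing here shows which process used it or whether it left the host, so those offsets become keywords for the search across disk images, logs and network records rather than a conclusion on their own.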
It's much clearer now, thanks guys. :)