I was recently reading a paper on memory analysis and some of the information got me thinking. The author was discussing using strings to parse out valuable information such as passwords, login and username credentials, but what do you search for in your strings output? The author included a few examples of known entities within memory. See below. I was wondering if anyone else has come up with some known entities that might work.
Below demonstrates some fingerprints present in our set of patterns (application, then the pattern to search for):
1. Yahoo Web Mail: passwd
2. Yahoo Web Mail: login
3. Horde Web Mail: imapuser =
4. Horde Web Mail: pass =
5. WinSCP: password 00 00 00 08a
6. Yahoo Messenger: buddies = (b  (this is an elevated b)
Thanks,
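One way to implement the strings-plus-grep approach the post describes, as an added example that is not part of the thread: it extracts printable ASCII and UTF-16LE runs from a dump (what `strings` and `strings -el` do) and reports which of the listed fingerprints each run contains, with the byte offset. The fingerprint labels follow the list above; the sample dump bytes are constructed, not a real capture.

```python
import re

# Fingerprints from the post; the WinSCP entry is given as raw bytes there, so it is left out here.
FINGERPRINTS = {
    "Yahoo Web Mail login field": "login",
    "Yahoo Web Mail password field": "passwd",
    "Horde Web Mail user": "imapuser =",
    "Horde Web Mail password": "pass =",
    "Yahoo Messenger buddy list": "buddies =",
}

MIN_LEN = 4  # same default minimum run length as `strings`
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text as Windows keeps it in memory: printable byte followed by NUL, repeated.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(dump):
    """Yield (offset, encoding, text) for every printable run in the dump."""
    for m in ASCII_RUN.finditer(dump):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(dump):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_fingerprints(dump):
    """Return (offset, encoding, label, full_string) for each run containing a fingerprint."""
    hits = []
    for off, enc, text in extract_strings(dump):
        for label, needle in FINGERPRINTS.items():
            if needle in text:
                hits.append((off, enc, label, text))
    return sorted(hits)


# Constructed sample dump: binary padding, an ASCII web-mail form body,
# a UTF-16LE fragment, more padding, then an ASCII Horde-style field.
SAMPLE_DUMP = (
    b"\x00\x01\x02" * 8
    + b"login=alice&passwd=REDACTED-EXAMPLE&.persistent=y"
    + b"\xff\x00\x00\x00"
    + "imapuser = bob".encode("utf-16-le")
    + b"\x00" * 6
    + b"pass = EXAMPLE"
)

if __name__ == "__main__":
    for off, enc, label, text in find_fingerprints(SAMPLE_DUMP):
        print(f"0x{off:08x} {enc:8s} {label}: {text}")
```

Running it against a real dump means replacing SAMPLE_DUMP with the file's bytes; a run that matches both "login" and "passwd" is reported once per fingerprint, which is useful for telling form fields apart.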
I have read similar information about searching RAM dumps. However, most of the time the investigator does not know what User name or programs were used. Most data out there is in regards to processes and other data for malware analysis. I felt the material fell short when it comes to investigations. Most just reference using Strings.
So, I created a series of documents with hex search terms for my thesis (instant messaging, passwords, portable software, Google searches, MapQuest and MapBlast, and more). I am still finalizing them.
I did some testing and found that JAD Software's Internet Evidence Finder (although it doesn't find everything) does a pretty good job against a memory dump. WinHex or X-Ways Forensics also do a good job for data carving against a RAM dump. I found the hex search terms were very consistent. Fortunately, memory dumps are still relatively small. If I were a programmer, I would compile these search terms into a GUI interface.
Regards,
Chris Currier
CMT Digital Solutions, Inc.
Chris,
I am doing some work on analysing web browsing information gathered from RAM dumps to determine whether there was any use of Firefox "private" browsing. I have understood that there is no specific way to find this information within the dump; however, there is still a need to discover this information for useful purposes such as the ones you have mentioned.
I am particularly interested in the methods of collecting URL addresses from memory in order to highlight websites visited. Is there much information you have come across on why this hasn't been achieved yet?
I would also like to see these search terms you have come up with; it sounds very interesting!
Jason
These need to be updated, more than likely. I have found JAD Software's Internet Evidence Finder works well for examining RAM dumps.
http//
I will be updating these for an article. I have also done some that I need to add with regard to portable programs run from a USB drive. However, I am currently looking at trying the same approach with Mac RAM dumps.
Regards,
Chris Currier
I know they are doing some work with Volatility, but again, it came down to using grep and strings to finally get at the data.