Threatening Note in 1 of 20 Devices!!

CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter

So guys, there's this threat note found in one of the organizations, and it's down to a room of 20 laptops. So as a forensic expert, I think taking live RAM images of those machines could determine which laptops are more relevant than others.

So Steps are

1- Take RAM images of all 20 laptops (if the laptops are switched on) / and if not??
2- Analyse those images to search for keywords that were included in the threat note. What piece of software would help me search for those keywords? (String search the memory file?)

Thanks guys.

NOTE: All devices are Windows 7.
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

this threat note

WHICH threat note?
I mean, if the threat note is something like

I will soon do to you what you deserve.

you have (maybe) just one word to search, "deserve", which is not part of, say, 3/4 of English sentences (and still holds high possibilities of "false positives").
If the threat is something like

You *bag, *ing b*****d, I have a .45 softnose bullet with your name engraved on it waiting to be shot right through your fat ***.

offers more possibilities. ;)

For all that matters for a text search, a RAM image is nothing different from "unallocated space" in a disk image or, since it won't be as large as a disk image, not unlike looking for text in a binary file or "carving", like
http://forensic.belkasoft.com/en/bec/en/Carving.asp

Whatever you would use for a text search in these cases would do also for the RAM image.

jaclaz

jhup
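Both the original question (step 2: "string search the memory file?") and the reply above boil down to the same operation: treat the RAM image as an opaque binary and look for the note's keywords in it. The script below is an added example, not code posted by anyone in this thread and not a Belkasoft tool. It assumes a list of keywords taken from the note and a raw image file; the sample image it scans is a small byte string constructed inline purely for demonstration. It goes a little beyond the thread's wording in two ways a practitioner would want on Windows 7 machines: it searches for each keyword in both 8-bit ASCII and UTF-16LE (the encoding Windows uses for most user-typed text held in memory, so an ASCII-only search silently misses editor buffers, window titles and clipboard contents), and it streams a large image in chunks with an overlap so a keyword straddling a chunk boundary is still found and not reported twice.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# A hit is (absolute offset in the image, keyword, encoding, decoded context).
Hit = Tuple[int, str, str, str]

# Windows 7 user-mode code keeps most user-typed text (editor buffers, window
# titles, clipboard) in memory as UTF-16LE, while logs, network buffers and many
# file formats hold it as 8-bit ASCII; searching only one of the two misses hits.
ENCODINGS = ("ascii", "utf-16-le")

# Constructed stand-in for a RAM dump of one laptop (not a real image).
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"svchost log: user opened notepad.exe\n"
    + "I have a bullet with your name engraved on it".encode("utf-16-le")
    + b"\x00" * 32
    + b"...you DESERVE nothing less..."
    + b"\x90" * 16
)


def compile_patterns(keywords: List[str]) -> Dict[Tuple[str, str], "re.Pattern[bytes]"]:
    """Build one case-insensitive byte pattern per (keyword, encoding) pair."""
    patterns = {}
    for kw in keywords:
        for enc in ENCODINGS:
            patterns[(kw, enc)] = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
    return patterns


def search_bytes(data: bytes, keywords: List[str], base: int = 0, context: int = 12) -> List[Hit]:
    """Scan an in-memory buffer; `base` is the absolute image offset of data[0]."""
    hits: List[Hit] = []
    for (kw, enc), pat in compile_patterns(keywords).items():
        unit = 2 if enc == "utf-16-le" else 1        # bytes per character
        for m in pat.finditer(data):
            lo = max(0, m.start() - context * unit)  # even distance keeps UTF-16 alignment
            hi = min(len(data), m.end() + context * unit)
            snippet = data[lo:hi].decode(enc, errors="replace")
            hits.append((base + m.start(), kw, enc, snippet))
    return sorted(hits)


def search_file(path: str, keywords: List[str], chunk_size: int = 4 * 1024 * 1024) -> List[Hit]:
    """Stream an image too large to hold in memory. The tail of the previous chunk
    is prepended to the next one so a keyword straddling the boundary is still
    found, and `seen` drops the duplicate that the overlap would otherwise report."""
    overlap = max(len(k) for k in keywords) * 2      # longest possible UTF-16LE needle
    seen = set()
    hits: List[Hit] = []
    with open(path, "rb") as fh:
        base, tail = 0, b""
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            for hit in search_bytes(buf, keywords, base=base - len(tail)):
                if hit[:3] not in seen:
                    seen.add(hit[:3])
                    hits.append(hit)
            base += len(chunk)
            tail = buf[-overlap:]
    return sorted(hits)


def demo(keywords=("deserve", "bullet", "engraved")) -> List[Hit]:
    """Write the constructed image to a temp file and search it with a deliberately
    tiny chunk size so that the chunk-boundary handling is actually exercised."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE_IMAGE)
        return search_file(path, list(keywords), chunk_size=37)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for offset, kw, enc, ctx in demo():
        print(f"0x{offset:08x}  {kw:<10} {enc:<9} {ctx!r}")
```

On the constructed image the run reports "bullet" and "engraved" only as UTF-16LE hits and "deserve" only as an ASCII hit (matched case-insensitively against "DESERVE"), which is exactly the split an ASCII-only `strings`-style search would hide. For real images, replace `demo()` with `search_file("laptop07.raw", keywords)` and keep the default chunk size; the offsets let you go back with a hex viewer to see what surrounded each hit, which is where the false-positive triage the reply above warns about happens.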
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

… and, what time frame are you talking about?

Did this just happen a few hours ago, a few days ago, a few weeks ago? Your chances of recovering anything from memory are estimated to abs(1/x) as x time passes… (or -1/log(-x) if you prefer 0 to be your "no more information".)