Why Windows RAM Should Be Part of Triage

Analyzing the contents of RAM has been a hot button topic for some time now.  It makes sense in a lot of ways, after all RAM is a block of storage, so why not image it.

There is little doubt that RAM can contain an innumerable amount of important information, but how does imaging RAM fit into your process when you are collecting data at the scene?

Collecting RAM vs Triage Tools

Triage tools by their nature rely on Windows APIs and certain structures of the Windows kernel to collect their data.  This could put the entire process at risk of being subverted by malware that may be present on the computer.  Malware authors are aware of the way triage tools work, and deliberately code their malware to corrupt the analysis.  This is called Direct Kernel Object Manipulation.  In essence, a piece of malware that is written in such a way can hide itself from a Windows processes like Task Manger, or cloak its connections to operations like Netstat.

RAM analysis can provide a clearer picture of what is going on.

Collecting RAM

There are several tools available to collect Windows RAM, both open sourced and commercial.  They are of course of varying quality.  Examiner’s should always test their tools carefully to ensure that the tool does not leave a big footprint.  In other words, the tools should be small enough that it won’t use a significant amount of space in the RAM attempting to be captured.

Examiners should always be cognizant that they are running a RAM capture process on a live computer, so documenting each step is key in this process.

Once RAM Has Been Collected

The output of most RAM collection tools is essentially a RAW dump of the contents of RAM.  BlackLight will process RAM collections that are in most (non-proprietary) formats.  Triaging the RAM at the scene takes minutes, and can easily provide clues needed to further investigations.

Let’s have a look at how triaging RAM can be helpful in a child exploitation case.

Adding RAM To Triage

Once a new case has been created, select the Add button.  The Add Evidence window opens, select Add again and navigate to the location of your memory image.

Adding a memory image to BlackLight

Figure 1:  Adding a memory image to BlackLight

Once the memory image has been added, BlackLight prompts for the amount of processing desired.  Let’s just triage the memory.  Full complete processing can be done at a later time.

BlackLight ingestion options

Figure 2:  Ingestion options, triage the memory

Processes, Libraries, Sockets, Handles, Drivers

Once complete select the memory image then System ➔ Memory where five tabs are present:

  • Processes- Active running processes
  • Libraries- The .dlls that are being used
  • Sockets- Network connections
  • Handles- These are Windows services being accessed
  • Drivers- Drivers that are being used on the system

As stated earlier, we are going to make this a triage of a computer in a child exploitation case (keep in mind this only an example, this could be any type of case from intellectual property to tax evasion to homicide).

Examining the Processes of this running Windows computer, we find a known peer-to-peer file sharing application, Shareaza running.

Artifacts related to ShareazaFigure 3:  Artifacts related to Shareaza

Selecting Shareaza populates the Libraries, Sockets, and Handles that are specifically associated with Shareaza. As Shareaza is a file sharing application, we will focus on Sockets.  The IP addresses shown represent computers that we are connected to.

IP addresses related to ShareazaFigure 4:  Showing IP addresses that Shareaza connected to

These IP addresses could represent people with whom this user is trading child exploitation material. Meaning potential new suspects could be quickly established, simply by triaging RAM.  Further if this was an undercover investigation where an investigator connected to a suspects' computer to download child exploitation material, the undercover officer’s IP address would be listed.  This assists in proving that the right computer is being investigated.

There are more ways to uncover information. For example, by using keyword searches examiners can discover specific words entered by the user to conduct searches when using the file sharing software.

Despite taking a very minimal amount of time, we have managed to obtain a fair amount of important data simply by successfully triaging a RAM dump.

Learn more on Windows forensics with our blog series.


Leave a Reply

Sorry, you must be logged in to post a comment.