RAM Analysis

Random-access memory (RAM) is a form of computer data storage. Today, it takes the form of integrated circuits that allow stored data to be accessed in any order (i.e., at random). “Random” refers to the idea that any piece of data can be returned in a constant time, regardless of its physical location and whether it is related to the previous piece of data. (Wikipedia Definition)
A great deal of information, such as e-mail conversations, e-mail addresses, chat records, web pages, URLs, user names and terms typed into search engines, can be found in RAM.
I have also found e-mail conversations and URLs from the past. This article discusses basic techniques that can be used to dump and analyze RAM.
So, let's start getting our hands dirty... :)

Step 1  RAM Acquisition


There are several methods for dumping physical memory (RAM): hardware devices, crash dumps, and software acquisition tools.
In this post I will cover the software method, acquiring physical memory with the command-line tool MDD (Memory DD) from ManTech. MDD reads physical memory through a kernel driver, so it has to be run from an administrator account. It is a 2008-era tool, so confirm that the target's Windows version is one it supports before relying on it.
You can download the MDD tool from this link.
Open a command prompt and enter mdd_1.3.exe -h to view all the available options.

C:\Documents and Settings\Administrator\Desktop\RAM>mdd_1.3.exe -h
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.
mdd ManTech Physical Memory Dump Utility
Usage:
mdd <-o OUTPUTFILE> [-qvcw]
-o OUTPUTFILE output file for dump
-q quiet; no output except on error
-v verbose; output offsets of failed mappings
-c redistribution conditions for GPL
-w warranty information for GPL
C:\Documents and Settings\Administrator\Desktop\RAM>


To dump physical memory (RAM), enter mdd_1.3.exe -o D:\RamDump.img, where D:\RamDump.img is the path and file name for the image.
Write the image somewhere other than the target's own system disk, ideally an external drive or a network share, and run the tool from removable media: acquisition already changes some of the target's memory, and every file written to its disks can overwrite evidence you may need later. When the run finishes, record the MD5 that mdd prints and keep it with the image, and note the number of failed map operations; those are physical address ranges the driver could not read, and running mdd with -v lists their offsets.

C:\Documents and Settings\Administrator\Desktop\RAM>mdd_1.3.exe -o D:\RamDump.img
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.
-> Dumping 3317.88 MB of physical memory to file 'D:\RamDump.img'.
849254 map operations succeeded (1.00)
123 map operations failed
took 939 seconds to write
MD5 is: 4fa719129198f8a360a9469b624bda7f
C:\Documents and Settings\Administrator\Desktop\RAM>
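The two numbers worth keeping from that run are the MD5 and the count of failed map operations. The script below is an added example, not code from the original post or from ManTech: it parses the summary block mdd prints, re-hashes the image in one pass (MD5 to compare with mdd's figure, SHA-256 for the case notes) and reports how many physical pages were left unmapped. It assumes you saved mdd's console output to a text file; SAMPLE_SUMMARY is the output from the run above, and the file names in the usage comment are placeholders.

```python
"""Verify an mdd acquisition against the summary mdd prints.

Added example; this is not code from the original post or from ManTech.
It parses the summary block mdd 1.3 writes to the console (the format
shown above), re-hashes the image with MD5 and SHA-256 in a single read,
and flags two things to check before relying on the dump: whether the
file still matches the hash mdd reported, and how many physical pages
the driver could not map. SAMPLE_SUMMARY is the output from the run
above; the file names in the usage comment are placeholders.
"""
import hashlib
import os
import re
from contextlib import nullcontext
from dataclasses import dataclass

SAMPLE_SUMMARY = """\
-> Dumping 3317.88 MB of physical memory to file 'D:\\RamDump.img'.
849254 map operations succeeded (1.00)
123 map operations failed
took 939 seconds to write
MD5 is: 4fa719129198f8a360a9469b624bda7f
"""

# One pattern per line of mdd's summary.
_SIZE_RE = re.compile(r"Dumping ([\d.]+) MB of physical memory")
_OK_RE = re.compile(r"(\d+) map operations succeeded")
_FAIL_RE = re.compile(r"(\d+) map operations failed")
_MD5_RE = re.compile(r"MD5 is: ([0-9a-fA-F]{32})")


@dataclass
class MddSummary:
    size_mb: float
    mapped_ok: int
    mapped_failed: int
    md5: str


def parse_mdd_summary(text):
    """Pull size, map counts and MD5 out of mdd's console output."""
    def field(rx):
        m = rx.search(text)
        if m is None:
            raise ValueError(f"mdd summary is missing a line matching {rx.pattern!r}")
        return m.group(1)
    return MddSummary(size_mb=float(field(_SIZE_RE)), mapped_ok=int(field(_OK_RE)),
                      mapped_failed=int(field(_FAIL_RE)), md5=field(_MD5_RE).lower())


def hash_stream(fobj, algos=("md5", "sha256"), chunk=1 << 20):
    """Hash a (possibly multi-gigabyte) stream with several algorithms in one read."""
    hashers = {a: hashlib.new(a) for a in algos}
    for block in iter(lambda: fobj.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_acquisition(image, summary_text):
    """image is a path or an open binary file. Returns (summary, digests, findings);
    an empty findings list means the image matches and nothing was unmapped."""
    summary = parse_mdd_summary(summary_text)
    is_path = isinstance(image, (str, bytes, os.PathLike))
    with (open(image, "rb") if is_path else nullcontext(image)) as f:
        digests = hash_stream(f)
    findings = []
    if digests["md5"] != summary.md5:
        findings.append(f"MD5 mismatch: mdd reported {summary.md5}, image hashes to {digests['md5']}")
    if summary.mapped_failed:
        total = summary.mapped_ok + summary.mapped_failed
        findings.append(f"{summary.mapped_failed} failed map operations "
                        f"({100.0 * summary.mapped_failed / total:.3f}% of {total}); "
                        "rerun mdd with -v to record which offsets are missing")
    return summary, digests, findings


if __name__ == "__main__":
    import sys
    # Usage: python verify_mdd.py RamDump.img mdd_console_output.txt   (placeholder names)
    with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
        summary, digests, findings = verify_acquisition(sys.argv[1], f.read())
    print(f"{summary.size_mb} MB, md5={digests['md5']}, sha256={digests['sha256']}")
    for line in findings:
        print("WARNING:", line)
```

Run it on the analysis workstation after copying the image off the target, and again every time the image is moved: a mismatch tells you the copy is suspect before you spend hours searching it. The failed-map count is not a defect in the image, but it belongs in the notes, because any artefact that lived in those pages is simply not in the file.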

Step 2 RAM Analysis


Now we have successfully dumped the physical memory to a file. If this were a crash dump we could analyze it directly with the Windows debugger, but mdd writes a raw image of physical memory, not a crash-dump format, so I will show one of the most basic techniques for analyzing RAM: searching the image for useful strings.
We will extract all the strings from the image and save them to another file using the Strings utility from Sysinternals. You can download this tool from this link. Strings reports both ASCII and Unicode (UTF-16) strings and, by default, anything of three or more characters, which on a multi-gigabyte image produces a huge output file full of binary noise; the -n option raises the minimum length (for example, -n 8).
Open a command prompt and enter Strings.exe D:\RamDump.img > Output.txt

C:\Documents and Settings\Administrator\Desktop\RAM>Strings.exe D:\RamDump.img > Output.txt


Now you can use any text editor to view and search the contents of Output.txt; I prefer to use Notepad++. Output.txt from an image this size can easily run to hundreds of megabytes, so if your editor struggles with it, findstr (or grep) against the file is a practical alternative.
You can search for strings like "www.", "@" or "?q=" (the query parameter used by many search engines) to find useful information about the person who was using that computer. Treat each hit as a lead rather than a conclusion: a string in RAM tells you it was in memory, not which user or program put it there or when.
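To make that search repeatable, here is an added example (my own code, not from the post or from Sysinternals) that does what Strings.exe plus a text-editor search does: it extracts ASCII and UTF-16LE strings of at least eight characters, keeps each one's offset in the image, and sorts the hits into URLs, e-mail addresses and search-engine queries. SAMPLE_IMAGE is a constructed byte string standing in for a slice of a dump, not real data; pass a real image path on the command line to scan a dump file instead.

```python
"""Extract and triage strings from a raw physical-memory image.

Added example, not code from the original post or from Sysinternals: a
pure-Python stand-in for the "Strings.exe image > Output.txt, then search
in an editor" step above. Like Sysinternals Strings it pulls both ASCII
and UTF-16LE (what Windows calls "Unicode") runs, records the image offset
of each hit, and then sorts the hits into the categories the post suggests
searching for: URLs, e-mail addresses and search queries.
SAMPLE_IMAGE is constructed for illustration; it is not a real dump.
"""
import mmap
import re
import sys
from collections import defaultdict
from urllib.parse import unquote_plus

MIN_LEN = 8  # Strings.exe defaults to 3; a higher floor cuts binary noise

# A printable-ASCII run, and the same with a NUL after every byte (UTF-16LE).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Triage patterns for the artefacts the post recommends looking for.
URL_RE = re.compile(r"https?://[^\s\"'<>]+|www\.[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
QUERY_RE = re.compile(r"[?&]q=([^&\s\"'<>]+)")  # ?q= is the query parameter of many search engines

# Constructed stand-in for a few bytes of physical memory: binary junk, an HTTP
# request as an application holds it (ASCII), and two strings stored the way
# Windows programs keep text in memory (UTF-16LE).
SAMPLE_IMAGE = (
    b"\x00\x00MZ\x90\x00\x03\x00"
    b"GET /search?q=memory+forensics&hl=en HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    + "From: alice@example.org".encode("utf-16le")
    + b"\xff\xfe\x00\x01"
    + "https://mail.example.org/inbox".encode("utf-16le")
    + b"ab\x00cd"  # too short to be reported at MIN_LEN
)


def extract_strings(image, min_len=MIN_LEN):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters. image may be bytes or an mmap of the dump file."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(image)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in utf16_re.finditer(image)]
    hits.sort()  # back into image order, so neighbouring artefacts stay together
    return hits


def triage(hits):
    """Bucket the extracted strings into url / email / search_query, de-duplicated."""
    found = defaultdict(set)
    for _offset, _encoding, text in hits:
        found["url"].update(URL_RE.findall(text))
        found["email"].update(EMAIL_RE.findall(text))
        found["search_query"].update(unquote_plus(q) for q in QUERY_RE.findall(text))
    return {k: sorted(v) for k, v in found.items() if v}


def scan_dump(path, min_len=MIN_LEN):
    """Scan a dump of any size by memory-mapping it instead of reading it into
    RAM (a 64-bit Python is needed to map a multi-gigabyte image)."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return extract_strings(mm, min_len)


if __name__ == "__main__":
    hits = scan_dump(sys.argv[1]) if len(sys.argv) > 1 else extract_strings(SAMPLE_IMAGE)
    for offset, encoding, text in hits:
        print(f"{offset:#010x} {encoding:8} {text}")
    for category, values in triage(hits).items():
        print(category, values)
```

The UTF-16 pass matters because Windows applications hold most of their text (window titles, address bars, e-mail headers) as UTF-16, so an ASCII-only search misses it; Strings.exe finds both by default for the same reason. Keeping the offset of each hit lets you return to the raw image in a hex editor and read the bytes around it, which is how you tell a stray fragment of a web page from a typed URL.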
