Definition of Memory Forensics
Memory forensics (sometimes referred to as memory analysis) is the analysis of the volatile data captured in a computer’s memory dump. Information security professionals conduct memory forensics to investigate and identify attacks or malicious behavior that leave few or no easily detectable traces on disk.
What is Volatile Data?
Volatile data is the data held in a computer’s RAM while it is running. Unlike data on disk, it is not preserved when power is lost: DRAM contents decay within seconds to minutes once power is removed and are gone after a reboot, so volatile data has to be captured from the live system. It can include browsing history, chat messages, clipboard contents, and the working state of every running program. If, for example, you were working on a document in Word or Pages that you had not yet saved to your hard drive or another non-volatile store, you would lose that work if the computer lost power before it was saved.
What is in a Memory Dump?
A memory dump is a snapshot of the contents of memory captured at a specific instant. The terms core dump and system dump are often used loosely as synonyms, but a core dump usually means the memory of a single crashed process, and a kernel or system dump may contain only kernel memory; forensic analysis normally needs a full physical memory image, that is, a copy of all of RAM. A memory dump can contain valuable evidence about the state of the system before an incident such as a crash or security compromise, and its contents can be used to establish the cause of the incident and reconstruct what happened.
The Importance of Memory Forensics
Memory forensics provides unique insight into runtime system activity: open network connections, running processes and threads, loaded modules, and recently executed commands. In many cases, critical evidence of an attack exists only in memory. Examples include network connections, account credentials, chat messages, encryption keys, running processes, injected code fragments, and browsing history that was never written to disk (for instance, from a private-browsing session). Any program, malicious or otherwise, must be loaded into memory in order to execute, which is why memory forensics is so effective at exposing attacks that are obfuscated or hidden on disk.
As attack methods become more sophisticated, memory forensics tools and skills are in high demand. Network- and signature-based controls such as firewalls and traditional antivirus cannot detect malware that resides only in RAM and never touches disk, because there is no file for them to scan. Security teams should add memory forensics tools and specialists to their existing controls to catch stealthy attacks such as fileless, in-memory malware and RAM scrapers.
Memory Forensics Tools
Traditional network and endpoint security software has difficulty identifying malware that exists only in your system’s RAM. These products typically inspect inputs such as network traffic, email, removable media (CD/DVD, USB), and files written to disk, but they do not examine the volatile state of memory. They remain the right controls for malware that arrives through those channels or sits in files on local, network, or removable storage. Code that is already executing, however, can still be compromised by attacks that inject malware into memory belonging to legitimate processes, or that never write a file at all. The most capable enterprise security products now include memory analysis and behavioral detection that can identify malware, rootkits, and zero-day exploits resident in physical memory.
Memory forensics tools also provide invaluable threat intelligence that can be gathered from your system’s physical memory. Physical memory artifacts include the following:
- Usernames and Passwords: credentials that users type into login prompts, and the secrets held by authentication subsystems, can remain in physical memory, often in plaintext, long after they were entered.
- Decrypted Programs: a packed or encrypted malicious file must unpack or decrypt itself in memory before it can run, so a memory image contains the malware’s real code even when the sample on disk is obfuscated. This is valuable for identifying and attributing the threat.
- Open Clipboard or Window Contents: this may include data that was copied or pasted, instant messenger or chat sessions, form-field entries, and email contents.
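As an added illustration of the first two artifact types above (this is example code written for this page, not code from the page’s author or from any product it describes), the Python script below scans a raw memory image for unpacked PE headers, which a packed or encrypted program must expose in memory before it can run, and for credential-like key/value strings. The image it scans is a small byte string constructed inline, not a real dump; the list of credential key names and the sanity bound on e_lfanew are heuristics chosen for this demo. Against a real image you would run the same functions over the dump file and then move to a dedicated memory forensics framework for process and module reconstruction.

```python
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Minimum run of printable ASCII bytes to report as a string (same default as `strings`)
MIN_STRING_LEN = 6

# Heuristic key names that suggest a credential (an assumption for this demo;
# longer alternatives first so "password" is not matched as "pass")
CRED_RE = re.compile(
    rb"(?i)\b(password|passwd|pass|pwd|secret|token|username)\s*[=:]\s*([\x21-\x7e]+)"
)


@dataclass
class PEHit:
    offset: int        # offset of the 'MZ' DOS header inside the image
    machine: int       # IMAGE_FILE_HEADER.Machine (0x8664 = x64, 0x14c = x86)
    num_sections: int  # IMAGE_FILE_HEADER.NumberOfSections
    timestamp: int     # IMAGE_FILE_HEADER.TimeDateStamp (link time)


def carve_pe_headers(image: bytes) -> List[PEHit]:
    """Find PE images that are laid out in memory by validating the chain
    MZ -> e_lfanew -> 'PE\\0\\0'. A bare 'MZ' is not enough on its own."""
    hits = []
    for m in re.finditer(rb"MZ", image):
        off = m.start()
        if off + 0x40 > len(image):          # not even a full DOS header left
            continue
        e_lfanew = struct.unpack_from("<I", image, off + 0x3C)[0]
        pe_off = off + e_lfanew
        # e_lfanew must point past the DOS header; 0x1000 is a sanity bound (assumption)
        if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe_off + 24 > len(image):
            continue
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            continue
        # COFF header follows the signature: Machine, NumberOfSections, TimeDateStamp, ...
        machine, num_sections, timestamp = struct.unpack_from("<HHI", image, pe_off + 4)
        hits.append(PEHit(off, machine, num_sections, timestamp))
    return hits


def find_strings(image: bytes, min_len: int = MIN_STRING_LEN) -> List[Tuple[int, str]]:
    """Printable ASCII runs with their offsets, like the `strings` utility."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(image)]


def find_credentials(image: bytes) -> List[Tuple[int, str, str]]:
    """Key/value pairs that look like credentials left behind by a login."""
    return [
        (m.start(), m.group(1).decode("ascii").lower(), m.group(2).decode("ascii"))
        for m in CRED_RE.finditer(image)
    ]


def analyze(image: bytes) -> Dict[str, object]:
    return {
        "pe_headers": carve_pe_headers(image),
        "strings": find_strings(image),
        "credentials": find_credentials(image),
    }


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw physical memory image (not a real dump).
    Contains a bare 'MZ' decoy, one valid x64 PE header, and a few strings
    that a login session might leave behind."""
    head = bytearray(0x200)
    head[0x10:0x12] = b"MZ"                    # decoy: no PE signature behind it
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)    # e_lfanew -> COFF header at +0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, 0x5F000000, 0, 0, 0xF0, 0x22)
    pe_image = bytes(dos) + coff + bytes(0x100)
    strings = b"\x00".join([
        b"username=admin",
        b"Password: Hunter2!",
        b"https://login.example.invalid/auth",
        b"abc",                                # too short to be reported
    ])
    return bytes(head) + pe_image + bytes(0x40) + strings + bytes(0x40)


SAMPLE_IMAGE = build_sample_image()
SAMPLE_PE_OFFSET = 0x200  # where build_sample_image() placed the real DOS header


if __name__ == "__main__":
    report = analyze(SAMPLE_IMAGE)
    for hit in report["pe_headers"]:
        print(f"PE header at 0x{hit.offset:x}: machine=0x{hit.machine:x} "
              f"sections={hit.num_sections} linktime=0x{hit.timestamp:x}")
    for off, key, value in report["credentials"]:
        print(f"credential-like string at 0x{off:x}: {key}={value}")
    for off, s in report["strings"]:
        print(f"string at 0x{off:x}: {s}")
```

The decoy shows why the PE check walks the header chain rather than grepping for MZ: a raw memory image is full of two-byte coincidences, and the e_lfanew and signature checks are what keep the false-positive rate usable. The credential pattern is deliberately loose; in practice you would tune the key list to the applications on the host and follow hits back to the owning process.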
While this is in no way an exhaustive list, it does demonstrate the importance of solutions that incorporate memory forensics capabilities into their offerings. There are also a range of commercial and open source tools designed solely for conducting memory forensics. The decision of whether to use a dedicated memory forensics tool versus a full suite security solution that provides memory forensics capabilities – as well as the decision of whether to use commercial software or open source tools – depends on the business and its security needs.
For more on memory forensics, check out resources like The Art of Memory Forensics book, Mariusz Burdach’s Black Hat 2006 presentation on Physical Memory Forensics, and memory forensics training courses such as the SANS Institute’s Memory Forensics In-Depth course.