As previously mentioned, memory acquisition is not a trivial task. You’ll need a versatile tool set and the ability to adapt your techniques based on the specifics of each case and the environments that you encounter. Figure 4-1 shows a relatively simplistic decision tree based on some, but certainly not all, of the common factors you’ll encounter in the field.
For example, one of the first questions you’ll need to ask is whether the target system(s) is a virtual machine (VM). This can have a huge impact on your methodologies, because if the target is a VM, you may have options for acquiring memory-using capabilities that the hypervisor provides for pausing, suspending, taking a snapshot, or using introspec-tion. However, it is important to be familiar with the different virtualization platforms and their respective capabilities because some products require special steps and store VM memory in proprietary formats.
Memory Acquisition
71
Figure 4-1: A diagram of some of the initial factors you’ll need to consider before acquiring memory
If the target system is “bare metal,” such as a laptop, desktop, or server, you need to deter-mine whether it is currently running (remember that the machine might not always be in your physical possession). If it’s hibernating or powered down, the current state of memory is not volatile. But, in many cases, recent volatile data may have been written to more persis-tent storage devices such as the hard disk. These alternate sources of data include hiberna-tion files, page files, and crash dumps. Acquiring memory from non-volatile sources entails booting the target system(s) with a live CD/DVD/USB to access its disk or making a forensic duplication of the disk image and mounting it (read-only) from your analysis workstation.
A running system provides the opportunity to acquire the current state of volatile memory but you’ll need administrator-level privileges. If a suspect or victim is already logged on with an admin account, or if they’re cooperating with your investigation (such as to provide the proper credentials) you’re in luck. You also might have admin access due to your status as an investigator (credentials were provided to you by the backing corporation). In these scenarios, you can use a software-based utility, which we’ll describe shortly. Otherwise, the options are not so straightforward. It might be possible to gain admin access through a privilege escalation exploit (an offensive tactic that may invalidate the forensic soundness of your evidence) or by brute force password guessing.
Part I: An Introduction to Memory Forensics
72
Another option is hardware-assisted acquisition. In this case, you do not need cre-dentials for the target system(s)—physical access suffices. You’ll rely on Direct Memory Access (DMA) using a technology such as Firewire, Thunderbolt, ExpressCard, or PCI.
The downside to this method is that unless the target machine is already equipped with a device (or if it supports hot swapping devices), you have to power down the target system to install the required hardware adaptors (and doing so destroys your volatile evidence). Other disadvantages include the fact that Firewire only permits acquisition of the first 4GB of RAM, which can severely limit your success for large-memory systems.
Additionally, PCI devices for memory acquisition are extremely rare, so they’re also quite expensive. In fact, we currently know only one product that’s commercially available and costs about $8,000 USD (WindowsSCOPE).
When the factors lead you in the direction of software-based acquisition, you still have many decisions to make. Consider the following points:
•
Remote versus local: Do you (or a fellow investigator) have physical access to the target system(s)? A case can quickly become complicated if the computer is located in another state or country. Also, you might encounter situations in which the target is a server with no keyboard or monitor attached, sitting in a security or network operations center. In these situations, remote acquisition (over the network) might be your only option.•
Cost: Do you have budgetary restrictions on the acquisition software you can buy?Obviously, the restriction will affect which tools are available to you.
•
Format: Do you require memory in a specific file format? Later in the chapter, we’ll describe how many analysis tools have limitations on the formats they support.However, you can always convert between formats if you initially capture memory in a format that’s incompatible with your desired analysis tool(s).
•
CLI versus GUI: Do you prefer command-line or graphical user interface (GUI) tools? There is a common bias that GUI tools leave a larger footprint on the target and have a larger attack surface area, so they’re bad for forensic acquisitions. However, a well-written GUI produces far less noise than a poorly written command-line tool.Also, you might not have console access or Virtual Network Computing (VNC)/
Remote Desktop Protocol (RDP) services on which to run GUI applications.
•
Acquisition versus runtime interrogation: Do you need a full physical memory dump or just the ability to determine the running processes, network connections, and so on? Do you need to continuously poll the system for changes? In corporate environments with hundreds or thousands of systems, it’s not practical to acquire full memory dumps just to check for the existence of a particular indicator. Instead, you can perform a quick sweep throughout the enterprise, checking a few specific areas of memory on each machine.Memory Acquisition
73
We’re often asked this question—what tool should I use for acquiring memory? There’s really no clear-cut answer. The right tool for a particular job depends on the job. After you determine the specifics of the case, you can focus on selecting a tool that best sup-ports your goals. Later in the chapter we present some specific precautions you should take when performing acquisitions.