Volatile Memory (RAM) Forensics in Cybercrime

Shivi Forensics
TOPIC: Volatile Memory (RAM) Forensics in Cybercrime 

Written By: 
Hrigvi Singh Banafar
Volunteer, Shivi Forensics 

Introduction 
Volatile Memory Forensics, particularly RAM analysis, captures and examines transient data in a system's Random Access Memory (RAM) to uncover evidence of cybercrimes like fileless malware, ransomware, and unauthorized access that leaves minimal disk traces. This live forensics technique is essential because RAM holds real-time snapshots of running processes, network connections, encryption keys, and injected code, which vanish upon power loss or reboot.

BACKGROUND OF VOLATILE MEMORY FORENSICS
A computer's memory resides in their Random Access Memory (RAM). RAM is a crucial component of any computer system as it allows for the computer to perform most of its everyday tasks like running applications and multitasking. As mentioned earlier, RAM is volatile and it is advised to not shut off a computer once a system has been compromised. Doing so will wipe the computer's memory and reset it. Instead, leave the breached computer on disconnect it from any network(s) to avoid computer memory from resetting. When capturing an image of a system's RAM, it is put into a file called a memory dump.

WHY VOLATILE MEMORY FORENSICS/RAM ANALYSIS MATTERS IN INVESTIGATIONS IN TODAY'S WORLD?
With the rise of sophisticated cyber attacks and increasingly complex computing environments, the importance of RAM analysis has grown significantly. Attackers frequently use techniques that leave little trace on permanent storage but operate extensively in memory. Fileless malware, for example, runs entirely in RAM and leaves no traditional footprint on the hard drive. Detecting and analysing such threats requires forensic professionals to delve into volatile memory.

Additionally, many digital investigations involve rapid response scenarios where investigators must capture volatile data before it disappears. This is particularly relevant in incident response and live forensic investigations. Without analysing RAM, investigators risk missing critical evidence that could reveal the attacker's methods, tools, or even their identity.
RAM forensics examination is also vital in understanding encryption. Encryption keys that unlock protected files or communications often reside temporarily in memory. Without extracting these keys from RAM, decrypting relevant data might be impossible. Hence, RAM analysis bridges the gap between encrypted disk data and readable evidence.

INFORMATION OBTAINED FROM RAM ANALYSIS
RAM contains a wealth of volatile data that can be extracted and which can aid the field of forensics to a great extent.
1. Past and current network connections: THis gives the remote IP address and port number used in network connections. This information is useful for detecting a computer intrusion, identifying the IP address the malware is communicating with, the source of criminal activity, or where the information is being transferred.
2. List of running processes at the time of RAM capture: A list of active processes running when the RAM was acquired provide an idea of how the system was being used. The Task Manager only provides an apparent knowledge of what is running on a system. What is not revealed is a process running such as a rootkit, that is, a hidden Trojan used to exfiltrate data or allows remote access, or the key logger that is siphoning all important user data.
3. User names and passwords: Users input their user name and password to access an account many times for authentication of e-mail, social networking accounts, or their home's wireless access point. All of this data passes. All of this data passes through the RAM.
4. Loaded Dynamically Linked Libraries (DLL): A list of all the DLLs associated with a running process helps in identifying a malicious DLL that might have injected itself into a process.
5. Contents of an window: This includes any keystrokes into webmail, an e-mail client, values into a form field, and an IM chat client and chat sessions, including participants.
6. Open registry keys for a process: It is crucial to be able to identify registry keys associated with a malicious process. By being able to associate open registry keys to a certain process, an analyst could tie functionality to taht process, such as networking capabilities, encryption, or being able to associate the secure identifier (SID) to the user account who started the process. It is also important to identify the method used by the malware to sustain reboot. This information can identified from the relationships between a process and its registry keys. One notable thing is that the registry values will be those that are open at the time of the RAM acquisition. However, the registry keys that was responsible for the malware surviving a reboot could still be listed in RAM and could be found by dumping the address space for that process.
7. Open files for a process: Being able to list open files associated with a process would reveal any open files that are currently being used by the
identified malicious process. This is helpful in identifying a resident file that is logging keystrokes, or user names and passwords. This is also important in identifying a configuration file used by a malicious process, even if it is encrypted on disk. This file could be found in memory and its contents read.
8. Unpacked/Decrypted versions of a program: One of the most valuable contributions that memory forensics can provide to an analyst is the ability to carve out an identified malicious process out of memory. If a malicious files or binary is encrypted on a hard drive the analyst would have a very hard time decrypting the file in order to obtain its contents. However, every file that is read or is executed will have to unpack or decrypt itself to run. By following the process below, the malicious file could be identified, carved out of memory, and analyzed through static analysis or by scanning with an anti-virus tool.
9. Memory Resident Malware: Memory Resident Malware are becoming more prevalent. THere is malware in the wild that will only reside in a system's memory, leaving no footprints on the system's hard drive. Any data collected could also just be stored in memory before being exfiltrated to a remote system.
a) Standard Procedure for RAM analysis
The official ACPO Guidelines recommend the following standard procedure for capturing a memory dump during RAM analysis: 
  • Perform a risk assessment of the situation so as find out whether it evidentially required and safe to perform volatile data collection. If so, install volatile data capture device e.g. USB Flash Drive, USB hard drive, etc. Run the volatile data collection script. 
  • Once complete, stop the device particularly important for USB devices which if removed before proper shutdown can lose information.Remove the device. 
  • Verify the data output on a separate forensic investigation machine other than the suspect system.
  • Immediately follow with standard power-off procedure.
b) Tools and techniques for analysing and capturing memory dumps A range of tools and methods are available to capture memory dumps.
From the forensic perspective, there are certain requirements that any such tool must strictly conform to. In no particular order, the list of essential requirements goes like this.
1. Kernel-mode operation
2. Smallest footprint possible
3. Portability
4. Read-only access

LEGAL AND PRIVACY STEPS BEFORE CAPTURING VOLATILE MEMORY EVIDENCE
Legal and privacy steps before capturing volatile memory (RAM) evidence in cybercrime investigations require securing judicial authorization, documenting the scene, and minimizing data exposure to ensure admissibility and compliance.
1. Legal Prerequisites
Obtain a search warrant or court order specifying volatile data acquisition, as live RAM capture risks altering system state and requires probable cause under laws like the U.S. Fourth Amendment or India's IT Act Section 79. Notify chain of custody stakeholders and confirm jurisdiction rules on live forensics to avoid suppression in court. Verify investigator training and tool validation for legal defensibility.
2. Privacy Protections
Assess and limit scope to investigation-relevant processes, avoiding full dumps that captures unrelated personal data like passwords or browsing history. Implement per-process capture where feasible to respect user privacy during employer or law enforcement analysis. Document consent ( if voluntary) or warrant boundaries, and segregate non-evidentiary data post-acquisition.
3. Pre-Capture Procedures
Power on systems only if necessary, capture screen states, and photograph the setup without interaction. Prioritize volatility order: collect RAM before network logs or disks to prevent evidence loss. Test tools on similar systems and prepare hashes for integrity verification.

FOLLOW OUR SOCIAL MEDIA FOR MORE UPDATES 

Join the Whatsapp Channel for more updates

𝐒𝐡𝐢𝐯𝐢 𝐅𝐨𝐫𝐞𝐧𝐬𝐢𝐜𝐬 
Its time to study and spread knowledge

Contact us
+918576803105
shiviforensics@gmail.com



0 Comments