Memory Forensics

2 12 2012

Forensic Science

The word “forensic” comes from the Latin word “forensis”, which means “pertaining to courts of law” (Harper). In Forensic Science and Standards Act of 2012, forensic science was defined as “the basic and applied scientific research applicable to the collection, evaluation, and analysis of physical evidence, including digital evidence, for use in investigations and legal proceedings, including all tests, methods, measurements, and procedures” (Forensic Science and Standards Act of 2012, 112TH CONGRESS 2D SESSION, 2012).

Locard’s Principle

“Anyone or anything entering a crime scene takes something of the scene with them, or leaves something of themselves behind when they depart” (Saferstein, 2001).

When I first read this, it reminded me the “observer effect” of physics; it is impossible to measure any characteristic of a system without being a part of that system. In other words, the existence of observer changes the results of the measurement.

In a crime scene investigation, investigators have to show great care and responsibility to minimize the effects of the investigation process to the investigated phenomena. This is the main reason why investigators turn off all of the systems first by plugging off and then with the help of write blockers (special equipment to prevent a possible change to the disks being read) try to get the bit-by-bit image of the disks. Securing the integrity of data from any unwanted modification attempts is highly crucial for the investigation.

This in turn brings the loss of critical data on the volatile memory (RAM, CPU registers and caches) of the systems. When we turn off a computer, the data that was stored in volatile memory simply get lost because these devices were designed for fast access to data and they can store data only in the presence of electric currents. The transistors in these devices lose charge they are holding over time and get refreshed periodically. When we cut the power, memory transistors lose the charge (and therefore the data) in milliseconds.

To overcome the problem of losing volatile data two new approaches are being found attractive today;

  • Analysis of live systems
  • Memory forensics (Huebner, Bem, Henskens, & Wallis, 2007)

Memory Forensics

Memory forensics basically deals with analysis of memory images. For this, you have to have the memory dump (image) that was taken from the running machine. This can be done by a memory dumping utility like WinDD, WinEn or MDD. In Unix, dd command can be used to reach the memory and get an image of it. What dd does is, simply copying certain number of bytes from input stream (memory as a device under “/dev” in our case) to the output stream (a binary file).

Before we go further, we have to understand a basic point. For being able to get an image of memory we have to use a dump utility which will occupy a space on hard disk and when run, in the memory; and depending on the memory management and file system of the OS this will cause a change in the memory and hard disks, and can make you lose some valuable forensic data. Furthermore, the memory dump file also will occupy some space in the system. As a result, the forensic data that you gathered may not be used as evidence in courts. But this fact does not make memory forensics less valuable. If some forensic tools are implemented in the kernel level, we can expect memory forensics evidences be accepted as sound in the near future (Huebner, Bem, Henskens, & Wallis, 2007).

Memory dump files can have a variety of critical information that was stored by different processes and OS services. These include process information, open files, open connections, passwords and registry hives.

Open Source Memory Image Analysis Tool: Volatility

Volatility[1] is an open source set of analysis tools that was designed to extract forensic evidence from memory images of Windows and Linux machines. It was written in Python and has plugin support to give people a chance to extend its capabilities.

Volatility has a lot of internal modules to extract data about processes, network connections, open files etc. Below is a sample set of commands that come with Volatility framework:

In the Volatility 2.3 Release there are more than 120 internal commands.

pslist Lists the processes that were running on the system at the time of memory dump
psscan Finds also the processes that had been hidden by a rootkit
connections Shows connections that were active during memory dump
files Shows files that were opened by a process
strings Outputs strings in the dump file with corresponding virtual addresses
cmdscan Searches the memory for commands that attackers entered during a cmd.exe shell
getsids Gets security identifiers (SIDs) that were associated with processes
hivescan Scans memory image for well known patterns of registry hive structures

Table 1: Volatility commands (Volatility 2.3 release notes, 2012)

An Experiment and Results

I conducted an experiment with Volatility framework to better understand what critical data can be extracted from a memory image. For this experiment I created two small TrueCrypt[1] volumes, encrypted them with AES and mounted them with “Cache passwords and keyfiles in memory” option enabled for demonstration purposes.

Figure 1

Figure 1: TrueCrypt password dialog

This option is not enabled by default for security risks associated with it. At this point TrueCrypt cached passwords in RAM in an unencrypted fashion. Then, I took a memory dump with MDD[1].

Figure 2

Figure 2: Memory dump with MDD

For extracting keys from this image I used Jesse Kornblum’s “Cryptoscan” plugin[2] for Volatility framework. For the big size (around 3.5 GB) of the memory dump file, the scanning process took more than an hour and in the end the plugin could find the keys searched for:

Figure 3

Figure 3: Passwords in plain text

So, we can see that with this search plugin we could reveal the keys in a little more than an hour.


In this post, we tried to introduce memory forensics, talked about open-source Volatility tool that is commonly used to extract useful information from memory dumps, showed how a memory image can be taken and demonstrated extracting TrueCrypt keys with the help of Cryptoscan plugin. You have to load keys in memory (though not plaintext as in our example) for processor to use them to do encryption and decryption on the fly (Kaplan, 2007). So, although you have strong encryption, memory can reveal your keys and your state-of-the-art, unbreakable encryption will be of no value.


Forensic Science and Standards Act of 2012, 112TH CONGRESS 2D SESSION. (2012, July 12).

Harper, D. (n.d.). Forensic. Retrieved from Online Etymology Dictionary:

Huebner, E., Bem, D., Henskens, F., & Wallis, M. (2007). Persistent systems techniques in forensic acquisition of memory. Digital Investigation, 130-131.

Kaplan, B. (2007). RAM is Key, Extracting Disk Encryption Keys From Volatile Memory, Thesis Report. Pittsburgh: Carnegie Mellon University.

Saferstein, R. (2001). Forensic science handbook. Englewood Cliffs, NJ: Prentice Hall.

Volatility 2.3 Release Notes. (2012, Oct 24). Retrieved from Volatility, An advanced memory forensics framework:






Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: