Memory Forensics Cheat Sheet

By Chad Tilbury on April 24, 2012 in Malware, Memory Forensics — 12 Comments

One of the fun things I have been working on is the huge revision of the SANS Forensics 508: Advanced Forensics and Incident Response material. Rob Lee has spent the last ten years building and updating what has become one of the most well-known and respected digital forensics training courses. The golden age of hacking is in full swing and a whole host of new threats have emerged, including state-sponsored espionage (aka APT), hacktivism, client-side attacks, and crimeware. Digital forensic investigations have never been more in demand. However, computer intrusion and malware investigations require a very different skill set than the cases seen by the average forensic examiner. Rob saw a great opportunity to update the FOR508 course to train this next generation of forensic professionals. I estimate that at least 60-70% of the course, and nearly every exercise, is new within the last year.

My specific part in the course is writing the new memory forensics day. My forensic experience dates to the late 1990s, and I can’t remember any other advance in the field that has so fundamentally shifted the balance from the bad guys to the good guys. Memory forensics is now a mature discipline and we have a wonderful array of tools available, allowing us to analyze everything from raw memory files to hibernation files to crash dumps to live memory audits. Memory analysis is a game-changing skill, and we spend a significant part of the new 508 course learning it and incorporating the results of that analysis into the broader forensic process.

I put together a Memory Forensics Cheat Sheet to help with the dizzying array of options available in some of the memory analysis suites, most notably Volatility.  While the cheat sheet focuses on Volatility, it is not the only tool we use in class.  Cheat sheets lend themselves best to command-line activities, and some excellent analysis tools, such as Mandiant Redline, are GUI based.  I hope you find the cheat sheet valuable and I look forward to your feedback!

Memory Forensics Cheat Sheet

12 responses to Memory Forensics Cheat Sheet

  1. Thank you for such a valuable resource. Please note that it is no longer necessary to use either MoonSols’ win32dd or win64dd depending on the target Windows system (x86 or x64) as they have provided a ‘combined’ free utility called DumpIt last summer: http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/

    • I agree, Matthieu Suiche’s DumpIt tool is fantastic! Though keep in mind that in order to make the tool as simple as possible, some functionality is missing from the original Win32/64dd tools. For instance, if you want to send your memory image to a location other than where your tools are being run from (a network share, for example), then you may still want to consider the original Win32/64dd.exe.

  2. Ditto, thanks for making the resource available. Much appreciated, thanks.

  3. I prefer FTK Imager to dump the memory. I have tried DumpIt, but it did not succeed on my 8 GB RAM. The Cheat Sheet is fantastic! I am using it for creating the working paper for analyzing the memory. Thanks for sharing.

    • I always recommend having duplicate forensic tools available. Like you, I have found multiple instances where my memory dumping tool of choice failed when a similar tool worked perfectly.

  4. Great Cheat Sheet. As someone who has about a month of memory forensics experience, I started using Volatility and then stumbled upon this post. I also recommend another tool by Mandiant. Memoryze for the Mac 1.0 is great (macmemorydumper and the terminal tool memoryze for analyzing dumps). I captured a 10 GB image and easily extracted my password. Also, has anyone tried Volatility with a VMware memory file, snapshot, or saved state yet?

    Thanks

  5. My company is really into memory forensics, and we released 2 *free* – as in beer – programs to help forensics investigators in their memory forensics endeavors – http://nopasara.com/products/ – I just wanted to let you know, maybe you’ll find them useful – they’re extremely easy to use, have no expiration, no license costs, are easy to install… well, I believe you can see for yourself!

  6. Is the FOR508 update done? Will the new course be taught in 2014 classes?
