RAM is often one of the first systems where artefacts related to a cyber-attack can be found

The importance of RAM in computer forensic analysis


When we talk about computer forensics, we mean the collection of information from a machine wherever information useful to an investigation may be found. Typical collection steps in a forensic analysis include gathering data from the various machines on the network, any relevant information found on the computers themselves, the contents of the machines' hard drives, and also the contents of RAM.

RAM memory

RAM is volatile, or dynamic, memory used to hold the data and instructions a program needs while it executes. It has characteristics that distinguish it from its counterpart, ROM, the most notable of which is precisely its volatility: data is held in RAM only for a short time while the machine is running. Because it is volatile, the moment the machine is powered off everything stored in RAM is lost and cannot be recovered.

RAM is the memory in the machine used to hold variables, programs and all the other data needed for it to operate correctly. When a program is executed, its data is loaded into RAM.


Examining a computer's RAM turns up many more artefacts than other sources, such as the hard disk.

In it we can find various data of interest for computer forensic analysis: open communication ports on the system, encryption keys that are written to memory while the programs that use them execute, and so on.

The importance of this memory in computer forensic analysis

RAM is often one of the first systems where artefacts related to a cyber-attack can be found.

There are several reasons for this. An investigation needs to reconstruct the events of a particular cyber-attack, and RAM holds most of the details about which processes have been active and which have been accessing memory.


It is also a quick resource to acquire: accessing RAM requires physical access to the computer, so this kind of investigation can be carried out on site without any particular inconvenience.

However, as soon as it is known that a cyber-attack has taken place, switching off the equipment involved must be one of the last things done, as doing so could mean losing this type of evidence: as mentioned above, RAM holds data only while the system is powered on.

Some of today's malware runs in RAM, so in order to detect it and analyse its behaviour it is important to examine a copy of the volatile memory of the computer where the suspicious activity was detected. First, however, that copy must be acquired.


The acquisition of RAM

There are several tools that will help us to dump the memory (a memory dump). As in any acquisition process, it is always advisable to use tools that have been tested beforehand, that the investigator is comfortable using, and whose correct operation has been verified.

Once acquired, it is necessary to proceed to the next phase, that of analysis.

Analysis of a RAM memory

Several software programs are focused on this type of analysis, Volatility being perhaps the best-known tool.


Volatility is an open source forensic tool for incident response and malware analysis. It is written in Python and runs on Microsoft Windows, Mac OS X and Linux. The tool provides a number of commands that let the investigator trawl through the data stored in memory looking for possible anomalies. It can collect information on various elements: open ports and the list of connections, the history of executed commands, information about devices, information about the different processes, and so on.
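As an added example (not code from the article or from Volatility), the following Python script shows one way an analyst can confirm the earlier point that encryption keys live in memory while a program uses them: it scans a raw image for a 16-byte AES-128 key followed by the round-key schedule a running cipher keeps beside it, the same idea behind key-finding plugins. The image it scans is constructed inline (seeded random filler with the FIPS-197 sample key planted), not a real capture, and the function names are assumptions.

```python
import random

def aes_sbox():
    """Build the AES S-box in GF(2^8) instead of embedding a 256-entry table."""
    sbox = [0] * 256
    p = q = 1
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    for _ in range(255):  # p walks every nonzero element of GF(2^8); q tracks 1/p
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                   # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
    sbox[0] = 0x63
    return sbox

SBOX = aes_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key):
    """AES-128 key expansion (FIPS-197): 16-byte key -> 176-byte round-key schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(sum(w, []))

def find_aes128_keys(image):
    """Offsets where 16 bytes are followed by exactly their own expanded schedule:
    a self-consistent 176-byte window is a strong sign of a key in use at acquisition."""
    return [off for off in range(len(image) - 175)
            if image[off + 16:off + 176] == expand_key(image[off:off + 16])[16:]]

def build_sample_image(key, offset=0xBB8, size=4096):
    """Constructed stand-in for an acquired RAM dump (not a real capture):
    seeded random filler with the key schedule planted at *offset*."""
    image = bytearray(random.Random(7).getrandbits(8) for _ in range(size))
    image[offset:offset + 176] = expand_key(key)
    return bytes(image)

if __name__ == "__main__":
    test_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 sample key
    image = build_sample_image(test_key)
    for off in find_aes128_keys(image):
        print(f"AES-128 key schedule at {off:#x}: key = {image[off:off + 16].hex()}")
```

The scan runs a full key expansion at every offset, which is fine for a small image; on a multi-gigabyte dump a practitioner would first check only the first round key as a cheap filter.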

Conclusions

Correctly acquiring and analysing RAM is one of the key elements of a forensic exercise on a computer or network of computers, since it stores information that may be crucial to an investigation and that cannot be obtained in any other way. Given its sensitivity as a volatile type of memory, it is vitally important that the investigator has a thorough knowledge of this process in order to avoid losing this type of evidence.

Ainoa Guillén González, coordinator of the Cybersecurity Area of Sec2Crime
