Ram Capture Adventures #1

Do not forget the RAM: it may be useful to the investigation.

Capture all the things!

Yet how many times in an investigation have you actually looked at the RAM?
There has been a shift in the last decade away from the notion that you can find all you need in the traditional disk examination, unless there was a very specific need to investigate the RAM in the first place (e.g. a malware investigation).

Let us take a look at why it is a good idea to review that capture, rather than taking it only because it 'was on the checklist'.

In today's digital devices, operating systems demand large amounts of Random Access Memory, often in excess of 8GB, and it is not uncommon to see domestic laptops and desktops in the 32GB category. As such, the capture and examination of this large quantity of data is a vital step in an investigation.

Whole cases can be made or lost based on the contents held in volatile memory. A competent defence could argue that the RAM may have contained information that gave rise to reasonable doubt, and that as such it should have been preserved.

So what exactly is volatile data?

As long as the device is running, there is potentially data of interest in the RAM.

Digital systems require power; when that power is absent, the device will naturally not be functioning. Often investigators will not want to 'pull the plug' on a running system, as there is a business need to find artefacts of a breach or attack. Moreover, disruption of production systems could have a greater impact on a business than the incident that prompted the investigation.

These artefacts can then be used to define and improve defences. Data that exists only while the system is powered is referred to as volatile.

As I mentioned before, there is an order of volatility that, in abstract terms, governs how and what you should collect. Every operating system will have nuances that need to be understood and addressed by the examiner, but in the main the collection of RAM will involve introducing either a capture tool or using a native command.

One of the biggest challenges in digital forensics is the use of encryption by default on storage media such as hard disks and solid-state drives. From a RAM capture it may well be feasible to recover not only encryption keys but, more importantly, open network connections!

There is a whole host of juicy material within RAM for the vigilant investigator (note: this is not a full or comprehensive list):

  • Credentials
  • Chat Messages
  • Encryption Keys
  • Emails
  • Open Network Connections
  • Passwords
  • Printer Files
  • Running Processes
  • Unsaved Documents / Code

In summary – RAM is short for Random Access Memory. It is a key component of a digital device. RAM allows the temporary storage of data in the system. Yet RAM is volatile: its contents can be easily altered, destroyed or lost when power is removed from the system.

Within RAM there may very well be additional data that will be of interest during a forensic examination.

Next time we will look at some methods to capture RAM.

Part One in a series – Ram Capture Adventures