<aside>
💡 Hey! Foxy here. Here is further information for Memory Analysis and all the challenges/resources. Here’s the slide : https://www.canva.com/design/DAGtIGKbY00/UR0i8W2yCcC9PlYLbRlmdQ/edit?utm_content=DAGtIGKbY00&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton
</aside>
Before we jump straight into the challenge writeups, let's refresh the whole concept of memory analysis and its key takeaways.
WHY memory analysis? → To collect valuable information and evidence from compromised systems.
WHAT do we gain from analysing memory? → Valuable digital artifacts, recovered by capturing and analyzing a computer's memory.
WHAT do we investigate? → The volatile data in a computer's memory (RAM).
Disk forensics is NOT the same as memory analysis.
- Memory is highly volatile (lost on power-off); while the system is running, data in memory remains only until it is overwritten. Disk data is largely persistent.
- Memory captures the live, dynamic state of the system. Disk forensics analyzes stored, persistent data (files, logs, registry hives, slack space, unallocated space).
- Memory contains processes, network states, decrypted data, and ephemeral artifacts. Disk contains files, folders, installed programs, system logs, and hibernation and page files, which can themselves contain memory contents.
- Memory capture requires specialized tools running on or connected to the live system. Disk capture usually involves write-blockers and imaging offline drives/media.
- Memory analysis is often the first step in live system triage due to volatility. Disk analysis can follow.
- Memory provides evidence of current activity and runtime behavior. Disk provides evidence of historical activity, installed components, and configuration.
Challenges