Authors: Aaron Sparling
DFRWS USA 2019
by Aaron Sparling
Memory forensics is fast and efficient and the speed begins with the acquisition process prior to analysis. Memory acquisitions on systems of 32 gigabytes in size can be completed in under 4 minutes, which means that the examiner can begin immediate analysis of the case via memory forensics and reduce examination backlogs. The triage process can and should take place prior to examining the file system. This can be accomplished by acquiring a copy of the systems physical memory and conducting targeted memory analysis on the acquired RAM capture in parallel while the forensic imaging of the systems hard drive(s) are processing.
Memory forensics in a fraud investigation of a single suspect/user can be completed using the Volatility framework. Through the examples and methodologies introduced in this presentation, an examiner can quickly and easily track user activity, identify external devices, build user timelines, conduct registry analysis, identify applications and files the user may have accessed, locate passwords, and decrypt encrypted volumes. This presentation will also highlight how implementing memory forensics in the early stages of the analysis process the examiner will likely identify targeted indicators that will speed up their filesystem analysis.