Extracting digital evidence using memory imaging and bulk extractor

 


In this quick post we are going to extract juicy info from a raw memory image. This method can be helpful to find digital evidence from suspect computer. 

This post is not beginner friendly, so you need to have knowledge of some concept like Memory Imaging. In short Memory imaging is the process of making a bit-by-bit copy of RAM. 

Why memory Imaging 

As your computer memory stores a lot of information and we know the information which can be recovered from a disk image can also be recoverable from memory which can help investigator to extract a lot of sensitive information like runtime system activity, stored password, command and process which was executed recently.

Why Bulk Extractor

Bulk extractor is really useful open source tool, it ignores the file system structure and can scan disk image, memory image, etc and can also extract email, URL, credit card details, etc. This can help investigator to get a good lead in his investigation and can also help malware analyst to get Indicator of compromise. 

 

Memory imaging  

In this step we have to do memory imaging that means i am going to capture the RAM in it's running state.

There are lots of ways to dump memory, but I am going to use Dumpit which you can get from here .

Now to dump the memory (memory imaging) go to the directory where you have stored Dumpit run that program as an administrator. 


Above it is showing the location where it is going to save the memory image in .raw format. Now, after pressing yes, it will start capturing the memory and will dump it on the mentioned destination, the time it's going to take depends on the size of RAM. The higher the memory the more time it is going to take.

 Extracting the data 

After getting the memory dump it's time to fetch the data from it. For this I am going to use Bulk Extractor , there are two way to use bulk extractor one is using command line interface and another is using graphical interface. 

You can download bulk extractor from here (graphical interface) and for command line interface you can get it from here 


Now you should have a RAW image to investigate after memory dump. That looks like the picture below

 


 

I am going to use graphical interface of bulk extractor for extracting evidence.  Start bulk extractor select go to tool and select run bulk extractor.




Now select your RAW image file. And make sure to select what plugin you want to run with bulk extractor on the right side. With default option you can also select Facebook option to check what Facebook activity the user did on his browser.

 



Now select your memory image and output directory and choose submit run

 

Bulk extractor has started parsing the image and depend on the memory size it will take some time to complete the scan.



Once scanning is completed you should see files extracted by bulk extractor in your output directory.

start bulk extractor and select the xml file which should be inside you output folder and the memory image file

 


 Browser history 

In the below screenshot I have selected domain from the option and we can see website thehiddenwiki.org  which was opened by the user and on the image side we can see the exact URL which was opened at that time.


There are other twitter URL which we can see in the image side of bulk extractor ( you can click to enlarge image)



You can also extract phone number and can see where it was entered on the memory image side.





There are lot's of other information and data which can be extracted using bulk extractor. I have used memory image but you can use disk image, virtual machine image for data carving or recover. 


Some points to remember 

During disk imaging or capturing live memory make sure you have a write block enabled. Do not install any tool on the victim machine, use external drive to capture memory or disk image. 

For creating disk image you will need an external storage which should be of exact same size as the victim machine hard disk. 

To capture memory from external drive you can use Belkasoft Ram Capture





Comments

Post a Comment

Popular posts from this blog

USB forensic : Find the history of every connected USB device on your computer

Image
Sometime we need to know what USB devices were connected to our computer in our absence.These information could be very useful for forensic examiner or in general case also where we just want to know what USB devices were used . How do this works We all know about registry on windows, a registry is a database in windows which stores settings of the operating system, hardware devices, software programs and user preferences settings. Whenever we insert a USB drive in a computers a registry key with name "USBSTOR" is created this registry key store information about that USB device and whatever info the OS need to know can be found in this registry key.  Finding the all attached USB history To find the usb  history of your device just do the following step below  STEP 1  Go to run and type "regedit".  STEP 2: In the registry go to  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR and there you will find a registry key with na
Read more

Crawling pastebin to find specific pastedump

Image
In this post we will crawl into pastebin.com to find specific pastebin dump. For example if we want to find paste for specific keyword like "password" we can get all the paste containing that keyword. Preparing the Attack Usually some sites don't allow web crawling and by doing so you may get banned from accessing that site, which will also make this method vain.  So before doing this i recommend you to use THIS tool to anonymize all your traffic so that if we get banned we can switch our IP address immediately.  Start the Attack STEP 1 Clone into this URL by typing https://github.com/kahunalu/pwnbin.git STEP 2 Now type python pwnbin.py -k pass -n 10 -m 10 here "-k" is the keyword you want to search for "-n" is the number of paste you want to crawl and "-m" number of keywords matches you want.  As we can see above we have found a match and it's now saved to log.txt file so it's time to see the dump co
Read more

Hack WinRAR password by using Brute force attack

Image
Winrar have option to password protect your files in it.Some times we got password protected rar files or we forget our password so we go online to search to crack password of these type of rar files.Some website tell about some program who promises to decrypt the password, But unluckily there are lots of spam ,advertisement, on internet who ask you to complete the survey to download the program that can unlock the password and absolutely that's a spam,some websites also provide direct link downloadable  program to crack rar password but when we download them instead of doing that, they install lots of unwanted sponsors software and make your PC slower.But now we have a easiest way to get the password of rar file by using brute force attack. No spam,no survey,no unwanted software and with proof.So lets start the hack and follow some simple  step by step guide given below.  1 > For example i am going to set password in rar file 2> Now when ever i am try
Read more

Fileless malware Analysis with Cuckoo sandbox

Image
What is cuckoo Sandbox Cuckoo is a dynamic malware analysis sandbox which is open source and completely free. We can submit any malicious binary file and cuckoo will provide a detailed report of the malicious file, including the behaviour of that file during execution.   What is Fileless Malware A fileless malware is a favorite technique for malware authors, what this type of malware does, it doesn’t write anything on the disk to bypass mostly string base detection. The malware executes an obfuscated command usually PowerShell and during run time antivirus could not detect the strings which are being executed and after injecting it in memory the command get deobfuscated. Cuckoo Interface and sample analysis To run cuckoo just type cuckoo from your terminal, this will start cuckoo service. Now to get the web interface type cuckoo run webserver this will start the cuckoo web interface on its defined URL and port address as shown below.
Read more

Web application penetration testing: Tools and Techniques for web security auditing

Image
Every pentester has it's own tool and technique for web app security auditing, Some time it depend on the type of website  we are pentesting. We are gonna see some common tool and technique that can help us to audit our web application security. Detecting web application firewall and other services You can start with by detecting is there any web application firewall in use? Later we can see if there's any way to bypass it.  Recommend tool :  fofa.so It is a cyberspace search engine launched by White Hat. It can help researchers or enterprises quickly match network assets by performing cyberspace mapping, for example, analyzing the scope of vulnerability.  shodan.io It is most poplar search engine among pentester for finding various online vulnerable IoT devices, online open ports f rom various web servers. wafw00f   This tool allow you to detect and identify what Web Application is in use that is protecting the website.  Bypassing Cloudfl
Read more