3 Forensics Investigation
3.1 Analyzing Hard Drive Forensic Images, Analyzing RAM Forensic Image, Investigating Routers
RAM capture is the process of capturing live memory from a running computer
system. RAM analysis consists of performing forensic analysis on the data gathered
from the live computer.
After conducting a memory dump on any live machine to capture RAM, the memory
image can be used to determine information about running programs, the operating
system, and the overall state of a computer, as well as to locate deleted or temporary
information that might otherwise not be found on a normal image.
Until recently, RAM capture and analysis was not a mandatory step in investigations,
or even in triage situations where analysts gather forensic data on site.
However, with new tools that can acquire memory from locked systems, and with the
growing importance of temporary data that never reaches disk, RAM analysis is quickly
becoming a pivotal and mandatory part of the digital forensics process.
Volatile memory access is also important in law enforcement situations, because the data
in RAM is lost when a suspect machine is powered off.
RAM contents start to decay within seconds of losing power, so the longer a machine has
been off, the less can be recovered; acquisition has to happen while the machine is running.
Artifacts that can be recovered from a RAM capture include running processes and network connections.
RAM Analysis Tools:
RAM Capture Tools:
DumpIt:
DumpIt is a fusion of two trusted tools, win32dd and win64dd, combined into one
executable. DumpIt is designed to be handed to a non-technical user on a removable
USB drive.
That person simply double-clicks the DumpIt executable and allows the tool to run.
DumpIt then takes a snapshot of the host's physical memory and saves it to the folder the
DumpIt executable was run from, that is, onto the USB drive, which therefore needs at least
as much free space as the host has RAM. Hash the resulting image as soon as it is written,
so the copy analyzed later can be tied to the one acquired.
DumpIt provides a convenient way of obtaining a memory image of a Windows system even
if the investigator is not physically sitting in front of the target computer. It is so easy to use
that even a naive user can do it. It is not appropriate for all scenarios (running any tool on
the live host changes its memory), but it will definitely make memory acquisition easier in
many situations.
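As an added example (written for these notes, not DumpIt's or any forensic framework's code), the following Python script shows the two things a practitioner does right after an acquisition like the one described above: hash the image so the copy analyzed later can be tied to the one acquired, and carve the quick indicators listed earlier (running executables, network endpoints) out of the raw bytes. The "image" is a constructed byte string with a few artifacts planted in junk padding; the strings, addresses and ports in it are made up for the example.

```python
"""Memory-image integrity check and quick artifact carving.

Added example for these notes; it is not DumpIt's or any analysis
framework's code.  The "image" below is a constructed byte string standing
in for a DumpIt .raw file, with a few artifacts planted in junk padding.
"""
import hashlib
import re


def build_sample_image() -> bytes:
    # Constructed stand-in for a raw memory image: non-printable padding
    # with three planted artifacts (two ASCII strings, one UTF-16LE string).
    pad = b"\x00\xff\x8a\x01" * 200
    return (
        pad
        + b"svchost.exe\x00"
        + pad
        + "powershell.exe -enc SQBFAFgA".encode("utf-16-le") + b"\x00\x00"
        + pad
        + b"TCP 10.0.2.15:49732 -> 203.0.113.7:4444 ESTABLISHED\x00"
        + pad
    )


def image_sha256(image: bytes) -> str:
    """Hash the acquired image so later analysis can be tied to this exact copy."""
    return hashlib.sha256(image).hexdigest()


def file_sha256(path: str, chunk: int = 1 << 20) -> str:
    """Same check for a real .raw file on disk, read in chunks (images are RAM-sized)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Printable ASCII runs of at least 6 bytes (what `strings` finds) and
# UTF-16LE runs of at least 6 characters (what `strings -el` finds).
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
IPV4_PORT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")
EXE_RE = re.compile(r"\b[\w.-]+\.exe\b", re.IGNORECASE)


def carve_strings(image: bytes) -> list[str]:
    """Carve ASCII and UTF-16LE strings from the raw bytes."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(image)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(image)]
    return found


def quick_indicators(image: bytes) -> dict:
    """Pull network endpoints and executable names out of the carved strings.

    This is triage only: a proper parse of process and socket structures
    needs a framework with OS profiles for the captured kernel."""
    strings = carve_strings(image)
    endpoints = sorted({f"{ip}:{port}" for s in strings
                        for ip, port in IPV4_PORT_RE.findall(s)})
    executables = sorted({m.lower() for s in strings for m in EXE_RE.findall(s)})
    return {"sha256": image_sha256(image), "string_count": len(strings),
            "endpoints": endpoints, "executables": executables}


if __name__ == "__main__":
    img = build_sample_image()
    for key, value in quick_indicators(img).items():
        print(f"{key}: {value}")
```

On a real image, call `file_sha256("DumpIt-output.raw")` before doing anything else and record the value in the case notes; the carving functions then run over the file contents in the same way.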
Investigating Routers
● Routers play many different roles during incidents. They can be
targets of attack, stepping-stones for attackers, or tools for use by
investigators. They can provide valuable information and evidence
that allow investigators to resolve complex network incidents.
● The stored (startup) configuration of the router itself is likely not the same
configuration the router uses while it is running (the running configuration), so both need to be collected.
■ cisco_router#show ip route
● Router incidents can be categorized as follows:
○ Direct compromise
○ Routing table manipulation
○ Theft of information
○ Denial of service
Handling Direct-Compromise Incidents
● Direct compromise of the router is any incident where an attacker
gains interactive or privileged access to the router.
● Direct compromise provides the attacker with control of the router and
access to the data stored on the router.
● Administrative access to the router is available in a surprisingly large
number of ways, including telnet, console, SSH, web, Simple Network
Management Protocol (SNMP), modem, and TFTP access.
● Other compromise possibilities: anyone with console access to the router can
gain administrative access to the box through a reboot and the password-recovery procedure.
Handling Routing Table Manipulation Incidents
● Routers can use a variety of protocols to update their routing tables, including RIP,
Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol
(EIGRP), Interior Gateway Routing Protocol (IGRP), Border Gateway Protocol
(BGP), and so on.
● These protocols communicate information about the best path between networks to
● If any of the routes do not pass the common sense test, or if packets appear to be
routed through distant networks, then careful investigation is required.
● If unfamiliar static routes appear in the routing table, then the router may have
suffered direct compromise.
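The common-sense check on the routing table described above can be scripted. The following Python, an added example and not part of the original notes or of any vendor tool, parses a constructed `show ip route` listing (not a real capture) and flags static routes that are absent from an operator-supplied baseline and routes whose next hop is not on any directly connected network. The baseline set and the sample output are assumptions made for the example.

```python
"""Audit a `show ip route` listing for unfamiliar static routes and odd next hops.

Added example for these notes (not Cisco's or any vendor tool's code).
The route listing and the baseline below are constructed for the demo.
"""
import ipaddress
import re

# Constructed `show ip route` output: one default route, two connected
# networks, two OSPF routes and one static route nobody remembers adding.
SAMPLE_SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, O - OSPF, B - BGP, * - candidate default
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 203.0.113.1
C     203.0.113.0/30 is directly connected, GigabitEthernet0/1
C     192.168.10.0/24 is directly connected, GigabitEthernet0/0
O     10.20.0.0/16 [110/20] via 192.168.10.2, 01:12:07, GigabitEthernet0/0
S     10.30.0.0/16 [1/0] via 198.51.100.77
O     10.40.0.0/16 [110/30] via 192.168.10.2, 00:03:11, GigabitEthernet0/0
"""

# Assumed baseline: the static routes the operator knows were configured.
BASELINE_STATIC = {("0.0.0.0/0", "203.0.113.1")}

# Single-letter route code (optionally starred), prefix, then either
# "[AD/metric] via next-hop" or "is directly connected, <interface>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\d+(?:\.\d+){3})"
    r"|is directly connected, (?P<iface>\S+))"
)


def parse_routes(text: str) -> list[dict]:
    """Turn the listing into route records; header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "code": m.group("code"),
            "prefix": ipaddress.ip_network(m.group("prefix")),
            "nexthop": ipaddress.ip_address(m.group("nexthop")) if m.group("nexthop") else None,
            "iface": m.group("iface"),
        })
    return routes


def audit_routes(text: str, baseline_static: set[tuple[str, str]]) -> list[dict]:
    """Return the routes that fail the common-sense test, with the reasons."""
    routes = parse_routes(text)
    connected = [r["prefix"] for r in routes if r["code"] == "C"]
    findings = []
    for r in routes:
        reasons = []
        if r["code"].startswith("S"):
            if (str(r["prefix"]), str(r["nexthop"])) not in baseline_static:
                reasons.append("static route not in baseline (possible direct compromise)")
        if r["nexthop"] is not None and not any(r["nexthop"] in net for net in connected):
            reasons.append("next hop is not on any directly connected network")
        if reasons:
            findings.append({"prefix": str(r["prefix"]), "nexthop": str(r["nexthop"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_routes(SAMPLE_SHOW_IP_ROUTE, BASELINE_STATIC):
        print(f["prefix"], "via", f["nexthop"], "->", "; ".join(f["reasons"]))
```

The parser covers the single-letter route codes and the two common line shapes; multi-word codes such as `O IA` or `B E2` would need the `code` group extended. Run the audit against a baseline taken from a known-good configuration, not from the router under investigation.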
● The information that is on the router is related to network topology and access
control.
● Typical information that attackers gain from routers includes password, routing, and
topology information.
● The recovery from this data theft is to change passwords, avoid password reuse, and
● A common problem is the SNMP service enabled with the default community string
(effectively the password) of public. With this service enabled, an attacker can
gain a great deal of sensitive network information; Internet attackers can even learn
the hosts and IP ranges on internal networks.
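The default-community problem above, and the telnet and password exposures listed under direct compromise, can be found by reading the running configuration. Below is an added example (not from these notes or from any Cisco tool) that audits a constructed IOS running-config excerpt and, for each weak line, names the corrected line; the hostname, password and configuration lines are made up for the example.

```python
"""Flag information-theft exposures in a router's running configuration.

Added example for these notes; not Cisco's or any vendor tool's code.
The configuration excerpt is constructed and contains the weak settings
described in the notes so that each one is shown beside its fix.
"""
import re

SAMPLE_RUNNING_CONFIG = """\
version 15.2
hostname edge-rtr
no service password-encryption
enable password cisco123
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [RO|RW] [acl]
SNMP_RE = re.compile(r"snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$")


def audit_config(config: str) -> list[dict]:
    """Return one finding per weak setting, each with the IOS line that fixes it."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = SNMP_RE.match(line)
        if m:
            community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append({"line": line, "issue": "default SNMP community string",
                                 "fix": f"no {line}; use a long random community, or SNMPv3 with auth and priv"})
            if mode == "RW":
                findings.append({"line": line, "issue": "writable SNMP community",
                                 "fix": "remove RW access; use SNMPv3 with an authorized user instead"})
            if acl is None:
                findings.append({"line": line, "issue": "SNMP community not restricted by ACL",
                                 "fix": "snmp-server community <string> RO <acl> with an ACL that permits only the NMS"})
        elif line.startswith("transport input") and "telnet" in line.split():
            findings.append({"line": line, "issue": "telnet accepted on vty lines",
                             "fix": "transport input ssh"})
        elif line.startswith("enable password"):
            findings.append({"line": line, "issue": "enable password stored with reversible or no encryption",
                             "fix": "enable secret <new-password>, then remove the enable password line"})
        elif line == "no service password-encryption":
            findings.append({"line": line, "issue": "line passwords stored in clear text",
                             "fix": "service password-encryption, and rotate any password that was exposed"})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_RUNNING_CONFIG):
        print(f"{f['issue']}\n  found: {f['line']}\n  fix:   {f['fix']}")
```

The SNMP line pattern follows the `snmp-server community <string> [view <name>] [RO|RW] [acl]` syntax; a community that is not a default, is read-only and carries an ACL produces no finding. Run the audit against a copy of the configuration collected during the investigation, and treat every community string and password it reveals as already known to the attacker.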
Handling Denial-of-Service (DoS) Attacks
DoS attacks are often directed at routers. If an attacker can force a router
to stop forwarding packets, then all hosts behind the router are
effectively disabled.
○ A sporadically rebooting router is probably the result of a point-to-point attack (one
directed at the router itself).
● If the router has open ports, then an overabundance of SYN or similar packets may adversely
impact the performance of the router.
● Alternatively, even if the router has no open ports, a flood of traffic may impact the
router or use the bandwidth such that network performance is significantly degraded.
Recovering from DoS Attacks
● Usually, DoS attacks do not involve compromise of the router; rather, they are
composed of unwanted packets sent to or through the router. Recovery usually
consists of a combination of the following measures:
○ Filtering packets based on a wide range of attributes, including (but not limited to) the following:
○ Protocol
○ TCP flag
○ Time of day
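Added example, not from the original notes: detection logic for the SYN-flood case above, run over constructed flow records (timestamp, source, destination, port, TCP flags) rather than a real NetFlow export. It counts SYN-only packets per destination port per second and, when the count crosses a threshold, reports whether the sources are concentrated (filter those sources) or spread out as with spoofed sources (filter on destination port and TCP flags and rate-limit instead), which is the decision that picks among the filter attributes listed above. The threshold and all flow values are assumptions made for the example.

```python
"""Detect a SYN flood against a router from flow records and say what to filter on.

Added example for these notes; not from any router vendor or flow tool.
Flow records are constructed: 20 normal SSH handshakes from the LAN, then
400 SYN-only packets in one second from 200 spoofed-looking sources.
"""
from collections import defaultdict


def make_sample_flows() -> list[dict]:
    """Constructed flow records: ts (seconds), src, dst, dport, TCP flags."""
    flows = []
    # Normal traffic: 20 hosts on the LAN complete a handshake to the router's SSH port.
    for i in range(20):
        src = f"192.168.10.{10 + i}"
        flows.append({"ts": 100.0 + i * 0.04, "src": src, "dst": "203.0.113.2",
                      "dport": 22, "flags": "S"})
        flows.append({"ts": 100.01 + i * 0.04, "src": src, "dst": "203.0.113.2",
                      "dport": 22, "flags": "A"})
    # Flood: 400 SYN-only packets inside one second from 200 different sources.
    for i in range(400):
        flows.append({"ts": 105.0 + i * 0.002, "src": f"198.51.100.{1 + i % 200}",
                      "dst": "203.0.113.2", "dport": 22, "flags": "S"})
    return flows


def detect_syn_floods(flows: list[dict], window: float = 1.0,
                      threshold: int = 100, spread_cutoff: float = 0.2) -> list[dict]:
    """Report (dst, port, window) buckets whose SYN-only count reaches the threshold.

    spread = unique sources / SYN count.  Near 1.0 means every packet came from a
    different address (spoofed or widely distributed), so a source-based filter is
    useless and the filter has to key on destination port and TCP flags instead."""
    buckets = defaultdict(list)
    for f in flows:
        if f["flags"] == "S":  # SYN only, no ACK: a half-open attempt
            key = (f["dst"], f["dport"], int(f["ts"] // window))
            buckets[key].append(f["src"])
    findings = []
    for (dst, dport, bucket), srcs in sorted(buckets.items()):
        if len(srcs) < threshold:
            continue
        unique = len(set(srcs))
        spread = unique / len(srcs)
        if spread > spread_cutoff:
            advice = ("sources are spread out (likely spoofed): filter on destination "
                      "port and TCP flags, and rate-limit SYNs to the router itself")
        else:
            advice = "few sources: filter those source addresses at the upstream interface"
        findings.append({"dst": dst, "dport": dport, "window_start": bucket * window,
                         "syn_count": len(srcs), "unique_sources": unique,
                         "recommendation": advice})
    return findings


if __name__ == "__main__":
    for f in detect_syn_floods(make_sample_flows()):
        print(f"{f['dst']}:{f['dport']} at t={f['window_start']}: {f['syn_count']} SYNs "
              f"from {f['unique_sources']} sources -> {f['recommendation']}")
```

The threshold should be set from the router's normal SYN rate to its own services, which on a management port is usually a handful per second; the same bucketing works for a flood passing through the router if `dst` is a host behind it.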
In the bustling city of Cyberhaven, a leading technology company, Quantum
Innovations, has been at the forefront of groundbreaking research and development in
the field of artificial intelligence. Recently, the company discovered that sensitive
intellectual property related to their upcoming flagship project has been leaked to a rival
company, Cybertech Solutions. Quantum Innovations suspects an inside job and
contacts law enforcement to investigate the case.
Virus
“a program that replicates by “infecting” other programs, so that they contain a copy of
the virus”
Viral code is attached to or inserted into the program's order of execution so that when the
legitimate code is run, the viral code is also run, or is run instead of the legitimate code.
It may be appended to the end of an executable file or inserted into unused space inside the
program.
The legitimate code must be modified so that execution branches (is vectored) to the viral code.
“trash” firmware
Process Hacker
ProcDot
Autoruns
Fiddler
Wireshark
x64dbg
Ghidra
Radare2/Cutter
Cuckoo Sandbox