We offer the art of memory forensics…
Dead-box or storage forensics alone is not enough when dealing with a running system whose current state must be preserved as evidence, because volatile memory also holds many of the key artifacts a forensic investigation needs. Given the increasing sophistication of attacks, unauthorized activity, adversaries, and even insider threats that leave traces only in volatile memory, traditional forensics that does not extract the information located in volatile memory can miss evidence at the scene. To meet these requirements and to perform digital forensic investigations fully, memory forensics has become a standard component of today's digital forensic investigations and incident response handling.
Simply stated, memory forensics is the process of capturing the current state of the system's memory as a snapshot file with special software and then analyzing the volatile data in it. The captured artifacts are cross-checked against the RAM image to reach a correct assessment of the incident or the attack. Some of the types of artifacts that can be acquired from the running system and cross-checked to solve the case are listed below.
- System inventory
- List of running processes
- Network connections and packet capturing
- List of open ports
- Registry and old registry files
- Event logs
- Currently opened windows
- Installed software
- Uninstalled software
- Prefetch files
- LNK files
- Shell history
- Most Recently Used (MRU) Files
- Browser artifacts
With years of experience, knowledge, and technological capability, DIFOSE experts are at your disposal in digital forensics and incident response cases, regardless of the complexity of the case. Knowing all aspects of digital evidence in depth, from dead-box forensics to malware infection and volatile artifacts, we are able to fully understand the scope of a digital forensic investigation.