Imaging RAM using Magnet RAM Capture
To prepare to respond to future incidents, it is best that you create a sanitized USB containing common DFIR tools—especially for live response collection. Be mindful, that although it is nice to have a USB stick with all this software and functionality, it can be a hassle to keep all that software updated. A good rule of thumb is this: update your USB stick every 6–12 months.
USB Device to Live Acquisition (RAM)
I will be using the USB device above. Make sure the size is relatively huge as you may need to collect data from more than one machine. Tradition RAM sizes on modern computers are 8GB. So, an 8GB USB device should suffice. If you can’t afford a higher one, go for it. Lastly, make sure the USB device is formatted as either exFat or NTFS for large file size support. Let’s prepare the USB with a few common tools:
Live Acquisition DFIR Tools on USB
Disclaimer: Before we start, make sure the size of your USB is greater than the system RAM since you will be creating an output of that file size.
Step 1) Plug the USB device into the target machine
I moved over to a Windows 10 Pro computer and plugged in the USB device. Windows might attempt to block the execution depending on the security settings, if so proceed anyway.
Plugging the USB Device into the suspect machine
Step 2) Launch Magnet RAM Capture
Open the drive folder and launch Magnet RAM Capture. This is a free imaging tool designed to capture the physical memory of a suspect computer. This will allow practitioners to recover and analyze valuable artifacts that are often only found in memory.
After you accept the Magnet Forensics User Agreement, select the location to place the memory image. Ideally, it would be written back to your USB drive and NOT the suspect computer—further tampering with the evidence. Let’s talk about potential issues you might face:
Depending on the file system present on your removable drive, you might get the following warning seen in the GIF below. Older FAT file systems can’t support files larger than 4GB. As mentioned above, your USB should be formatted as either exFAT or NFTS to support larger file sizes. To bypass this, you can select the “Split” Segment Size option provided by the tool. Now, click “Start” when you are ready.
Disclaimer: The memory capture could take 5-20 minutes.
The final result will be a .raw file located in your chosen output folder. This file contains a complete copy of the contents of the system RAM when the memory acquisition tool was executed. Make sure to safely eject the USB and remove the USB device when you are done. From here, you can inspect the contents of the RAM using tools like Volatility and others.
Checking for Encryption using Encrypted Disk Detection
Ok, you have successfully imaged the RAM. What is next? The next step, before considering powering off the system, would be to check for signs of encryption. If a file or disk encryption is active, your best chance for collection evidence is a live logical image. To check for the presence of encryption of encryption, we will use Magnet Forensics’ Encrypted Disk Detector (EDD). This is a command-line tool that can quickly and non-intrusively check for encrypted volumes on a computer system during incident response. But, this tool does not come without its weaknesses.
EDD relies on signature-based detection and hence can only recognize a finite number of encryption products. Here are some examples below:
- TrueCrypt
- PGP
- VeraCrypt
- Check Point related processes
- SafeBoot
- Bitlocker
Step 1) Magnet Encrypted Disk Encryption
Plug your USB back into the machine (assuming you ejected it), and run EDD. The tool will report its analysis in the command window. In this example, you can see no signs of encryption products. Although, EDD provides a nice report of the connected drives and mounted partitions on the system.
After your review, you can press any key to close the EDD output report.
Incident Response Case Study: Dr. Lovelace
The scenario we are about to embark on will be completely fictitious, but it will provide us with a good experience when it comes to live acquisition, especially with Kape. Let me debrief you on are current findings with the scenario below:
Looking at the Timeline of Events, we have reasons to believe it was done by a well-informed adversary, possibly with insider knowledge. In my past article Time Travel With Timeline Explorer: Exposing Insider Threats, I talk about the dangers of insider threats, discussing some tooling tips around Timeline Explorer and MFTECmd—both created by Eric Zimmerman. I consider that article a prerequisite to this, as I don’t want to overlap in content. With all that said, let’s continue with the scenario.
IR Team: Initial Point of Contact
The Incident Response (IR) Team managed to find Ava’s computer unlocked at her home after she received multiple email notifications of her Microsoft email password being changed an hour ago. The Team decided to *equip a D: Drive containing Kape to the computer to pull key artifacts.
*This is an EC2 instance, but the techniques should work the same
Now, users like Ava are not allowed to have admin rights—due to the increased risks that come with it. We should have a Privileged Access Management (PAM) solution in place to exert control over the privileged access and permissions for users, accounts, and systems. We don’t have an EDR tool in place to collect forensic information, so we are going the old-fashioned way—manual collection onsite. Let’s grant Ava’s account permission to run Kape, as her account lacks rights.
There are two ways we can export the data—quick and slow. Let me show you the first: I am going to execute the following command: .\\kape.exe --tsource C: --tdest "D:\\Kape Collect" --tflush --target !SANS_Triage --msource "D:\\Kape Collect" --mdest "D:\\Kape Parse" --mflush --module !EZParser --gui
As you can see, my target source is in the C:\\ Drive, Target destination: D:\\Kape Collect, Module source: D:\\Kape Collect, and Module destination: D:\\Kape Parse. The Flush box tells Kape to wipe the destination folder, just in case you have content in there from a previous investigation. I checked the !SANS_Triage target, as it is composed of other targets that contain relevant evidence on a Windows system. Here is the complete list of targets if you are curious.
After that is completed, we should get a collection of parsed artifacts, which we can then utilize Timeline Explorer to examine
Now, my favorite is to export the target source as a VHDX file. This will allow you to compress the file size of the triaged artifacts and mount it on Arsenal Image Mounter. This one does take some time, so given the current situation, you may want to weigh your priorities.
In the next section, we are going to mount it!
Mounting The Triaged Image
We switched to a separate computer to perform the investigation. After downloading Arsenal Image Mounter, we are going to open it and click ‘Ok,’ as we can still perform basic functions in Free Mode. You should be presented with this screen:
Open the newly created VHDX file.
Select Disk device, write temporary.
Select ‘No’ if you get the Write overlay differing file already exist warning. Now you will probably get another warning labeled Disk read-only. Seeing that this is a copy of the victim’s Ava’s data, we will make it writable, because it will not be present in the drive selection under This PC. Lastly, you will get the final warning: Disk offline. Make it online please (internet is not required for this section). Now you should have the image with its assigned drive letter—in my case D:\\.
The drive should be present under This PC, so found here, you can utilize other forensic tools to examine the triage contents we collected using Kape.
Before we conclude, I would hash the forensic image to ensure the integrity of evidence—especially after making the disk writable. If this was a real-world scenario, it would be quite hard to prove the authenticity of digital evidence. My hash is 91EF8C22AA684E05B58E662E994ED23C3734CE46AE8C4CFB7C30E5827A5C7DED
This is just the beginning of our investigation. If you would like to explore this same drive using tools like Registry Explorer and Timeline Explorer, we have a lab titled BTLO - Aspen in our FrostByte 2024 event this month. Sign up for Blue Team Labs Online (BTLO) and learn the motives behind this attack!
Summary
To conclude, practitioners have only one opportunity to capture RAM during an incident. Using tools like Magnet RAM Capture can make this task easy—especially on a ready-made USB device. After capturing RAM, your next step should be to check for signs of encryption. Using EDD can quickly identify several types of encryptions. However, it will not be able to check every possible form of encryption available. From here, you should utilize Kape for quick triage collection and analysis. The knowledge from this lesson should correctly guide your decision in live acquisition—to collect artifacts, image the system live, or remove power from the system.
About SBT
Security Blue Team is a leading online defensive cybersecurity training provider with over 100,000 students worldwide, and training security teams across governments, military units, law enforcement agencies, managed security providers, and many more industries.
