Module 5 - Volatile Data Flashcards

Question 1

Q

Types of data that may exist in memory that may not be on hard drive (5):

Answer

A

encryption keys
passwords
malware
registry
RAM disk

Question 2

Q

Memory retention

Answer

A

After system is rebooted (not shutdown), data still resides in memory from the first instance until new values are sent to the register.

Question 3

Q

Benefits of Memory Collection

Answer

A

may have data not elsewhere on hard drive

- much data in unprotected,unencrypted format.

Question 4

Q

Memory file on disk (list some)

Answer

A

swap files/page files
hibernation files
.vmem files

Question 5

Q

Memory Capture / Analysis Tools (Name 5)

Answer

A

WindowScope
Volatility
Windows Memory Forensic Toolkit (WMFT)
Forensic Analysis Toolkit (FATKit)
Mandiant's Memoryze

Question 6

Q

Describe Windows Memory Forensic Toolkit (WMFT)

Answer

A

Collection of utilities intended for forensic use.

- Perform forensic analysis of physical memory images acquired from Windows 2000/2003/XP machines.

Question 7

Q

Describe Forensic Analysis Toolkit (FATKit)

Answer

A

Cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory

Question 8

Q

Describe WindowScope

Answer

A

subsidiary of BlueRISC
GUI, student versions
Advanced analysis of running memory and image files
Structure of memory
Program calls

Question 9

Q

Describe Volatility

Answer

A

Volatile systems
Multiple formats/types (Python Scripts, Compiled exe)
Command Line
64 bit versions under development (info dated)
version 2.0 (info dated)

Question 10

Q

Name Some Artifacts retrieved with Volatility (7)

Answer

A

Image Identification: Which version of Windows was running
Lists of Processes and Loaded DLLs
Process Memory
Kernel Memory and Related Objects
Network Information, including open connections and sockets
Registry information, including hash dumps
Malware information

Question 11

Q

Volatility command to obtain connections

Answer

A

volatility.exe -f .vmem connections
python vol.py -f .vmem connections

returns along with Process IDs (Pid)

Question 12

Q

Volatility command to obtain open sockets

Answer

A

volatility.exe -f .vmem –profile=WinXPSP3x86 sockets

python vol.py -f .vmem –profile=WinXPSP3x86 sockets

Question 13

Q

Volatility commands to obtain hash values of user accounts in memory

Answer

A

volatility. exe -f .vmem hivelist

volatility. exe -f .vmem hashdump -y -s

Question 14

Q

Describe Memoryze

Answer

A

Created by Mandiant
Works with:
Windows 2000 Service Pack 4 (32-bit)
Windows XP Service Pack 2 and Service Pack 3 (32-bit)
Windows Vista Service Pack 1 and Service Pack 2 (32-bit)
Windows 2003 Service Pack 2 (32-bit)
Windows 2003 Service Pack 2 (64-bit)
Windows 7 Service Pack 0 (32-bit)
Windows 7 Service Pack 0 (64-bit)
*Windows 2008 Service Pack 1 and Service Pack 2 (32-bit) – beta version
Windows 2008 R2 Service Pack 0 (64-bit)

Module 5 - Volatile Data Flashcards

Analyze a memory file from a virtual machine Identify current tools associated with examining memory, including a description of the strengths and weaknesses Examine the basic operations of volatility (14 cards)