Windows Forensic Analysis Toolkit

Chapter 3: Windows Memory Analysis

Introduction

In Chapter 1, Live Response: Collecting Volatile Data, we discussed collecting volatile data from a live, running Windows system. From the Order of Volatility listed in RFC 3227, we saw that the first item of volatile data that should be collected during live-response activities is the contents of physical memory, commonly referred to as RAM. Although the specifics of collecting particular parts of volatile memory, such as network connections or running processes, have been known for some time and discussed pretty extensively, the issue of collecting, parsing, and analyzing the entire contents of physical memory is a relatively new endeavor. This field of research has really opened up in the past year or two, beginning in the summer of 2005, at least from a public perspective.

The most important question that needs to be answered at this point is, Why? Why would you want to collect the contents of RAM? How is doing this useful, how is it important, and what would you miss if you didn't? Until now, some investigators have collected the contents of RAM in the hope of finding something that they wouldn't find on the hard drive during a post-mortem analysis: specifically, passwords. Programs will prompt the user for a password, and if the dialog box has disappeared from view, the most likely place to find that password is in memory. Malware analysts will look to memory when dealing with encrypted or obfuscated malware, because when the malware is launched, it will be decrypted in memory.
