
RAM Analysis

Acquisition Phase:
Acquisition was done with FTK Imager. The steps were as follows:

The memory capture is started from the File menu by clicking Capture Memory.
This opens the following pop-up:

Select the destination path where the captured memory (the memory dump) is to be stored. Including
the page file and creating an AD1 file are optional and can be enabled as the case requires; the
page file holds memory that had been swapped out to disk, so including it gives a more complete
picture at the cost of a larger capture. The destination should be external media rather than the
suspect machine's own disk, so that writing the dump does not overwrite unallocated space that may
itself be evidence. Clicking Capture Memory then starts the acquisition.

The capture takes anywhere from about 5 to 30 minutes, scaling with the amount of installed RAM
and the speed of the destination media.
With acquisition finished, analysis of the memory dump is done in Belkasoft Evidence Center X.
First a new case is created in the chosen directory.

After the case has been created, the memory dump is added to it as a data source. This is done by
clicking Add data source in the menu and pointing it to the memory dump's path; Belkasoft then
begins analyzing the dump and adding it to the case as evidence.
Analysis in Belkasoft is a three-step process: it first initializes the data source, then analyzes
it (including a review of process names for anything suspicious), and finally carves data out of
the memory dump. Depending on the size of the RAM dump and the artifact types selected when adding
it, analysis can take from about 2 hours to 4-5 hours.
Once the source has been added, Belkasoft shows the variety of data carved from the dump, which
generally looks like this:

The Create report option then exports all of the extracted data to a file type of your choice
(here a PDF), which can be used to analyze the artifacts further.
The report includes a variety of items, such as the images present in the dump.

These images are part of the browser's data or of other applications that at some point brought
them into memory. It was observed that a large portion of them were cached images from the
browser's history, belonging to the social network Facebook.
Further analysis reveals a comprehensive list of browser artifacts, including but not limited to
the URLs accessed.

Most of these URLs came directly from the browser's history, while some were from certificate
exchanges rather than pages the user opened, a distinction worth making before treating every
carved URL as user activity.
It also carved data from mail clients and a few Skype chats.
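The carving that Belkasoft performs in its third analysis step, and that produced the URL and image lists described above, is signature based: the tool scans the raw dump for byte patterns that mark the start of an artifact. The script below is an added example of that technique written for this page; it is not Belkasoft's or FTK Imager's code. It hashes the dump (the integrity check to record right after acquisition and repeat before analysis), then carves ASCII and UTF-16LE URLs and complete JPEG images. The sample dump it scans is constructed inline with a few planted artifacts so that it runs offline; the planted URLs and the filler bytes are assumptions of the example, not values from the real case. Pointed at the file FTK Imager wrote, it maps the file instead of reading it whole.

```python
"""Signature carving over a raw memory dump.  Added example; the sample dump
built by build_sample_dump() is constructed, not a real capture."""
import hashlib
import mmap
import re
import sys

# ASCII URL: scheme, host, optional path.  The character class is kept narrow
# so the match stops at the first byte a URL cannot contain.
URL_ASCII = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9./?=&_%#\-]*)?")
# The same URL in UTF-16LE, the encoding Windows and most browsers use for
# strings in memory: every character is followed by a NUL byte.  Scanning for
# ASCII only would miss these.
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[A-Za-z0-9./?=&_%#\-]\x00)+")
JPEG_SOI = b"\xff\xd8\xff"      # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"          # JPEG end-of-image marker
MAX_JPEG = 10 * 1024 * 1024     # give up on an image with no EOI within 10 MiB


def hash_dump(data) -> str:
    """SHA-256 of the image.  Record it straight after acquisition and check it
    again before analysis so any later change to the file is detectable."""
    return hashlib.sha256(data).hexdigest()


def carve_urls(data) -> list:
    """(offset, url) pairs for every ASCII and UTF-16LE URL, sorted by offset."""
    hits = [(m.start(), m.group().decode("ascii")) for m in URL_ASCII.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in URL_UTF16.finditer(data)]
    return sorted(set(hits))


def carve_jpegs(data) -> list:
    """(offset, bytes) for every JPEG that has both a start and an end marker.
    A start marker with no end marker within MAX_JPEG bytes is a truncated
    image (for instance one partly paged out to disk) and is skipped rather
    than carved as garbage.  Embedded thumbnails carry their own markers, so a
    carved image may stop at the thumbnail's end marker; that is a known limit
    of plain header/footer carving."""
    found, pos = [], 0
    while (start := data.find(JPEG_SOI, pos)) != -1:
        end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + MAX_JPEG)
        if end == -1:
            pos = start + 1
            continue
        found.append((start, bytes(data[start:end + len(JPEG_EOI)])))
        pos = end + len(JPEG_EOI)
    return found


def analyze(data) -> dict:
    """Summary of what the carvers found, plus the dump's hash."""
    urls, jpegs = carve_urls(data), carve_jpegs(data)
    return {"sha256": hash_dump(data), "urls": urls,
            "jpeg_offsets": [off for off, _ in jpegs]}


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory image: inert filler with a few planted
    artifacts.  The filler (every byte value in sequence) contains none of the
    signatures above, so the results are fully predictable."""
    filler = bytes(range(256)) * 4
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\x00" * 64 + JPEG_EOI)
    truncated_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32   # no EOI follows
    return (filler + b"https://www.facebook.com/" + filler
            + b"http://ocsp.example.net/" + filler + jpeg + filler
            + "https://m.facebook.com/login".encode("utf-16-le") + filler
            + truncated_jpeg + filler)


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real dump: map it rather than read gigabytes into RAM
        with open(sys.argv[1], "rb") as f, \
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            report = analyze(m)
    else:
        report = analyze(build_sample_dump())
    print("sha256:", report["sha256"])
    for off, url in report["urls"]:
        print(f"0x{off:08x}  {url}")
    print("complete JPEGs at:", [hex(o) for o in report["jpeg_offsets"]])
```

Run without arguments it reports the three planted URLs (the UTF-16LE one would be invisible to an ASCII-only strings pass) and exactly one JPEG, skipping the truncated one; run with the path of a capture it does the same over the real file.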
Data Recovery Issues
Data recovery is an important part of forensics, but older technology such as hard disk drives
(HDDs) and newer technology such as solid state drives (SSDs) each have their own share of
problems when it comes to recovering data. We now look briefly at the issues faced on the
following three drive types:
• Hard Disk Drive (HDD)
• SATA-III Solid State Drive (SSD)
• NVMe Solid State Drive (NVMe SSD)

Hard Disk Drives (HDD):


The major drawback of an HDD is that it is one of the few parts of a computer that is mechanical,
and mechanical parts wear over prolonged use, which makes data on an older drive somewhat harder
to recover. Bumps and falls can also render the drive unusable and make recovery impossible. A
sudden loss of power or an improper shutdown can permanently damage the drive as well, causing
further problems for data recovery. On the other hand, an HDD overwrites sectors in place and does
nothing with sectors the file system marks as free, so deleted data normally remains on the
platters until something else is written over it, which is why deleted-file recovery on an HDD is
comparatively reliable.

SATA-III Solid State Drive (SSD):


SSDs are faster than HDDs, but the recovery problems they present are entirely different. If the
SSD's firmware is damaged, or poorly designed to begin with, it will shorten the drive's lifespan
unless a fix is applied; in extreme cases the drive may fall back to a read-only mode to keep the
system from accessing bad data. SSDs have no moving parts and so make no noise in use, which makes
it hard to tell whether a drive is failing: it may work fine one day and die quietly the next.
In addition, the TRIM command used to prolong an SSD's life can prevent the recovery of deleted
data entirely. TRIM tells the drive's controller which blocks the file system no longer uses; the
controller then treats that data as garbage, typically returns zeros for those blocks from then
on, and erases them in the background, so data the file system has merely deleted is lost for
good. Finally, the SSD's controller decides for itself where on the flash chips data is placed
(wear levelling and out-of-place writes), and the host never sees that physical layout, which
makes it very hard to determine where a given piece of data actually resides and harder still to
recover it.
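The TRIM and data-placement problems just described are easier to see on a model than in prose. Below is an added example written for this page: a toy flash translation layer in Python that is not any vendor's firmware and not code from the original report. It reproduces only the behaviour that matters for recovery: writes always land on a fresh page, the host addresses logical blocks and never physical pages, a file deleted without TRIM leaves its mapping untouched, and TRIM drops the mapping and lets garbage collection erase the page. The drive geometry, the zeros returned for an unmapped address, and the garbage-collection policy are all assumptions of the model.

```python
"""Toy flash translation layer showing why TRIM defeats deleted-file recovery.
Added example; geometry and policies are model assumptions, not a real drive."""
PAGES_PER_BLOCK = 4   # flash is written per page but can only be erased per block
PAGE_SIZE = 8         # bytes per page, tiny so the demo stays readable


class ToySSD:
    def __init__(self, blocks: int, trim_enabled: bool):
        self.trim_enabled = trim_enabled
        self.flash = [[None] * PAGES_PER_BLOCK for _ in range(blocks)]   # raw cells
        self.valid = [[False] * PAGES_PER_BLOCK for _ in range(blocks)]  # page still mapped?
        self.l2p = {}   # logical block address -> (block, page); the host never sees this

    def _free_page(self, exclude=None):
        for b, block in enumerate(self.flash):
            if b == exclude:
                continue
            for p, cell in enumerate(block):
                if cell is None:
                    return b, p
        raise RuntimeError("flash full: garbage collection needed")

    def write(self, lba: int, data: bytes):
        """Flash cannot be overwritten in place: new data lands on a fresh page
        and the old page stays physically intact but unmapped (stale)."""
        data = data.ljust(PAGE_SIZE, b"\x00")
        if lba in self.l2p:
            ob, op = self.l2p[lba]
            self.valid[ob][op] = False
        b, p = self._free_page()
        self.flash[b][p] = data
        self.valid[b][p] = True
        self.l2p[lba] = (b, p)

    def read(self, lba: int) -> bytes:
        """Unmapped LBAs (never written, or trimmed) read as zeros, the
        'deterministic read after TRIM' behaviour of most current drives."""
        if lba not in self.l2p:
            return b"\x00" * PAGE_SIZE
        b, p = self.l2p[lba]
        return self.flash[b][p]

    def delete(self, lba: int):
        """The file system frees the LBA.  Without TRIM the drive is never told,
        so mapping and data survive and a normal disk image still shows them.
        With TRIM the mapping is dropped at once and the page becomes garbage."""
        if self.trim_enabled and lba in self.l2p:
            b, p = self.l2p.pop(lba)
            self.valid[b][p] = False

    def garbage_collect(self):
        """Reclaim every block holding stale pages: copy its valid pages to
        another block, then erase the whole block.  Real drives run this on
        their own schedule, so how long a trimmed page stays readable from the
        chips is unpredictable."""
        for b, block in enumerate(self.flash):
            stale = [cell is not None and not v for cell, v in zip(block, self.valid[b])]
            if not any(stale):
                continue
            for p, cell in enumerate(block):
                if self.valid[b][p]:
                    lba = next(l for l, loc in self.l2p.items() if loc == (b, p))
                    nb, npg = self._free_page(exclude=b)
                    self.flash[nb][npg], self.valid[nb][npg] = cell, True
                    self.l2p[lba] = (nb, npg)
            self.flash[b] = [None] * PAGES_PER_BLOCK
            self.valid[b] = [False] * PAGES_PER_BLOCK

    def raw_flash(self) -> bytes:
        """Every cell, mapped or not: what reading the NAND directly (chip-off)
        would show.  The normal drive interface exposes only read()."""
        return b"".join(c for block in self.flash for c in block if c is not None)


def recovery_outcome(trim_enabled: bool) -> dict:
    """Store two files, delete one, and report what each recovery route sees."""
    ssd = ToySSD(blocks=2, trim_enabled=trim_enabled)
    ssd.write(0, b"SECRET01")          # the file that will be deleted
    ssd.write(1, b"EVIDENCE")          # a file that stays
    ssd.delete(0)
    logical = ssd.read(0)              # what imaging the drive over SATA/NVMe returns
    before_gc = b"SECRET01" in ssd.raw_flash()
    ssd.garbage_collect()
    after_gc = b"SECRET01" in ssd.raw_flash()
    return {"logical_read": logical, "raw_before_gc": before_gc,
            "raw_after_gc": after_gc, "other_file_intact": ssd.read(1) == b"EVIDENCE"}


def overwrite_leaves_stale_copy() -> bool:
    """Even an ordinary overwrite is out of place, so the previous contents
    linger in a page no address points to: 'the data' has no single location."""
    ssd = ToySSD(blocks=2, trim_enabled=True)
    ssd.write(0, b"VERSION1")
    ssd.write(0, b"VERSION2")
    return ssd.read(0) == b"VERSION2" and b"VERSION1" in ssd.raw_flash()


if __name__ == "__main__":
    for trim in (False, True):
        print("TRIM", "on " if trim else "off", recovery_outcome(trim))
    print("stale copy after overwrite:", overwrite_leaves_stale_copy())
```

Without TRIM the deleted file is still returned by a logical read, so an ordinary disk image recovers it, and it survives garbage collection because its page is never marked stale. With TRIM the logical read returns zeros immediately; the bytes linger on the chips only until garbage collection runs, so chip-off is the only route and it has an unknown deadline. The overwrite case shows the placement problem: the current version and the old one sit in different physical pages at the same time.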

NVMe Solid State Drive (NVMe SSD):


NVMe SSDs are the faster cousins of SATA-III SSDs: they use the same kind of flash storage but
connect over the PCIe bus with the NVMe protocol instead of the SATA interface. Being SSDs, they
inherit all of the problems of their SATA-III counterparts. In addition, NVMe SSDs can run very
hot even under normal conditions, let alone under heavy computation, so their life may be
drastically reduced under heavy workloads, possibly to the point where recovery becomes
impossible. NVMe drives also need only a small percentage of bad blocks before the device becomes
completely inaccessible, making recovery hard if not impossible.
