Assignment2 ADForensics I202001
Acquisition Phase:
Acquisition was done via FTK Imager. The steps are highlighted as follows:
The memory capture process is started by selecting the Capture Memory option in the File tab.
It will then open the following pop-up:
Select the path where the captured memory (the memory dump) should be stored. Creation of
an AD1 file and inclusion of the page file are optional and may be enabled according to the
requirements. Clicking Capture Memory then starts the acquisition.
RAM Analysis
Depending on the amount of RAM, the capture may take anywhere from 5 minutes to 30 minutes,
increasing proportionally with the size of the RAM.
Now that the Acquisition process has finished, we will begin the analysis of the dumped memory
via Belkasoft Evidence Center X. We will create a new project in our chosen directory.
After the case has been created, we add a data source (the memory dump) to it. This is done by
clicking Add a data source in the menu; after it is pointed at the memory dump's path, Belkasoft
begins analyzing the dump and adding it to the case as potential evidence.
Analysis is a three-fold process in Belkasoft: it first initializes the data source, then analyzes
suspicious process names, and finally carves data out of the memory dump. Depending on the
size of the RAM dump and the artifact types selected when adding it, the analysis may take a
while to complete, ranging from 2 hours to as much as 4-5 hours.
After the source is added, it will begin showing a variety of data that was carved from the dump
and will generally look like this:
We can follow up with the Create Report option, which exports all of the extracted data to a file
type of our choice (in this case a PDF was chosen), where we further analyze the artifacts.
The report includes a variety of things such as images present inside the dump.
These images are either part of the browser's data or belong to other applications whose data at
some point made its way into memory. It was observed that a large portion of these images were
in fact cached images from the browser's history of the social network Facebook.
Further analysis reveals a comprehensive list of browser artifacts, including but not limited to the
URLs accessed. Most of these URLs were obtained directly from the browser's history, while some
came from certificate exchanges.
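As an added illustration of the carving step described above (images and URL strings pulled out of a raw memory image), the following Python script is not part of the assignment or of Belkasoft's code. It carves JPEG and PNG objects by their well-known header and trailer signatures, extracts URL-looking strings with a regular expression, and records a SHA-256 of the image for the report. The sample "dump" is constructed inline, and the `.mem` file handling via `mmap` is an assumption about how a practitioner would run it on a real capture.

```python
import hashlib
import mmap
import re
from dataclasses import dataclass

# Well-known file-signature constants used for carving.
JPEG_SOI = b"\xff\xd8\xff"            # Start Of Image, followed by an APPn marker byte
JPEG_EOI = b"\xff\xd9"                # End Of Image
PNG_SIG = b"\x89PNG\r\n\x1a\n"        # PNG file signature
PNG_IEND = b"IEND\xae\x42\x60\x82"    # IEND chunk type plus its fixed CRC

# URL-looking byte strings; stops at whitespace, NUL and other non-URL bytes.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Constructed sample memory image (NOT a real dump): filler bytes, one minimal
# JPEG, one minimal PNG, browser-history-like strings, and one truncated JPEG
# (a header with no trailer) to show the failure mode a carver must tolerate.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"https://www.facebook.com/photo.php?fbid=123 "
    + JPEG_SOI + b"\xe0JFIF\x00" + b"\x11" * 40 + JPEG_EOI
    + b"\x00" * 32
    + b"http://example.invalid/login?user=alice "
    + PNG_SIG + b"\x00\x00\x00\rIHDR" + b"\x22" * 20 + PNG_IEND
    + b"skype: hello there\x00"
    + b"https://www.facebook.com/messages/ "
    + JPEG_SOI + b"\xe1Exif\x00" + b"\x33" * 16   # truncated: no EOI follows
)


@dataclass
class CarvedFile:
    kind: str      # "jpeg" or "png"
    offset: int    # byte offset of the header inside the image
    data: bytes    # carved bytes, header through trailer


def _carve_by_signature(image, kind, header, trailer):
    """Collect every header..trailer span of one file type.

    A header with no trailer after it (a truncated object) is skipped rather
    than carved as garbage; since the trailer search is forward-only, no later
    header can have a trailer either, so scanning stops there.
    """
    found = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start < 0:
            break
        end = image.find(trailer, start + len(header))
        if end < 0:
            break
        end += len(trailer)
        found.append(CarvedFile(kind, start, bytes(image[start:end])))
        pos = end
    return found


def carve_images(image):
    """All JPEG and PNG objects recoverable from the raw image, by offset."""
    files = _carve_by_signature(image, "jpeg", JPEG_SOI, JPEG_EOI)
    files += _carve_by_signature(image, "png", PNG_SIG, PNG_IEND)
    return sorted(files, key=lambda f: f.offset)


def extract_urls(image):
    """Unique URL-looking strings found anywhere in the raw image, sorted."""
    return sorted({m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(image)})


def summarize(image):
    """Integrity hash plus carved artifacts, in a form that fits a report."""
    return {
        "sha256": hashlib.sha256(image).hexdigest(),
        "size": len(image),
        "images": [(f.kind, f.offset, len(f.data)) for f in carve_images(image)],
        "urls": extract_urls(image),
    }


def summarize_file(path):
    """Same as summarize() over a memory-mapped dump, so a multi-GB .mem file
    (assumed FTK Imager output) is not read into RAM in one piece."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return summarize(mm)


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_DUMP), indent=2))
```

Signature-based carving like this is what recovers cached browser images from a dump even when no file system metadata survives in memory; the truncated JPEG at the end of the sample is deliberately left uncarved, which is the same reason a real carver reports fewer files than it finds headers for.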
It also managed to carve out data that included mailing agents and a few chats from Skype.
Data Recovery Issues
Data recovery is an important part of forensics. However, older technology like hard disk drives
(HDD) as well as modern technology like solid state drives (SSD) have their fair share of issues
when it comes to data recovery. We will now focus briefly on the kinds of issues we face with
the following three drive types:
• Hard Disk Drive (HDD)
• SATA-III Solid State Drive (SSD)
• NVMe Solid State Drive (NVMe SSD)