Physical Memory Analysis
You could say in the last few years there has been a boom in physmem(physical memory) analysis. There’s many tools out there to help aid in the analysis process but if you are fresh into forensics like us the question is, “Where do I start?” There’s plenty of good write ups about the tools themselves but, if you are not already familiar with what or how to look for information, it becomes fairly daunting to jump right in. This will be the first part of a series of posts regarding tools and what they can be used for.
What’s in PhysMem
The PhysMem contains an enormous amount of useful information. Process Lists, potential malware, images and even IP communication can be hiding deep inside your memory without you even knowing it. With this kind of information, it becomes extremely important to obtain an image of your memory before it’s too late(pre reboot)! Remember, physical memory is volatile and should be treated as one of your number one priorities during an investigation/incident. Throughout these write ups, I’ll be able to show some examples of what and how you can find information stored in memory.
Foremost is great at dumping all of the potential files out of memory. This is a Linux based CLI tool and it’s fairly straight forward in how to use it. First, let’s take a look at the help (foremost -h).
You have your standard -i input and -o output switches. -v will display all of the list of files being identified by foremost. The last notable switch is -t. If you know exactly what you are looking for such as questionable images or a malicious executable you can use -t to define what you want foremost to pull.
Basic execution is below.
We are running foremost against an image that you can download off their website from the link earlier in the post. This will execute foremost and drop all of the different files sorted in folders based on file type. An example of the output is below.
The “audit.txt” file that gets generated is the entire list of what has been exported. At the bottom of the file, you will get a summary of how many files of what types were extracted.
This was your basic, quick how to for foremost. If you have something you’d like us to add or clarify, please comment to this post. The next part of this series will deal with Bulk Extractor.