2. Whoami?
• Cyber Security Consultant at Mitra Integrasi Informatika (MII)
• Researcher at dracOs Dev Team
• Coordinator of Reversing.ID
http://xathrya.id/ 2
3. Organization
• Divided into sections corresponding to the forensic stages.
• Each section has objectives
• Has background explanation where necessary
4. Overview
• Engage in practical forensic activity
• Acquisition
– Windows Memory Acquisition
• Analysis
– Process & DLLs
– Registry
– Connections
8. Profile?
• Each operating system has a different internal structure
• Even minor versions differ
• Volatility needs to know what type of system our memory dump came from, so it knows which data structures, algorithms, and symbols to use.
• List all profiles
$ vol.py --info
9. Command Line
• Typical command
$ vol.py -f memdump.img --profile=<profile> <plugin>
• Every command / task is implemented as plugin
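As an added example (not part of the slides), a small Python driver that ties the typical command line to the analysis areas listed in the overview: it hashes the dump so reports can be tied to an unmodified image, then runs one Volatility 2 plugin per area and saves each plugin's output. It assumes `vol.py` is on PATH and that the profile was chosen from `vol.py --info`; the plugin grouping and output layout are this example's own choices.

```python
import hashlib
import subprocess
from pathlib import Path

# Volatility 2 plugins grouped by the analysis areas from the overview
# (processes & DLLs, registry, connections). netscan covers Vista and later;
# older XP-era images would use the connections/sockets plugins instead.
ANALYSIS_PLUGINS = {
    "processes": ["pslist", "psscan"],
    "dlls": ["dlllist"],
    "registry": ["hivelist"],
    "connections": ["netscan"],
}


def build_command(image, profile, plugin, vol="vol.py", extra=()):
    """Assemble the typical invocation: vol.py -f <image> --profile=<profile> <plugin>."""
    return [vol, "-f", str(image), f"--profile={profile}", plugin, *extra]


def sha256_file(path, chunk=1 << 20):
    """Hash the dump before analysis so every report can be tied to this exact image."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def run_analysis(image, profile, outdir, vol="vol.py"):
    """Run each plugin once against the image; returns {plugin: output file path}."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    (outdir / "image.sha256").write_text(f"{sha256_file(image)}  {image}\n")
    results = {}
    for area, plugins in ANALYSIS_PLUGINS.items():
        for plugin in plugins:
            proc = subprocess.run(build_command(image, profile, plugin, vol),
                                  capture_output=True, text=True)
            target = outdir / f"{area}_{plugin}.txt"
            target.write_text(proc.stdout)
            if proc.returncode != 0:  # keep stderr so a failed plugin is visible
                (outdir / f"{area}_{plugin}.err").write_text(proc.stderr)
            results[plugin] = target
    return results


if __name__ == "__main__":
    import sys
    image, profile, outdir = sys.argv[1:4]
    for plugin, path in run_analysis(image, profile, outdir).items():
        print(f"{plugin:<12} -> {path}")
```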
11. 0x1 Acquisition
Objectives:
• Understanding memory (RAM) and volatile data.
• Understanding acquisition techniques for memory forensics.
• Knowing how to dump memory on Windows
12. • Acquisition can be hardware based or software based.
• Hardware based: requires special hardware with DMA capability.
– Firewire (IEEE 1394)
• But here we are talking about software based acquisition.
16. Using Winpmem
Producing a dump in the (compressed) AFF4 format
> winpmem.exe -o imagedump.aff4
Exporting the raw physical memory from the AFF4 image
> winpmem.exe imagedump.aff4 --export PhysicalMemory -o memory.img
17. Vmware Memory Dump
• Applies to an OS running on top of VMware
• To generate a memory dump, suspend the running VM
– This produces a .vmem file
18. VirtualBox Memory Dump
• Applies to an OS running on top of VirtualBox
• Start the VM and use VBoxManage
$ vboxmanage debugvm "GuestVM" dumpguestcore --filename dump.elf