Memory analysis is an essential part of digital forensic investigations. A memory image acquired while the target computer is running can contain important data, such as passwords and encryption keys, that allows forensic examiners to access encrypted hard drives, files, emails, and other electronic evidence.
This data is lost when the system is shut down or restarted. To preserve this vital information in the memory image, use forensically sound memory acquisition practices. The best option, if you have administrative privileges, is to run a memory imager tool on the live system. If this is not an option, use a warm-boot method: the system is restarted without being powered off, and special software loaded during the boot process captures the RAM contents. It is also essential to minimize the acquisition’s digital footprint, so the software should run from an external USB drive and occupy as little memory as possible.
With the introduction of UEFI, the successor of the traditional BIOS, earlier bootable memory acquisition tools stopped working. The Secure Boot capability used by Windows requires every application loaded during the boot process to be signed and verified before it is allowed to run.
Passware introduces a memory imager that works on Secure Boot-enabled systems. The Passware imager runs from a bootable USB drive and acquires memory images from Windows, Linux, and Mac computers.
The overall steps of the volatile memory acquisition process with the Passware Bootable Memory Imager are:
- Create a bootable USB with the Passware Bootable Memory Imager;
- Perform warm-boot and acquire a memory image;
- Analyze the acquired memory image for encryption keys and other artifacts.
Detailed guidelines on using the Passware Bootable Memory Imager are listed on the Passware Knowledge Base, organized by computer type.
Usually, there is only one chance to perform the warm boot correctly and acquire the volatile memory image. What if something goes wrong during the boot process? Problems range from a password-protected BIOS or a failure to boot from the USB drive to an incorrect key combination for forcing the warm boot. In any of these cases, the system restarts normally and overwrites most of the memory, erasing all the critical data.
By following the steps above correctly, digital forensic specialists can access the crucial data stored in computer memory — information that is not accessible in any other way.
We would love to hear how easy it was to capture a memory image using the Passware Bootable Memory Imager and how the “Memory Analysis” option worked for you. Please share your feedback and suggestions with us!