When companies fall victim to a cyberattack, the first thing they do is eliminate the threat. But for cybersecurity investigators, that’s just the first part of their job. Like real-world investigators, cybersecurity experts need to gather and analyze evidence of the attack to improve cybersecurity policies or to present it in court during a hearing. Cyber investigators do their evidence gathering through memory forensics.
What Is Memory Forensics?
Memory forensics is the process of collecting memory dumps and analyzing them for evidence of how a cybercrime happened or to find the origins of a malware breach. This is usually done after a cyberattack, but cybersecurity specialists can also do this as a routine check-up for malicious injections that could be running in the system.
Memory forensics is a way to backtrack events that led to a successful security breach and to help specialists know how to improve their company’s cybersecurity.
What Is Memory Forensics? — How Is Memory Forensics Done?
Memory forensics, also known as memory analysis, can be broken down into three parts: retrieval, analysis, and documentation.
The first part of memory forensics is the retrieval phase. Because all activities done and actions taken in a computer are recorded in the system’s memory, cyber investigators need to retrieve the system memory to see when and where the cyberattack began. It’s like retrieving an airplane’s black box after a crash.
To retrieve the system’s memory, cyber investigators perform a memory dump. This is a procedure where data in a system’s RAM is read and transferred to a storage device. Retrieving RAM data is important, since this is “volatile” data, meaning that it is only retained when the system is on and disappears once the system is turned off.
If there is no cyberattack or breach, memory dumps can help IT specialists understand a crash event and how it happened. There are many kinds of memory dump tools available in the market.
The second phase is memory analysis. This is the part where cyber investigators look through the system’s memory dump for signs of malicious activities. Investigators take memory analysis seriously, and they will search for hidden folders and retrieve deleted or encrypted files.
Memory analysis can take days or months to complete. Retrieved memory dumps are examined using different analyzing tools and software.
The last phase of memory forensics is the documentation phase. All pieces of evidence and significant activities discovered during memory analysis are recorded. Once the collected memory dumps are thoroughly analyzed, investigators take note of every detail of the event and carefully create a report.
This report is then validated by running tests on the system and checking for inconsistencies. After validation, the report is ready for presentation in court and other legal proceedings or to company management to help improve cybersecurity.
No matter how strong a company’s cybersecurity is, they can still be victims of a cyberattack. And when that happens, it’s crucial to know when and how the cyberattack happened so vulnerabilities can be addressed and cybercriminals can be tracked down.
If you’re worried about your cybersecurity, now is a good time to do your own memory forensics to see if you have been compromised.
What You Need to Know About Cloud Forensics
Top 10 Computer Forensics Tools For Analyzing A Breach