DEF CON 26 DATA DUPLICATION VILLAGE - Lior Kolnik - The Memory Remains Cold Drive Memory Forensics
Full disk images introduce large amounts of data into a forensic investigation. Still, certain evidence exists only in memory, especially when dealing with malware or fileless attacks designed to stay entirely in memory and never touch the disk, precisely so that forensic examiners cannot detect or analyze them. Memory forensics is a rapidly growing field, offering many free tools for RAM analysis that uncover important evidence and move a case forward quickly. As it turns out, these tools can also be applied to a cold drive. Because of OS features such as hibernation, paging and swap space, data from memory ends up written to disk and survives even when the machine is powered down. In this session, the presenter will introduce the challenges investigators face when they must rely solely on disk images, in cases where live memory was not captured. The audience will then learn how investigators can still benefit from memory forensics in such cases. The presenter will give a full walkthrough of applying the techniques, discuss their benefits and limitations, and show examples of results.
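The on-disk artifacts the abstract relies on, as an added example that is not from the talk: a small Python triage that recognizes memory-bearing files pulled from a cold disk image by their signatures (Linux swap carries "SWAPSPACE2" in the last 10 bytes of its first 4096-byte page; Windows hiberfil.sys starts with "hibr" on Windows 7 or "HIBR" on Windows 8 and later) and then carves ASCII and UTF-16LE strings from them, the same string scan an analyst would run over a RAM capture. The sample blobs are constructed inline and stand in for files extracted from an image.

```python
import re

PAGE = 4096                                  # Linux swap header occupies one page
SWAP_MAGIC = (b"SWAPSPACE2", b"SWAP-SPACE")  # last 10 bytes of the first page
HIBER_MAGIC = (b"hibr", b"HIBR")             # hiberfil.sys signature at offset 0


def classify_artifact(blob: bytes) -> str:
    """Name the memory-bearing artifact a raw blob looks like, or 'unknown'."""
    if len(blob) >= PAGE and blob[PAGE - 10:PAGE] in SWAP_MAGIC:
        return "linux-swap"
    if blob[:4] in HIBER_MAGIC:
        return "windows-hiberfil"
    return "unknown"


def carve_strings(blob: bytes, min_len: int = 8) -> list:
    """Carve printable ASCII and UTF-16LE runs, as a memory string scan does.

    Paged-out and hibernated memory keeps the same in-RAM encodings, so wide
    (UTF-16LE) strings from Windows processes are carved alongside ASCII ones.
    """
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    found = [s.decode("ascii") for s in ascii_runs]
    found += [s.decode("utf-16-le") for s in wide_runs]
    return found


def triage(files: dict) -> dict:
    """Map each extracted file name to (artifact type, carved strings)."""
    return {name: (classify_artifact(blob), carve_strings(blob))
            for name, blob in files.items()}


def build_samples() -> dict:
    """Constructed sample blobs (not real artifacts) for running the triage."""
    swap = bytearray(PAGE)
    swap[PAGE - 10:PAGE] = b"SWAPSPACE2"
    swap += bytes(64) + b"https://example.invalid/login" + bytes(64)
    hiber = bytearray(b"HIBR") + bytes(252)
    hiber += "explorer.exe".encode("utf-16-le") + bytes(32)
    return {"swap.img": bytes(swap), "hiberfil.sys": bytes(hiber),
            "random.bin": bytes(512)}


if __name__ == "__main__":
    for name, (kind, strings) in triage(build_samples()).items():
        print(f"{name}: {kind} -> {strings}")
```

On a real image the same functions are fed the extracted hiberfil.sys, pagefile.sys or swap partition; hiberfil.sys is compressed beyond its header, so carving it meaningfully requires decompressing it with a dedicated tool first.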