Extracting digital evidence using memory imaging and bulk extractor
In this quick post we are going to extract useful information from a raw memory image. This method can help you find digital evidence on a suspect's computer.
This post is not beginner friendly, so you need to know some concepts such as memory imaging. In short, memory imaging is the process of making a bit-by-bit copy of RAM.
Why memory Imaging
Your computer's memory stores a lot of information, and the information that can be recovered from a disk image can also be recovered from memory. This helps an investigator extract a lot of sensitive information, such as runtime system activity, stored passwords, and the commands and processes that were executed recently.
Why Bulk Extractor
Bulk Extractor is a really useful open source tool. It ignores the file system structure, can scan disk images, memory images, etc., and can extract email addresses, URLs, credit card details and more. This can give an investigator a good lead in an investigation and can also help a malware analyst obtain indicators of compromise.
In this step we have to do memory imaging, which means I am going to capture the RAM in its running state.
There are lots of ways to dump memory, but I am going to use DumpIt, which you can get from here.
Now, to dump the memory (memory imaging), go to the directory where you have stored DumpIt and run the program as an administrator.
Above, it shows the location where it is going to save the memory image in .raw format. After pressing yes, it will start capturing the memory and dump it to the mentioned destination. The time it takes depends on the size of the RAM: the more memory, the longer it takes.
Extracting the data
After getting the memory dump, it's time to fetch the data from it. For this I am going to use Bulk Extractor. There are two ways to use Bulk Extractor: the command line interface and the graphical interface.
You can download Bulk Extractor from here (graphical interface), and for the command line interface you can get it from here.
After the memory dump you should have a RAW image to investigate. It looks like the picture below.
I am going to use the graphical interface of Bulk Extractor for extracting evidence. Start Bulk Extractor, go to the Tools menu and select Run bulk extractor.
Now select your RAW image file, and make sure to select which plugins (scanners) you want to run on the right side. Besides the default options, you can also select the Facebook option to check what Facebook activity the user had in their browser.
Now select your memory image and an output directory and choose Submit Run.
Bulk Extractor has now started parsing the image; depending on the memory size, the scan will take some time to complete.
Once the scan is complete you should see the files extracted by Bulk Extractor in your output directory.
Start Bulk Extractor and select the XML file, which should be inside your output folder, together with the memory image file.
In the screenshot below I have selected Domain from the options, and we can see the website thehiddenwiki.org, which was opened by the user; on the image side we can see the exact URL that was opened at that time.
There are other Twitter URLs which we can see on the image side of Bulk Extractor (you can click to enlarge the image).
You can also extract phone numbers and see where they were entered on the memory image side.
There is lots of other information and data which can be extracted using Bulk Extractor. I have used a memory image, but you can also use a disk image or a virtual machine image for data carving or recovery.
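To make concrete what Bulk Extractor is doing when it sweeps a RAM dump regardless of file system structure and reports URLs, domains, email addresses and phone numbers with the offset where each was found, here is a small bulk_extractor-style scan written for this post. It is an added example, not code from the original post or from the bulk_extractor project: the "memory image" is a constructed byte buffer mixing text fragments with binary junk, the regular expressions are deliberately simple stand-ins for the real scanners, and the output layout (offset, feature, context, tab-separated, plus a histogram) is modelled on the feature files bulk_extractor writes to its output directory.

```python
"""
Added example (not from the original post or the bulk_extractor project):
a miniature bulk_extractor-style feature scan over a constructed memory
image. Like bulk_extractor it ignores any file-system structure and simply
sweeps the raw bytes for patterns, recording each hit with its byte offset
and a little surrounding context. Sample bytes, URLs, addresses and the
phone number below are constructed test data, not real evidence.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Simplified stand-ins for three of bulk_extractor's scanners (assumption:
# the real scanners are more thorough; these only illustrate the idea).
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(rb"(?<!\d)\+?\d{3}[-. ]\d{3}[-. ]\d{4}(?!\d)")

# Constructed sample "memory image": browser/application fragments
# interleaved with binary junk, as they would be in a real RAM dump.
SAMPLE_IMAGE = (
    b"\x00\x00MZ\x90\x00" * 4
    + b"GET https://thehiddenwiki.org/wiki/Main_Page HTTP/1.1\r\n"
    + b"\xff\xfe\x00\x13garbage"
    + b"https://twitter.com/example_user/status/1234567890"
    + b"\x00" * 16
    + b"From: investigator@example.com\r\n"
    + b"\x01\x02\x03call 555-123-4567 now"
    + b"\x00" * 8
    + b"https://twitter.com/other_user"
)


@dataclass(frozen=True)
class Feature:
    offset: int   # byte offset of the hit inside the image
    kind: str     # "url", "domain", "email" or "phone"
    value: str    # the matched feature, decoded as text
    context: str  # bytes around the hit, non-printables shown as '.'


def _context(image: bytes, start: int, end: int, width: int = 8) -> str:
    """Return printable context around [start, end), like a hex viewer's text column."""
    lo, hi = max(0, start - width), min(len(image), end + width)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in image[lo:hi])


def scan_image(image: bytes) -> list[Feature]:
    """Sweep the raw bytes for every pattern; the file system is never consulted."""
    found: list[Feature] = []
    scanners = (("url", URL_RE), ("email", EMAIL_RE), ("phone", PHONE_RE))
    for kind, pattern in scanners:
        for m in pattern.finditer(image):
            value = m.group().decode("ascii", errors="replace")
            ctx = _context(image, m.start(), m.end())
            found.append(Feature(m.start(), kind, value, ctx))
            if kind == "url":
                # A domain feature is derived from each URL; this is what
                # the "Domain" view in the post is built on.
                host = urlsplit(value).hostname or ""
                if host:
                    found.append(Feature(m.start(), "domain", host, ctx))
    return sorted(found, key=lambda f: (f.offset, f.kind))


def feature_file_lines(features: list[Feature], kind: str) -> list[str]:
    """Render one feature type in feature-file style: offset, feature, context."""
    return [f"{f.offset}\t{f.value}\t{f.context}" for f in features if f.kind == kind]


def histogram(features: list[Feature], kind: str) -> list[tuple[str, int]]:
    """Counts per feature value, most common first, like a *_histogram file."""
    counts = Counter(f.value for f in features if f.kind == kind)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    feats = scan_image(SAMPLE_IMAGE)
    for kind in ("url", "domain", "email", "phone"):
        print(f"== {kind} ==")
        print("\n".join(feature_file_lines(feats, kind)))
    print("== domain histogram ==")
    for host, n in histogram(feats, "domain"):
        print(f"{n}\t{host}")
```

The offset in each record is what lets a viewer jump to the exact bytes in the image, which is how the GUI shows the full URL next to a selected domain; the context column is the same idea in miniature, and the domain histogram is what makes a site that was visited repeatedly stand out.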
Some points to remember
During disk imaging or capturing live memory, make sure you have a write blocker enabled. Do not install any tools on the victim machine; use an external drive to capture the memory or disk image.
For creating a disk image you will need external storage of exactly the same size as the victim machine's hard disk.
To capture memory from an external drive you can use Belkasoft RAM Capturer.