OS and Memory Forensics (Live and Dead Acquisition)

Rohit Ray
19 min read · Sep 5, 2023


Hey there!! It’s me, back again with a new blog. Today I’m going to share some interesting stuff with you: a write-up about OS and Memory Forensics (Live and Dead Acquisition).

If you’re ready, let’s get started with our task.

The Commence:

Overview:

OS: An operating system (OS) is a program that, after being initially loaded into the computer by a boot program, manages all of the other application programs in a computer. An operating system brings powerful benefits to computer software and software development. Without an operating system, every application would have to include its own UI and all of the code needed to handle low-level functionality of the underlying computer, such as disk storage, network interfaces, and so on. An operating system provides three essential capabilities: it offers a UI through a CLI or GUI; it launches and manages application execution; and it identifies and exposes system hardware resources to those applications, typically through a standardized API.

Although the fundamental roles of an operating system are ubiquitous, there are countless operating systems that serve a wide range of hardware and user needs.

General-purpose operating system

The common desktop operating system includes the following:

1. Windows

2. Mac OS

3. Linux

Mobile Operating system

1. Google Android

2. Apple iOS

Embedded operating system

1. Linux

2. Symbian (cell phone)

Network operating system

1. Microsoft Windows Server

2. Novell NetWare

Real-time operating system

1. FreeRTOS

2. VxWorks

Memory Forensic:

Memory forensics (also known as memory analysis) is the study of volatile data found in a computer’s memory dump. Memory forensics is used by information security specialists to examine and identify assaults or harmful actions that leave no identifiable trails on hard disk data.

Memory forensics can provide unique insight into runtime system activity, including open network connections and recently executed commands or processes. Network connections, account credentials, chat messages, encryption keys, running processes, inserted code fragments, and non-cacheable internet history are just a few examples of essential data relevant to attacks or threats that live solely in system memory.

Malware that resides only in your system’s RAM is tough to detect with traditional network and endpoint protection tools. Traditional security systems examine networks, email, CD/DVD, USB drives, and keyboards as input sources, but they cannot analyze volatile data stored in memory. These technologies are realistic solutions for safeguarding ROM, BIOS, network storage, and external hard drives against infection.

Memory forensics provides complete details of executed commands or processes, insights into runtime system activity, information about open network connections, and lots more. Let’s have a look at some of the best memory forensic tools available out there.

1. Volatility

2. BlackLight

3. FTK Imager

4. Autopsy

5. ExifTool

Windows Registry Forensic

Overview

Registry:

The registry or Windows registry is a database of information, settings, options, and other values for software and hardware installed on all versions of Microsoft Windows operating systems. When a program is installed, a new subkey is created in the registry. This subkey contains settings specific to that program, such as its location, version, and primary executable.

Registry Editor isn’t a program you download. Instead, it can be accessed by executing regedit from the Command prompt or the search or Run box from the start menu.

When Windows was first introduced (e.g., Windows 3.11), it mainly relied on .ini files to store the configuration and settings for Windows and Windows apps. Although .ini files are still occasionally used, most Windows programs rely on registry settings created during installation.

The Windows Registry Editor can be used to inspect and make changes to the Windows Registry. You can use the Registry Editor to inspect all of the registry’s keys and values, as well as alter any Windows, application, or driver values that you think are relevant.

During the inspection of the Registry hives and keys, you can find a wealth of really important information. Windows Registry forensic examination can be used to obtain information on recently visited web pages and opened documents as well as linked USB devices and a variety of other artifacts. (Hope 2019)

There are five root keys in the Windows Registry (also known as hives). When you initially start the Registry Editor, these root folders are displayed on the left side, and all keys beneath them are collapsed.

HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG

Windows Registry — Overall System Hives

Path: %WinDir%\System32\Config

Figure 1. Overall Registry Hives

The registry can be accessed both on a live system and offline. You’ll need to know where the registry files are stored if you’re working offline. The majority of the files are located in the %WinDir%\System32\Config directory. DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM are the registry hives, and the files are named after the registry subkeys they hold. On a live system, these files appear under the HKEY_LOCAL_MACHINE hive as its SAM, SECURITY, SOFTWARE, and SYSTEM subkeys. The system setup, startup files, machine configuration, and other default settings are all stored in HKEY_LOCAL_MACHINE.

HKEY_LOCAL_MACHINE\SYSTEM, comprising hardware and service configuration, is stored in the SYSTEM hive. It will also show you the majority of the raw device names for the system’s volumes and drives, including USB keys.

All local user accounts and groups are kept in the SAM hive. HKEY_LOCAL_MACHINE\SAM is where you will find it on your computer.

Amcache.hve

Path: %WinDir%\AppCompat\Programs

Figure 2. Amcache.hve

The AMCACHE.HVE file first appeared in Windows 8 and was later added to Windows 7 through an update. This hive supports the Windows internal application compatibility feature, which allows older executables from previous versions of the operating system to run. From a forensic standpoint, it keeps track of execution evidence.

Backup Hives

Path: %WinDir%\System32\Config\RegBack

Figure 3. Registry Backup Hives

Every 10 days, the RegIdleBackup scheduled task runs. It copies the SAM, DEFAULT, SYSTEM, SOFTWARE, and SECURITY hives into the %WinDir%\System32\Config\RegBack directory. This occurs only on Vista, Win 7, Win 8, Server 2008, Server 2012, and Server 2016 machines. Although not immediately useful, this can be an interesting location to look for residual data that might have been cleared from the current hives.

It’s also worth noting that it doesn’t back up the users’ local NTUSER.DAT hives.

User Registry Hives

%UserProfile%

NTUSER.DAT

Path: C:\Users\<username>\NTUSER.DAT

Figure 4. NTUSER.DAT

Each user of the system has their own hive. It can be used to track the files that have been used recently, the most recent files the user searched for on the hard drive, and the URLs the user typed into the browser recently.

The NTUSER.DAT hive stores all of the user’s keys. HKEY_CURRENT_USER is where you’ll find it on your PC.

USRCLASS.DAT

Path: C:\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT

Figure 5. USRCLASS.DAT

Windows 7–10 systems have an additional hive located at C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat. This hive is very important because it contains additional program execution information and lets us tell which folders a user has opened or closed.

The UsrClass.dat hive’s main purpose is to hold the virtualized registry root for User Account Control (UAC). A key exists for every registered filename extension. The UAC virtualized registry is found in the VirtualStore key.

Windows Registry contains five root folders

Figure 6. Windows Registry contains five root folders

Registry root keys (hive names)

The Windows Registry Editor root keys contain all registry values when you first start it. A summary of each of the most frequent root keys, as well as the values stored in each, is provided below.

Table 1. Brief Summary of each of the most frequent keys

Data carving using Bulk Extractor (make a replica of a hard disk drive (.dd file) and carve the drive)

Overview

File Carving:

A forensic approach for reassembling files in unallocated space is known as data carving or file carving. Data carving allows you to find and recover files and other objects by looking at the contents of a disk rather than the metadata and file structure. Data carving interacts with two types of unallocated drive spaces: Unused disk space and reused disk space.

While both of these types of space are seen as free space by the system, the second type may still contain file data despite the lack of metadata that can be used to locate files. Data carving is the only approach that effectively retrieves data in this circumstance. For file recovery, there are a variety of data carving tools available, including TestDisk, EnCase, FTK, Foremost, Scalpel, etc.

File carving tools look for file headers (the initial few bytes of a file) when trying to retrieve data. In addition to headers, they can use file sizes calculated from the header, maximum or preset file sizes (for specific file formats), and file footers (the last few bytes of a file). The most common data carving challenges are related to a lack of information on the size of the file that needs to be recovered.

A carving tool must first define where a file begins within the studied space before retrieving it. This is a simple process: the carving algorithm goes over the disk sector by sector, seeking file type markers, and determines whether a given fragment resembles the start of a file of a known format. To extract the file appropriately, however, the tool has to know its exact size, so for each file format it must also be able to parse the file header and determine the original file size.

FTK imager:

FTK imager is open-source software by Access Data that is used for creating accurate copies of the original evidence without actually making any changes to it. The Image of the original evidence remains the same and allows us to copy data at a much faster rate, which can be preserved and analyzed further.

The FTK imager also provides you with the inbuilt integrity checking function which generates a hash report which helps in matching the hash of the evidence before and after creating the image of the original Evidence.

Figure 7. Creating an image using FTK imager

In this above figure, I have created the image named “Rohit.004” using the FTK imager tool in Windows for data Carving using the Bulk extractor tool in Kali Linux to recover the deleted or damaged files.

Data carving is used to recover files that have been lost or destroyed as a result of missing or corrupt directory entries. The extent to which such files can be fully recovered is determined by the severity of the directory entry corruption. In some circumstances, missing files can only be restored in pieces.

Bulk Extractor:

Bulk extractor is a tool that extracts information from digital evidence files such as email addresses, credit card numbers, URLs, and other forms of data. It’s an effective forensic investigation tool for a variety of activities, including malware and intrusion investigations, identity and cyber investigations, picture analysis, and password cracking.

Bulk extractor extracts relevant information from disk images, files, or a directory of files without analyzing the file system or file system structures. One or more scanners process the input, which is divided into pages. The results are saved in feature files that can be reviewed, parsed, and processed using various automated tools.

Figure 8. Digital media triage with bulk analysis and bulk extractor

Data Carving Using Bulk Extractor

Figure 9. Data Carving Using Bulk Extractor

In the above screenshot, I have performed data carving on the image named “Rohit.004” using the Bulk Extractor tool in Kali Linux. It extracts information from digital evidence files such as email addresses, credit card numbers, URLs, and other forms of data. After extracting the file, I found the MD5 of the disk image and the email features.

Information extracted during data carving using the Bulk Extractor tool

Figure 10. Email histogram
Figure 11. Domain histogram
Figure 12. Telephone Histogram

In the above figure, I have found different information from digital evidence such as email addresses, URLs, Telephone histograms, domain histograms, and other forms of data after extracting from the file named “Rohit.004” using Bulk Extractor in Kali Linux.
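As an added illustration of the Bulk Extractor workflow described above (scan raw pages without parsing the file system, write feature files, build histograms), the Python below is my own example, not code from the post or from the bulk_extractor project. It scans a constructed raw image page by page with a margin so that a feature straddling a page boundary is still recovered whole; the page size, margin, regexes and sample bytes are assumptions.

```python
import re
from collections import Counter

PAGE = 4096    # scan unit
MARGIN = 256   # overlap read past the page so a feature split across pages is still whole

# Assumed, simplified scanners; bulk_extractor's real scanners are far more thorough.
SCANNERS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9.-]+(?:/[^\s\"'<>]*)?"),
    "telephone": re.compile(rb"(?:\+?\d{1,3}[-. ])?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}"),
}


def scan(image):
    """Walk the raw bytes page by page, ignoring any file system structure.
    Returns {scanner: {absolute_offset: feature_bytes}}."""
    features = {name: {} for name in SCANNERS}
    for start in range(0, len(image), PAGE):
        chunk = image[start:start + PAGE + MARGIN]
        for name, rx in SCANNERS.items():
            for m in rx.finditer(chunk):
                if m.start() < PAGE:  # matches starting in the margin belong to the next page
                    features[name][start + m.start()] = m.group()
    return features


def histograms(features):
    """Per-scanner counts like email_histogram.txt, plus a domain histogram derived
    from the email and URL features (domain_histogram.txt)."""
    hist = {name: Counter(v.lower() for v in feats.values())
            for name, feats in features.items()}
    domains = Counter()
    for v in features["email"].values():
        domains[v.split(b"@", 1)[1].lower()] += 1
    for v in features["url"].values():
        domains[re.match(rb"https?://([^/]+)", v).group(1).lower()] += 1
    hist["domain"] = domains
    return hist


def feature_file_lines(feats):
    """Feature-file style output: absolute offset, a tab, then the feature."""
    return [f"{off}\t{val.decode('latin-1')}" for off, val in sorted(feats.items())]


def build_sample_image():
    """Constructed raw image: three pages of zeros with artefacts written into
    unallocated space; one email deliberately straddles the page 0/1 boundary."""
    img = bytearray(3 * PAGE)

    def put(off, data):
        img[off:off + len(data)] = data

    put(100, b"From: alice@example.com To: bob@example.com")
    put(900, b"visit https://example.com/login and https://intranet.example.org/")
    put(PAGE - 6, b"carol@example.com")
    put(2 * PAGE + 40, b"call +1-555-123-4567 or 555-123-4567")
    put(2 * PAGE + 500, b"alice@example.com")
    return bytes(img)


if __name__ == "__main__":
    hist = histograms(scan(build_sample_image()))
    for name, counter in hist.items():
        print(name, counter.most_common())
```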

Foremost:

Foremost is a forensic program to recover lost files based on their headers, footers, and internal data structures. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.

Sample of .dd image

Figure 13. Sample of .dd file

In the above figure, I have downloaded a sample of .dd image named “Graphic.dd” for analysis with the help of the foremost tool in Kali Linux to recover lost files based on their headers, footers, and internal data structures.

Data Carving using Foremost

Recovered Files

Figure 14. Data Carving using Foremost

In the above figure, I have analyzed the sample named “Graphic.dd” with the help of the Foremost tool. After extracting the given sample, I have a folder on the Desktop in which I found two different files, i.e. a JPG and a PNG file, and also an “audit.txt” file where the information about the extraction of the sample is stored.
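The header/footer carving described in the File Carving and Foremost sections, as an added example that is not the post’s or Foremost’s own code: it checks each sector boundary of a constructed image for a known header, computes a PNG’s length from its chunk structure, finds a JPEG’s end by footer search, skips a truncated file whose footer is gone, and prints an audit.txt-style summary. The signatures, sector size, size limit and sample bytes are assumptions.

```python
import hashlib
import struct
import zlib

SECTOR = 512
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPG_HEADER = b"\xff\xd8\xff"
JPG_FOOTER = b"\xff\xd9"


def build_png(width=1, height=1):
    """Construct a small but valid 8-bit grayscale PNG (constructed sample data)."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte + row
    return (PNG_MAGIC + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def png_size(image, off):
    """PNG carries its own structure: walk the chunk list (length, type, data, CRC)
    until IEND and return the exact file length, or None if the image ends first."""
    pos = off + len(PNG_MAGIC)
    while pos + 8 <= len(image):
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        pos += 8 + length + 4
        if pos > len(image):
            return None
        if ctype == b"IEND":
            return pos - off
    return None


def jpg_size(image, off, max_size):
    """JPEG has no length field, so search for the EOI footer within max_size."""
    end = image.find(JPG_FOOTER, off + len(JPG_HEADER), off + max_size)
    return None if end == -1 else end + len(JPG_FOOTER) - off


def carve(image, max_size=8 * 1024 * 1024):
    """Check each sector boundary for a known header (files normally start on a
    cluster boundary) and recover those whose size can be determined.
    Returns (recovered, skipped); each entry is a dict describing the hit."""
    recovered, skipped = [], []
    for off in range(0, len(image), SECTOR):
        if image.startswith(PNG_MAGIC, off):
            ftype, size = "png", png_size(image, off)
        elif image.startswith(JPG_HEADER, off):
            ftype, size = "jpg", jpg_size(image, off, max_size)
        else:
            continue
        if size is None:  # header without a usable end marker: truncated file
            skipped.append({"type": ftype, "offset": off})
            continue
        data = image[off:off + size]
        recovered.append({"type": ftype, "offset": off, "size": size,
                          "md5": hashlib.md5(data).hexdigest(), "data": data})
    return recovered, skipped


def audit_lines(recovered, skipped):
    """Summary lines in the spirit of Foremost's audit.txt: offset, type, size, hash."""
    lines = [f"{r['offset']:>10} {r['type']:>4} {r['size']:>8} {r['md5']}" for r in recovered]
    lines += [f"{s['offset']:>10} {s['type']:>4}  skipped: footer not found" for s in skipped]
    return lines


def pad(blob):
    """Pad to the next sector boundary, as a file system allocating clusters would."""
    return blob + b"\x00" * (-len(blob) % SECTOR)


def build_sample_image():
    """Constructed stand-in for a .dd image: slack, one PNG, one JPEG stub
    (valid SOI/APP0 header and EOI footer only), and one truncated JPEG."""
    png = build_png(4, 2)
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 700 + JPG_FOOTER
    truncated = b"\xff\xd8\xff\xe1" + b"\x22" * 300  # footer lost
    return pad(b"\x00" * 1024) + pad(png) + pad(jpg) + pad(truncated)


if __name__ == "__main__":
    rec, skip = carve(build_sample_image())
    print("\n".join(audit_lines(rec, skip)))
```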

RAM Dump Analysis Using Volatility (Examine the sample binary file to show different artefacts like OS, network status, command line history, users, etc.)

Memory Dump analysis:

A memory dump is the process of dumping all of the information in RAM to a storage disk.

Memory dumps are widely used by developers to capture diagnostic information during a crash to aid in troubleshooting and learning more about the incident. The information obtained from the memory dump can be used to assist programmers in the correction of problems in operating systems and other programs.

In Microsoft operating systems, memory dumps are encountered in the blue screen of death errors. While the percentage of memory written to storage increases, the faults display some basic suggestions, information, and a faulting module. (Contributor 2016)

Volatility:

Volatility is an open-source memory forensics framework for malware analysis and incident response.

Volatility is the most popular memory forensics platform in the world. One of the largest and most active communities in the forensics field is behind the project. Volatility also offers a one-of-a-kind platform that allows cutting-edge research to be quickly transferred to digital investigators. As a result, Volatility has been used in some of the most important investigations in the last ten years.

Figure 15. Sample of the memory dump file

In the above figure, the folder named “volatility_2.6_win64_standalone” contains a sample memory dump named “memorydump.bin”. With the help of this sample, I have examined the binary file to show different artefacts like OS, network status, command line history, users, etc.

Examination of the sample binary file to show different artefacts

OS:

An operating system (OS) is a software program that connects a computer user to its hardware. An operating system is a piece of software that manages files, manages memory, manages processes, handles input and output, and controls peripheral devices like disk drives and printers, among other things.

The Linux Operating System and the Windows Operating System are the two of the most widely used operating systems.

Figure 16. Image info

Network Status:

A status network depicts the whole document processing cycle, from the beginning of a phase to its completion, for example from document generation to release. Network status can also have a major impact on device performance: overburdened Wi-Fi channels, faulty network hardware, and inefficient network infrastructure are all common challenges for smart devices.

Figure 17. Network Status

Users:

A user is the name given to an account that can log into a computer or service. People who visit the Computer Hope forums, for example, are termed users or members. User accounts are used by any computer, service, or program with multiple accounts to offer each user their permissions, settings, and other data that is not accessible to other users.

Figure 18. Users of System

Command line history:

CMD is an acronym for Command. Command prompt, or CMD, is the command-line interpreter of Windows operating systems. It is similar to Command.com used in DOS and Windows 9x systems called “MS-DOS Prompt”.

The command prompt is a built-in feature of the Windows operating system that allows users to run commands to execute tasks. To interact with the user, the command prompt uses the command-line interface.

In the above figure, I have examined the sample binary file to show different artefacts like OS, network status, command line history, and users, using the sample named “memorydump.bin” in the command line interface.

OS event and log management (use tools like OS Forensic, Event log explorer, Log parser, Helix etc) to show the different logs of the Windows operating system

Overview

OS event:

An OS event is used to synchronize OS tasks. Extended tasks can suspend their execution without terminating by waiting for OS events. Each task continues when a specific OS event is set. Basic tasks cannot use OS events.

The system’s Event logs serve as the primary source of evidence in a forensic inquiry because the operating system logs all system operations. An investigator can use Windows/Linux Event Log analysis to create a timeline based on the logging data and observed artefacts.

The data that must be logged is determined by the audit features that are enabled, which implies that event logs can be disabled with administrative access. The Event logs catch a lot of data from a forensic standpoint.

Log Management: Log management refers to the set of procedures and rules that govern and facilitate the generation, transmission, analysis, storage, archiving, and eventual disposal of significant amounts of log data generated by an information system.

A log, in a computing context, is the automatically produced and time-stamped documentation of events relevant to a particular system. Virtually all software applications and systems produce log files. Effective log management is essential to both security and compliance. Monitoring, documenting, and analyzing system events is a crucial component of security intelligence.

Many of the operations are automated with log management software. For example, an event log manager (ELM) monitors changes in an organization’s IT infrastructure. Audit trails that must be provided for a compliance audit reflect these modifications.

In this task, I have used tools such as OSForensics, Log Parser, and Event Log Explorer to show the different logs of the Windows operating system.

OS forensic:

Operating System Forensics is the process of retrieving useful information from the operating system (OS) of the PC or mobile device in question. The aim of collecting this information is to accumulate empirical evidence against the perpetrator.

An understanding of an OS and its file system is important for recovering data in computer investigations. The file system provides an OS with a roadmap to data on the hard disk and defines how the disk drive stores data. Many file systems have been introduced for various operating systems, such as FAT, exFAT, and NTFS for Windows operating systems (OSs), and Ext2fs or Ext3fs for Linux OSs.

Showing different Logs of Windows System with the help of OS forensic

Figure 20. Log analysis using OS forensic

In the above figure, I have analyzed the System, Application, and Service logs of Windows with the help of the OSForensics tool, from which I obtained different information stored in these logs on my computer system. Through these logs, we can solve different types of cybercrime cases.

Log parser:

Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files, and CSV files, as well as key data sources on the Windows operating system such as the Event log, the registry, the file system, and Active Directory.

System.evtx

OSession.evtx

Application.evtx

Security.evtx

Figure 21. Log analysis using log parser

In the above figure, I have analyzed the logs of my Windows system such as “System.evtx”, “Security.evtx”, “Application.evtx” and “OSession.evtx” in the command line interface with the help of the Log Parser tool. With the help of this tool, I have found different information in the logs of my Windows system.

Event log Explorer:

Event Log Explorer is a useful piece of software for viewing, analyzing, and tracking occurrences in Microsoft Windows event logs. The study of event logs is substantially simplified and accelerated with Event Log Explorer (security, application, system, setup, directory service, DNS, and others).

Event Log Explorer extends the regular Windows Event Viewer with a slew of new capabilities. Users who have tried Event Log Explorer see it as a superior solution to Windows Event Viewer that helps double their productivity.

System.evtx

Setup.evtx

Application.evtx

ODiag.evtx

Figure 22. Log analysis using Event Log Explorer

In the above figure, I have analyzed the logs of my Windows system such as “System”, “Application”, and “Setup”, in which different useful information is stored, with the help of the Event Log Explorer tool.

Finding:

While working on the OS and Memory Forensic lab report, I employed graphical user interface (GUI) tools as well as command line tools like Bulk Extractor, OSForensics, Log Parser, Volatility, etc. With the help of the Bulk Extractor tool, I extracted information such as email addresses, credit card numbers, URLs, and other forms of data from the image which I created with FTK Imager from a pen drive. Then, in the registry part, I showed the overall registry hives such as SAM, SECURITY, SYSTEM, and SOFTWARE. After that, I used log analysis tools such as Log Parser and OSForensics to find different information from the system. I also used the Volatility tool for RAM dump analysis and examined the sample binary file to show different artefacts like OS, command line history, and users.

Conclusion:

In the Conclusion Section, I have concluded that with the help of a bulk extractor tool, we can perform Data carving and extract some information such as email addresses, credit card numbers, URLs, and other forms of data even after the file is damaged or deleted. In addition, I have used some of the GUI-based tools such as OS forensics to find out information from the log from the system. Furthermore, I have downloaded a sample for RAM Dump analysis using the volatility tool and examined some binary files to show different artefacts like OS and users.

That’s all for this blog, I hope you guys enjoyed this form of learning. ❤

Till then keep learning, keep exploring, and do hacking…

Resources:

1. Bigelow, S. (2021) What Is An Operating System (OS)? Definition, Types, And Examples — Whatis.Com [online] available from <https://whatis.techtarget.com/definition/operating-system-OS> [8 August 2021]

2. Lord, N. (2020) What Are Memory Forensics? A Definition Of Memory Forensics [online] available from <https://digitalguardian.com/blog/what-are-memory-forensics-definition-memory-forensics> [8 August 2021]

3. Hope, C. (2019) What Is The Windows Registry? [online] available from <https://www.computerhope.com/jargon/r/registry.htm> [8 August 2021]

4. Carroll, O. and Lee, R. (2018) Windows Forensic Analysis [online] Maryland, USA. available from <https://www.sans.org/cyber-security-courses/windows-forensic-analysis/> [8 August 2021]

5. Kukoba, A. (2020) How to Recover Lost or Deleted Files with Data Carving [online] available from <https://www.apriorit.com/dev-blog/694-windows-how-to-recover-files-with-data-carving> [8 August 2021]

6. Chandel, R. (2020) Comprehensive Guide On FTK Imager [online] available from <https://findanyanswer.com/goto> [8 August 2021]

7. Bulk-Extractor Package Description (n.d.) available from <https://tools.kali.org/forensics/bulk-extractor> [8 August 2021]

8. Foremost Package Description (n.d.) available from <https://tools.kali.org/forensics/foremost> [8 August 2021]

9. Contributor, T. (2016) What Is Memory Dump? — Definition From Whatis.Com [online] available from <https://whatis.techtarget.com/definition/memory-dump> [8 August 2021]

10. Volatility Foundation (n.d.) available from <https://www.cybersecurityintelligence.com/volatility-foundation-4365.html> [8 August 2021]

11. Operating System — Overview — Tutorialspoint (n.d.) available from <https://www.tutorialspoint.com/operating_system/os_overview.htm> [8 August 2021]

12. Definition Of A Status Network — SAP Documentation (n.d.) available from <https://help.sap.com/doc/d1e8e4535dd4414de10000000a174cb4/3.6/en-US/d6d8e452c021ee2de10000000a423f68.html#:~:text=A%20status%20network%20represents%20the,a%20document%20to%20its%20release> [8 August 2021]

13. Ahmad, A. and Legeard, B. (2018) Network Status — An Overview | Sciencedirect Topics [online] available from <https://www.sciencedirect.com/topics/computer-science/network-status> [8 August 2021]

14. Pedamkar, P. (n.d.) What Is CMD? | How To Access Windows Command And Its Usage [online] available from <https://www.educba.com/what-is-cmd> [8 August 2021]

15. Hope, C. (2021) What Is A User? [online] available from <https://www.computerhope.com/jargon/u/user.htm> [8 August 2021]

16. OS Event — Automotive Wiki (n.d.) available from <https://automotive.wiki/index.php/OS_event#:~:text=An%20OS%20event%20is%20used,tasks%20cannot%20use%20OS%20events> [8 August 2021]

17. Wigmore, I. (2016) What Is Log Management? — Definition From Whatis.Com [online] available from <https://searchitoperations.techtarget.com/definition/log-management> [8 August 2021]

18. Introduction To Operating System Forensics (n.d.) available from <https://info-savvy.com/> [8 August 2021]

19. Microsoft Download Center: Windows, Office, Xbox & More (n.d.) available from <https://www.microsoft.com/en-us/download/details.aspx> [8 August 2021]

20. Labs, F. (2021) Windows Event Log Analysis Software, View And Monitor System, Application And Security Event Logs — Fspro Labs [online] available from <https://eventlogxp.com> [8 August 2021]

You can follow me on Social Media:

Linkedin: https://www.linkedin.com/in/rohit-ray-19284b232/

GitHub: https://github.com/rohit273

Twitter: https://twitter.com/RHittttt

Instagram: https://www.instagram.com/ro_hit.exe/

Please follow and subscribe for more awesome upcoming blogs.

Bye until Next time.
