RAM Analysis



Random-access memory (RAM) is a form of computer data storage. Today, it takes the form of integrated circuits that allow stored data to be accessed in any order (i.e., at random). “Random” refers to the idea that any piece of data can be returned in a constant time, regardless of its physical location and whether it is related to the previous piece of data. (Wikipedia Definition)

A great deal of information can be found in RAM: email conversations, email addresses, chat records, web pages, URLs, user names, terms typed into search engines, and so on. Some of it lingers for a long time; I have recovered email conversations and URLs from well in the past. This article covers basic techniques for dumping and analyzing RAM.

So, let's get our hands dirty… 🙂


Step 1: RAM Acquisition

There are several ways to capture physical memory (RAM): hardware devices, crash dumps, and software acquisition tools. In this post I will cover the software method, using the command-line tool MDD (Memory DD). You can download MDD from this link.

Two things to keep in mind before you run it. First, MDD 1.3 dates from 2008 and targets the 32-bit Windows XP/2003/Vista generation; on current 64-bit Windows you will want a maintained acquisition tool instead (WinPmem, DumpIt and similar), but the workflow below is the same. Second, anything you run on the live machine overwrites some of the RAM you are trying to preserve, so run the tool from removable media, write the image to a drive other than the one under investigation, and record the MD5 the tool prints so you can later prove the image you analyze is the one you acquired.

Open a command prompt (as an administrator; the tool needs a kernel driver to read physical memory) and run mdd_1.3.exe -h to list the available options.


C:\Documents and Settings\Administrator\Desktop\RAM>mdd_1.3.exe -h
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.

mdd ManTech Physical Memory Dump Utility

Usage:

mdd <-o OUTPUTFILE> [-qvcw]

-o OUTPUTFILE output file for dump
-q quiet; no output except on error
-v verbose; output offsets of failed mappings
-c redistribution conditions for GPL
-w warranty information for GPL

C:\Documents and Settings\Administrator\Desktop\RAM>





To dump physical memory, run mdd_1.3.exe -o D:\RamDump.img, where D:\RamDump.img is the path and file name of the image (here on a separate drive, not the system disk being examined).


C:\Documents and Settings\Administrator\Desktop\RAM>mdd_1.3.exe -o D:\RamDump.img
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.

-> Dumping 3317.88 MB of physical memory to file 'D:\RamDump.img'.

849254 map operations succeeded (1.00)
123 map operations failed

took 939 seconds to write
MD5 is: 4fa719129198f8a360a9469b624bda7f

C:\Documents and Settings\Administrator\Desktop\RAM>

A few things worth reading off this output. Each map operation is one 4 KB page (849254 + 123 pages × 4096 bytes is exactly the 3317.88 MB reported), so the 123 failures are individual physical pages the tool could not read, typically ranges reserved for hardware rather than ordinary program memory; run with -v if you want their offsets. The run took about 15 minutes for 3.3 GB, during which the machine stays live, so do not touch it. And the MD5 on the last line is the value you verify the image against before, and after, every analysis session.




Step 2: RAM Analysis

Now we have the physical memory dumped to a file. If it were a crash dump, we could load it straight into the Windows debugger (WinDbg) and use its commands to walk the kernel structures. MDD writes a raw image, not the crash dump format, so instead I will show one of the most basic analysis techniques: searching the image for useful strings.

So we will extract all the strings from the image and save them to another file using the Strings utility from Sysinternals. You can download this tool from this link.

Open a command prompt and run Strings.exe D:\RamDump.img > Output.txt


C:\Documents and Settings\Administrator\Desktop\RAM>Strings.exe D:\RamDump.img > Output.txt





By default Strings reports both ASCII and Unicode (UTF-16) strings of at least three characters, which on a multi-gigabyte image produces an enormous, noisy text file. Raising the minimum length with -n 6 cuts most of the junk, -o prefixes each hit with its offset in the image (useful when you later want to carve the surrounding bytes), and -accepteula suppresses the license prompt so the command can be scripted.

Now you can use any text editor to view and search the contents of Output.txt; I prefer Notepad++. Search for strings such as "www.", "@", and "?q=" (search-engine queries) to find useful information about the person who used the computer. I found lots of email conversations, email addresses and URLs on my own PC. Try it out and post your comments.
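The two steps above (verify the image against the MD5 that MDD printed, then pull strings out of the raw dump and hunt for "@", "www." and "?q=") can be done in a small script instead of by hand in Notepad++. The following is an added example, not code from the original post or from the MDD or Sysinternals tools; it re-implements the relevant part of Strings (printable ASCII runs plus UTF-16LE runs, the encoding Windows uses internally) and runs the same searches with regular expressions so the hits are de-duplicated and reported by class. The memory image it scans is a small constructed byte string, not a real dump, and the temporary file path is an assumption of the demo.

```python
"""Added example: verify a raw RAM image and search it for forensic artefacts.
Not part of the original post. SAMPLE_IMAGE is constructed for an offline run."""
import hashlib
import mmap
import os
import re
import tempfile
from typing import Iterator, Tuple

MIN_LEN = 6  # shortest string to report; Sysinternals Strings defaults to 3

# One pattern per artefact class the post searches for by hand in Notepad++.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+|www\.[A-Za-z0-9.-]+\.[A-Za-z]{2,}[^\s\"'<>]*")
QUERY_RE = re.compile(r"[?&]q=([^&\s\"'<>]+)")  # the q= parameter of a search URL


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash the image in 1 MB chunks so a multi-GB dump never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path: str, expected_md5: str) -> bool:
    """Compare with the MD5 the acquisition tool printed; a mismatch means the
    image was altered or truncated after acquisition and must not be trusted."""
    return md5_of_file(path) == expected_md5.lower()


def extract_strings(data, min_len: int = MIN_LEN) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for runs of printable characters.
    ASCII: bytes 0x20-0x7E. UTF-16LE: the same characters each followed by 0x00.
    `data` may be bytes or an mmap, so whole images can be scanned without reading them in."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_run.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_artifacts(data) -> dict:
    """Run the artefact patterns over every extracted string and de-duplicate the hits."""
    found = {"emails": set(), "urls": set(), "queries": set()}
    for _offset, _encoding, text in extract_strings(data):
        found["emails"].update(EMAIL_RE.findall(text))
        found["urls"].update(URL_RE.findall(text))
        found["queries"].update(QUERY_RE.findall(text))
    return {name: sorted(hits) for name, hits in found.items()}


def scan_file(path: str) -> dict:
    """Memory-map the image so the regex scan works on gigabyte-sized dumps."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_artifacts(mm)


# Constructed stand-in for a memory image: filler bytes around a few ASCII and
# UTF-16LE fragments of the kind the post finds in a real dump.
SAMPLE_IMAGE = (
    b"\x00\x8a\x17" + b"From: alice@example.org\r\nTo: bob@example.net\r\n"
    + b"\x00" * 16 + b"GET /search?q=memory+forensics HTTP/1.1\r\nHost: www.example.com"
    + b"\x00\xff" * 8 + "https://www.example.com/login?user=carol".encode("utf-16le")
    + b"\x01\x02\x03"
)


def demo() -> Tuple[bool, dict]:
    """Write the sample image to a temporary file (assumed writable), check it against
    the hash an acquisition tool would have logged, then scan it. Returns (verified, hits)."""
    logged_md5 = hashlib.md5(SAMPLE_IMAGE).hexdigest()  # stands in for the MD5 MDD printed
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_IMAGE)
        verified = verify_image(path, logged_md5)
        hits = scan_file(path) if verified else {}
    finally:
        os.remove(path)
    return verified, hits


if __name__ == "__main__":
    ok, artefacts = demo()
    print("image verified:", ok)
    for kind, values in artefacts.items():
        print(kind, values)
```

Against a real image you would call verify_image with the MD5 from the MDD output and then scan_file on the dump; note that, exactly like Strings, a line break terminates a string, so a multi-line email body surfaces as several separate hits and you will want to carve around the reported offsets to reassemble it.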
