
Acquiring an image of random access memory

The contents of RAM are very important when reconstructing what was previously done on a machine. RAM can contain parts of the running processes themselves, fragments of deleted files, user sessions, and cryptographic keys. With the current spread of complex information security systems built on encryption, recovering their keys has become one of the main tasks of an examination. In protected systems, RAM is often the only place where keys and other temporary but very important information can be found.


Obtaining the information held in RAM consists of two stages: acquisition of the RAM contents, and analysis of the acquired data.

Turning to the first stage, the RAM contents can be acquired in a number of ways: by direct memory access using special expansion cards or a FireWire port, or even by physically removing the memory modules (which requires cooling the modules first, since DRAM loses its contents within seconds at room temperature).

In this article, however, we look at software tools that acquire the RAM contents of protected machines by means of a so-called "warm" reboot into a Live system.

For this task we use a special distribution, Ubuntu CyberPack (IRF) 1.0, consisting of a minimal set of components, namely only those needed to acquire data from memory. Accordingly, it has no graphical interface.

Acquiring the RAM contents this way has advantages and disadvantages compared with the other means listed above.
Pros:
- a Live distribution works regardless of which operating system is installed on the machine under examination;
- no expensive special devices, cables, boards, etc. need to be purchased.
Disadvantage:
- the RAM image will be incomplete: part of memory is overwritten by the data needed to run the Live distribution (approximately 125 MB).

Purpose-built images are available for machines with up to 3 GB of memory (i386) and with more than 3 GB (amd64). They can be written to a bootable CD/DVD-ROM or a bootable USB drive.

Remarks:
- the system gives no second chance: there is only one attempt. If the computer under investigation is rebooted again, it is very likely that the information sought will be gone. It follows that you must not reboot it several times to experiment. Prepare in advance and know how the computer will behave after a reboot.
Most modern computers let you choose the boot device at startup (a boot menu); if this is not the case, configure the machine's BIOS to boot from the CD/DVD drive or USB drive, and then boot the Live distribution from that device.

So let's get started.

Reboot the computer.
IMPORTANT: under no circumstances should this be a cold reboot (pressing the "reset" button or switching the power off and on). The reboot must be performed by the operating system itself (for example, by pressing Ctrl-Alt-Del or by choosing "Reboot" in the system), so that the memory contents survive the restart.

Once the distribution has booted, the user sees the familiar Linux console and brief instructions for launching the module.

Preparing the fmem program consists of executing the following commands:
$ sudo -s
# cd /opt (go to the directory where the program is located)
# ./run-fmem.sh (launch script for the memory acquisition module; it loads the fmem kernel module, which provides the /dev/fmem device used below)

Note: for the next steps you need to mount previously prepared media (an external hard disk or flash drive) with an ext2/3/4 file system, on which the file with the RAM contents will be saved. Mount only this evidence drive; the disks of the machine under examination must not be mounted read-write, or their contents will be altered.

To find out which identifier the system assigned to the attached media, connect it to the computer and enter:
# dmesg | tail
(The command prints the kernel message buffer; we are interested in the most recent entries.)
For example:
[16091.995428] sd 9:0:0:0: Attached scsi generic sg2 type 0
[16091.995996] sd 9:0:0:0: [sdb] 32096120 512-byte logical blocks: (16.4 GB/15.3 GiB)
[16091.998192] sd 9:0:0:0: [sdb] Write Protect is off
[16091.998205] sd 9:0:0:0: [sdb] Mode Sense: 0b 00 00 08
[16091.999433] sd 9:0:0:0: [sdb] No Caching mode page found
[16091.999447] sd 9:0:0:0: [sdb] Assuming drive cache: write through
[16092.003486] sd 9:0:0:0: [sdb] No Caching mode page found
[16092.003495] sd 9:0:0:0: [sdb] Assuming drive cache: write through
[16092.004251] sdb: sdb1
(where "sdb" is the name assigned to the physical drive, and "sdb1" is the name assigned to its logical partition).

Next, mount the drive's logical partition on the /tmp directory of the Live system:

# mount /dev/sdb1 /tmp
(where
"mount" is the command for mounting a device,
"/dev/sdb1" is the device node of the attached drive's logical partition, and
"/tmp" is the directory at which the drive is mounted).

All preparatory steps are complete; proceed to acquiring the RAM contents:

# dd if=/dev/fmem of=/tmp/ram-image.mem bs=1K count=`head -1 /proc/meminfo | awk '{print $2}'`
(where
"dd" is the image creation command,
"if=/dev/fmem" is the data source, namely RAM as exposed by the fmem module,
"of=/tmp/ram-image.mem" writes to the file "ram-image.mem" in the directory "/tmp",
"bs=1K" is the block size, 1 KiB, and
"count=`head -1 /proc/meminfo | awk '{print $2}'`" is the amount of RAM in kB, taken from the first line of /proc/meminfo, MemTotal. The count is required, since dd has no other way to know where physical memory ends. Note that MemTotal is the memory available to the kernel, which is somewhat less than the physically installed amount, so the last few megabytes of physical memory are not included in the image.)

And wait...
On successful completion the command prints a message like this:
521453568 bytes (521 MB) copied, 158.405 s, 3.3 MB/s
(where
"521453568 bytes (521 MB) copied" is the amount of data copied,
"158.405 s" is the time the operation took, and
"3.3 MB/s" is the speed at which it ran).

We now have the machine's RAM contents in the file ram-image.mem on the drive. It can now be processed: extracting parts of running processes, deleted files, information about user sessions, cryptographic keys, and much more. Compute and record a hash of the image (for example with sha256sum) before any analysis, so that later checks can show that it has not been altered.
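The following script wraps the procedure above (mount the evidence drive, size the dump from /proc/meminfo, run dd against /dev/fmem) and adds what the article leaves to the examiner: a hash of the image, copies of the memory maps the size was derived from, and a figure for how much physical memory the MemTotal-sized dump does not cover. This is an added example and not code from the article or from the CyberPack distribution. It assumes that /opt/run-fmem.sh has already been run (so /dev/fmem exists) and that the evidence partition is already mounted at the directory passed as the first argument; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original article): acquisition wrapper around
# the article's dd command.  Assumes /dev/fmem exists (run-fmem.sh was run)
# and that the evidence volume is mounted at $1.

# RAM size as the kernel reports it: MemTotal from /proc/meminfo, in kB.
# The article uses `head -1`; matching the key does not rely on MemTotal
# being the first line.  $1 (optional): a meminfo-format file.
meminfo_kib() {
    awk '/^MemTotal:/ { print $2; exit }' "${1:-/proc/meminfo}"
}

# Exclusive end, in bytes, of the highest "System RAM" range in /proc/iomem.
# MemTotal excludes reserved and kernel-held pages, so a MemTotal-sized dump
# stops short of the last physical pages.  $1 (optional): an iomem-format file.
iomem_end_bytes() {
    max=0
    while IFS= read -r line; do
        case $line in
            *"System RAM"*) ;;
            *) continue ;;
        esac
        range=${line%% :*}             # e.g. "00100000-1fffffff"
        end=$(( 0x${range#*-} + 1 ))   # hex end address -> exclusive end
        if [ "$end" -gt "$max" ]; then max=$end; fi
    done < "${1:-/proc/iomem}"
    echo "$max"
}

# Bytes of mapped physical RAM that a dump of MemTotal kilobytes leaves out.
# $1: meminfo file, $2: iomem file (both optional, default to /proc).
uncovered_bytes() {
    echo $(( $(iomem_end_bytes "$2") - $(meminfo_kib "$1") * 1024 ))
}

# Acquire RAM through /dev/fmem into $1/$2 and write a hash and a record
# of the memory layout next to it.
acquire_ram() {
    dest=$1
    name=${2:-ram-image.mem}
    out="$dest/$name"
    kib=$(meminfo_kib)

    # count= is mandatory: dd cannot tell where physical memory ends.
    # conv=noerror,sync continues (zero-padding) if a block cannot be read
    # instead of aborting and losing everything read so far.
    dd if=/dev/fmem of="$out" bs=1K count="$kib" conv=noerror,sync 2>"$out.dd.log"
    tail -n 1 "$out.dd.log"

    # Integrity record for the case file.
    sha256sum "$out" > "$out.sha256"
    cp /proc/meminfo "$out.meminfo"
    cp /proc/iomem   "$out.iomem"
    printf 'image=%s\nMemTotal_kB=%s\niomem_end_bytes=%s\nuncovered_bytes=%s\n' \
        "$name" "$kib" "$(iomem_end_bytes)" "$(uncovered_bytes)" > "$out.acq.txt"
    cat "$out.acq.txt"
}

# Running this file with a mount point performs the acquisition, e.g.
#   sh acquire-ram.sh /tmp
# Without arguments it only defines the functions.
if [ "$#" -ge 1 ]; then
    acquire_ram "$1" "$2"
fi
```

On the 512 MB machine from the article's dd output (MemTotal 509232 kB, i.e. 521453568 bytes) and a memory map whose last "System RAM" range ends at 0x1fffffff, uncovered_bytes reports 15417344 bytes, about 14.7 MiB, that the MemTotal-sized dump never reads. Whether those pages can be read through /dev/fmem safely is not something the article establishes, so the wrapper keeps the article's count and only records the gap.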

PS
It is also worth noting that all modern systems use swap memory (the so-called "swap file" or "paging file").
The paging file is an addition to the computer's RAM (which holds data for fast delivery to the processor), or rather an extension or continuation of it. When RAM runs short, the system moves data from memory to disk (the so-called secondary memory), where it is stored in the same form.
So for a complete picture in memory analysis, the swap must be obtained as well.
Different operating systems store it in different ways.

In the case of Windows this is usually the file pagefile.sys in the root of the system drive C: (for Win XP and Win 7), and it is simply copied. It is locked while Windows is running, so copy it after booting the Live distribution, with the system partition mounted read-only.

For Linux it is a separate partition on the disk.
For example, the command
sudo fdisk -l /dev/sda
lists all partitions on the disk:
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048    78125055    39061504   83  Linux
/dev/sda2        78125056   117186559    19530752   82  Linux swap / Solaris
/dev/sda3       117186560   625141759   253977600   83  Linux
From this we see that the swap partition is /dev/sda2 (type Id 82).
It too can be copied with the dd command. For example:
dd if=/dev/sda2 of=/media/<path where to write>/linux-swap.dd
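The script below does the Linux part of this step without the examiner reading the partition table by eye: it finds every swap partition in saved fdisk -l output, images it with dd, hashes the image, and checks that the image is exactly as long as the partition table says the partition is, which catches a truncated or mistyped copy. This is an added example and not code from the article; it assumes the evidence volume is mounted at the directory passed as the first argument, and the function names are this example's own. It matches the word "swap" rather than the Id 82 shown in the article so that it also works on GPT disks, where fdisk prints the type as "Linux swap".

```sh
#!/bin/sh
# Added example (not from the original article): locate and image Linux swap
# partitions from `fdisk -l` output.  Assumes the evidence volume is mounted
# at $1.  Alternative to the table lookup: `blkid -t TYPE=swap -o device`.

# Print the device name of every partition whose type mentions swap.
# Covers the MBR label "Linux swap / Solaris" (Id 82) and the GPT label
# "Linux swap".  $1: file holding saved `fdisk -l` output.
swap_partitions_from_fdisk() {
    awk '$1 ~ /^\/dev\// && tolower($0) ~ /swap/ { print $1 }' "$1"
}

# Expected size of a partition in bytes, from its Start/End sector columns.
# The Boot column ("*") is optional, so the sector fields shift by one.
# $1: saved `fdisk -l` output, $2: device, $3: sector size (default 512).
partition_size_bytes() {
    range=$(awk -v dev="$2" \
        '$1 == dev { if ($2 == "*") print $3, $4; else print $2, $3; exit }' "$1")
    [ -n "$range" ] || return 1
    echo $(( (${range#* } - ${range% *} + 1) * ${3:-512} ))
}

# Image one partition into $2/<name>.dd, hash it, and verify its length
# against the partition table.  $1: device, $2: destination dir,
# $3: saved `fdisk -l` output used for the size check.
image_partition() {
    out="$2/$(basename "$1").dd"
    expected=$(partition_size_bytes "$3" "$1") || {
        echo "$1 not found in partition table" >&2; return 1; }
    dd if="$1" of="$out" bs=1M conv=noerror,sync 2>"$out.dd.log"
    sha256sum "$out" > "$out.sha256"
    actual=$(wc -c < "$out")
    if [ "$actual" -ne "$expected" ]; then
        echo "size mismatch for $1: expected $expected bytes, got $actual" >&2
        return 1
    fi
    echo "$out ($actual bytes, sha256 in $out.sha256)"
}

# With a destination directory as argument: save the partition table there,
# then image every swap partition.  Without arguments: only define functions.
if [ "$#" -ge 1 ]; then
    fdisk -l > "$1/fdisk-l.txt"
    for p in $(swap_partitions_from_fdisk "$1/fdisk-l.txt"); do
        image_partition "$p" "$1" "$1/fdisk-l.txt"
    done
fi
```

Run it from the Live system as root (fdisk and raw reads of /dev/sdaN need it), for example `sh image-swap.sh /tmp` after the evidence drive is mounted at /tmp. The saved fdisk-l.txt goes into the case record together with the .dd image, its hash, and the dd log.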

For macOS, copy all the files matching /private/var/vm/swapfile*.

Processing and analysis of the results (both the RAM dump and the swap) can be done manually, for example with a hex editor, or with a number of programs that will be discussed next time.

Source: https://habr.com/ru/post/211749/
