Capturing live memory (the acquisition step of memory forensics) can be a valuable technique for cybersecurity professionals for several reasons. It can help with investigating advanced attacks by revealing hidden processes, network connections and other artifacts, and it can support data recovery by revealing encryption keys, decryption routines or data remnants. Additionally, a live memory capture can help determine the root cause of a security incident by preserving the state of the system at the time of the incident.
Live memory dumps can be very useful in security practice, because they can contain, for example, login credentials to multiple different services. From our perspective, a memory dump is therefore crucial for further analysis of RAM contents.
Let’s start with opening a tool called Ram Capturer. Open the software and select the folder path where our memory dump file will be stored.
In the video, you can see a directory called memoryDumps, which is located on the C drive. And what we need to do next is click Capture! It should capture the memory in a few seconds. Then you can observe that the memory dump has been completed. Now if we go to that folder, we can see that there is a .mem file with today’s date.
It is recommended to rename the file so that its name records the computer’s name, the operating system that was running when the memory dump was taken, and the OS version and build number.
For now, to keep the next steps simple, we will leave the name as it is, which is just today’s date. What we can do now is generate a file hash of this file.
We will do this in PowerShell, using the Get-FileHash command shown in the video. We specify the algorithm, SHA256, and the path, which in our case is C:\memoryDumps.
Get-FileHash -Algorithm SHA256 -Path C:\memoryDumps\20221209.mem
Let’s run the command and see how long we have to wait this time. It will generate the hash of the .mem file. Next, we can check it with CertUtil.exe and see whether the two hashes are the same or different. Remember that when you take a memory dump, it should be saved to an external drive.
In our case, we saved it on the local drive – the C drive. However, in a real environment, the best option is to save it on an external drive.
Once we have the hash value for the memory dump file, we double-check it with CertUtil. Let’s run certutil.exe.
In PowerShell, specify the path of the memory dump file, C:\memoryDumps, and the algorithm that was used, which in our case is SHA256.
certutil.exe -hashfile C:\memoryDumps\20221209.mem SHA256
Let’s see what this command gives us.
We can see what CertUtil returned. As you can see in the video tutorial, the hash from the Get-FileHash command is identical to the hash produced by CertUtil.
The hashes match, which means we can be sure that the hash value is correct and that the file has not been corrupted since it was captured.
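The whole procedure above, hashing the dump with Get-FileHash, cross-checking with certutil.exe, and recording the computer name, OS version and build number that the tutorial recommends, can be put into one script. The following is an added example written for this page; it is not the RAM Capturer tool’s code nor a script from the original episode. It assumes the dump already exists at the tutorial’s path (C:\memoryDumps\20221209.mem; the $DumpPath parameter is a placeholder you can override) and writes a sidecar .txt record next to the dump.

```powershell
# Added example (not from the original tutorial): verify a memory dump's SHA256
# with two independent tools and record acquisition metadata beside the dump.
# Assumption: the dump file already exists at $DumpPath (default is the
# tutorial's path; pass -DumpPath to point at a different file).
param(
    [string]$DumpPath = 'C:\memoryDumps\20221209.mem'
)

if (-not (Test-Path -LiteralPath $DumpPath)) {
    throw "Dump file not found: $DumpPath"
}

# The tutorial advises keeping dumps on an external drive; warn if the dump
# sits on the system drive, where it could be overwritten or alter evidence.
if ((Split-Path -Qualifier $DumpPath) -eq $env:SystemDrive) {
    Write-Warning "Dump is stored on the system drive ($env:SystemDrive); an external drive is preferred."
}

# 1. Hash with the PowerShell cmdlet (same command as in the tutorial).
$psHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $DumpPath).Hash.ToUpperInvariant()

# 2. Hash with certutil.exe (same command as in the tutorial). Its output is a
#    header line, the hash line, and a trailer line. Older Windows versions
#    print the hash with spaces between bytes, so spaces are stripped.
$certOutput = & certutil.exe -hashfile $DumpPath SHA256
if ($LASTEXITCODE -ne 0) {
    throw "certutil.exe failed with exit code $LASTEXITCODE"
}
$certHashLine = $certOutput |
    Where-Object { $_ -match '^[0-9a-fA-F ]+$' } |
    Select-Object -First 1
$certHash = ($certHashLine -replace ' ', '').ToUpperInvariant()

# 3. The two tools must agree; otherwise stop rather than record a bad value.
if ($psHash -ne $certHash) {
    throw "Hash mismatch! Get-FileHash: $psHash  certutil: $certHash"
}

# 4. Collect the metadata the tutorial recommends recording: computer name,
#    OS name, version and build number, plus when the verification ran.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$record = [ordered]@{
    DumpFile     = (Resolve-Path -LiteralPath $DumpPath).Path
    SizeBytes    = (Get-Item -LiteralPath $DumpPath).Length
    SHA256       = $psHash
    ComputerName = $env:COMPUTERNAME
    OSName       = $os.Caption
    OSVersion    = $os.Version
    OSBuild      = $os.BuildNumber
    VerifiedAt   = (Get-Date).ToString('o')
}

# 5. Write the record next to the dump (e.g. 20221209.mem.sha256.txt) so the
#    hash and system details travel with the file.
$recordPath = "$DumpPath.sha256.txt"
$record.GetEnumerator() |
    ForEach-Object { "{0}: {1}" -f $_.Key, $_.Value } |
    Set-Content -LiteralPath $recordPath -Encoding UTF8

Write-Output "Hashes match. Record written to $recordPath"
[pscustomobject]$record
```

Running the script later (for instance after copying the dump to another drive) and comparing the SHA256 line in the sidecar file with a fresh Get-FileHash result is how you confirm the dump is still the same bytes that were captured.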
Thank you for being with us! Hope you enjoyed today’s episode of Hacks Weekly series. Looking forward to the upcoming video!