Hacks Weekly #56 Ram Capturer

This time we invite you to the 56th Hacks Weekly episode, which focuses on live memory dumps and the RAM Capturer tool. Join us to learn how to perform a live memory dump that can be used in various forensic activities, and how to record its hash so the dump can be trusted later.

Capturing live memory (memory acquisition) is the first step of memory forensics, and it is valuable to cybersecurity professionals for several reasons. A memory image can reveal hidden processes, network connections and other artifacts of advanced attacks that never touch the disk; it can support data recovery by exposing encryption keys, decryption routines or data remnants; and it preserves the state of the system at the time of an incident, which helps when determining the root cause.

Live memory dumps are also useful in everyday security practice because they often contain login credentials for multiple services. For all of these reasons, a clean, verifiable memory dump is the foundation of any further RAM analysis.

Let's start by opening RAM Capturer. Launch the tool and select the folder in which the memory dump file will be stored.

In the video, this is a directory called memoryDumps on the C drive. Next, click Capture! The capture takes a moment (longer on machines with a lot of RAM); when the tool reports that the dump has completed, open the folder and you will find a .mem file named with today's date.

It is recommended to rename the file so that its name records not only the date but also the computer's name, the operating system that was running when the dump was taken, and the OS version and build number. That context is needed later to choose the right OS profile for the analysis tools and to tie the dump to the correct host in the investigation record.

For now, to keep the next steps simple, we leave the name as it is, so the file name is today's date. The next thing to do is generate a hash of this file.

We do this in PowerShell with the Get-FileHash cmdlet, as shown in the video. Specify the algorithm (we use SHA256) and the path of the dump file, in our case under C:\memoryDumps:

Get-FileHash -Algorithm SHA256 -Path C:\memoryDumps\20221209.mem

Run the command; hashing a dump that is several gigabytes in size takes a moment. When it finishes, it prints the SHA256 hash of the .mem file, which we will then check against CertUtil.exe to see whether the two values agree.

Remember that in a real acquisition the memory dump should be written to an external drive. In our case we saved it on the local C drive for convenience, but writing to the target's own disk changes that disk, which matters if the disk itself is evidence, so an external drive is the right choice in a real environment.

Once we have the hash value from Get-FileHash, we double-check it with CertUtil. In PowerShell, run certutil.exe with -hashfile, the path of the file to hash (in our case under C:\memoryDumps) and the algorithm that was used, SHA256:

certutil.exe -hashfile C:\memoryDumps\20221209.mem SHA256

Let's see what this command returns.

As you can see in the video, the hash CertUtil prints is identical to the one from Get-FileHash, so the two tools agree. Note what that does and does not prove: two tools agreeing on the same file only confirms that the digest was computed correctly. What protects the integrity of the evidence is recording this hash at acquisition time, in the case notes or in a file next to the dump, and recomputing it every time the dump is copied, transferred or opened for analysis; a mismatch then tells you the file was altered or corrupted along the way.
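The whole post-capture procedure above (rename the dump to record host and OS details, hash it with Get-FileHash, cross-check with certutil, write the result next to the dump) as one PowerShell script. This is an added example written for this page, not code from the episode or from the RAM Capturer tool; it assumes the dump already exists at the path passed in $DumpPath (ideally on an external drive), and the script name and every other name in it are illustrative.

```powershell
# Added example (not from the episode): finalize a RAM Capturer .mem file after acquisition.
# Assumption: $DumpPath points at the dump RAM Capturer just wrote, e.g. E:\memoryDumps\20221209.mem.
param(
    [Parameter(Mandatory = $true)]
    [string]$DumpPath
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -Path $DumpPath -PathType Leaf)) {
    throw "Dump file not found: $DumpPath"
}

# 1. Rename the dump so the file name records host, OS, version and build,
#    instead of only the date, as the episode recommends.
$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$osCaption = $os.Caption -replace '[^A-Za-z0-9]', ''          # e.g. MicrosoftWindows10Pro
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$newName   = '{0}_{1}_{2}_{3}_{4}.mem' -f $env:COMPUTERNAME, $osCaption, $os.Version, $os.BuildNumber, $stamp
$newPath   = Join-Path -Path (Split-Path -Path $DumpPath -Parent) -ChildPath $newName
Rename-Item -Path $DumpPath -NewName $newName
Write-Host "Dump renamed to: $newPath"

# 2. Hash with Get-FileHash.
$psHash = (Get-FileHash -Algorithm SHA256 -Path $newPath).Hash.ToLowerInvariant()

# 3. Hash independently with certutil. Its output is a header line, the hash and a status
#    line; older Windows versions print the hash with spaces between byte pairs, so strip them.
$certOut = & certutil.exe -hashfile $newPath SHA256
if ($LASTEXITCODE -ne 0) {
    throw "certutil failed with exit code $LASTEXITCODE"
}
$certHash = $certOut | Where-Object { $_ -match '^[0-9A-Fa-f ]{64,}$' } | Select-Object -First 1
if (-not $certHash) {
    throw "Could not find a SHA256 value in certutil output"
}
$certHash = ($certHash -replace '\s', '').ToLowerInvariant()

# 4. The two tools must agree; otherwise stop and investigate before using the dump.
if ($psHash -ne $certHash) {
    throw "Hash mismatch: Get-FileHash=$psHash certutil=$certHash"
}

# 5. Record the hash and acquisition context next to the dump (chain-of-custody sidecar).
$record = [ordered]@{
    File        = $newName
    SizeBytes   = (Get-Item -Path $newPath).Length
    SHA256      = $psHash
    Host        = $env:COMPUTERNAME
    OS          = $os.Caption
    Version     = $os.Version
    Build       = $os.BuildNumber
    HashedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
    HashedBy    = $env:USERNAME
}
$sidecar = $newPath + '.sha256.txt'
$record.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, $_.Value } |
    Set-Content -Path $sidecar -Encoding ASCII

Write-Host "SHA256 $psHash (Get-FileHash and certutil agree); record written to $sidecar"
```

Save it under any name, for example Finalize-MemoryDump.ps1 (an assumed name), and run it as .\Finalize-MemoryDump.ps1 -DumpPath E:\memoryDumps\20221209.mem right after RAM Capturer finishes. To re-verify the dump later, run Get-FileHash on the renamed file and compare the result with the SHA256 line in the .sha256.txt sidecar; any difference means the file you have is not the one that was acquired.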

Thank you for being with us! Hope you enjoyed today’s episode of Hacks Weekly series. Looking forward to the upcoming video!
