Data analysing and recovery using the tool

haliber63 16 views 30 slides Jul 18, 2024

About This Presentation

Data recovery and password recovery using a memory dump tool, and that tool is WinHex. We have used this tool, WinHex, to recover the passwords from Chrome so that we can recover the passwords, and in this experiment I have chosen to recover from 10 different laptops, and all the laptops were recoverab...


Slide Content

Revolutionizing Digital Forensics: New Frontiers in Physical Memory Analysis
Presented by: Sushma Tarapatla, MSc Digital Forensics & Information Security, 22-M-DFIS-001

Contents: Abstract, Introduction, Literature review, Materials and methodology, Results, Conclusion, References

Abstract The field of digital forensics is rapidly evolving due to the critical need for advanced tools to capture and analyze physical memory. This memory often holds vital evidence inaccessible by other means, enhancing investigative depth. Recent years have seen increased attention to memory analysis, leading to innovative methodologies for extraction and analysis. These advancements improve investigative accuracy, particularly in accessing password-protected devices. This thesis underscores the importance of physical memory in digital forensics and introduces state-of-the-art approaches shaping the field's future, aiming to enhance investigative practices and support justice.

Introduction The digital forensics community recognizes the urgent need for advanced tools and methods to capture and scrutinize physical memory content, driven by its unique ability to hold volatile evidence crucial for investigations. Recent progress underscores the significance of memory analysis in reconstructing security breaches, identifying malware, and understanding attackers' strategies. Tools like FTK Imager and Volatility enable the acquisition and parsing of memory dumps, revealing hidden processes and aiding in decrypting encrypted data. Moreover, in live response scenarios, memory analysis allows for swift threat mitigation and detection of sophisticated attacks, bolstering investigative capabilities.

Recent developments, including the integration of machine learning and threat intelligence, have further fortified forensic memory analysis, enhancing the precision and efficiency of investigations. Collaborative efforts among researchers, developers, and practitioners are vital for adapting to evolving cyber threats and ensuring the resilience of forensic methodologies. These advancements not only deepen our understanding of digital incidents but also reinforce the community's ability to respond effectively to complex cyber threats, paving the way for more robust forensic practices in the future.

Literature Review Sarmoria and Chapin (2005) introduced the BodySnatcher tool, which injects an independent acquisition operating system into the potentially compromised host operating system kernel. This injected operating system captures snapshots of the host operating system memory. These techniques emphasize preparation before any incident occurs. Carrier and Grand (2004) proposed a method among the few hardware-based memory acquisition techniques that minimally alter memory contents. Utilizing a PCI expansion card, this method dumps memory content to an external device. ManTech's Memory DD (MDD) and Win32dd by Suiche (2008) offer diverse memory acquisition and compression capabilities, providing options for forensic analysts in capturing memory content. WinEn from Guidance Software, part of EnCase Forensic version 6.11 and above, generates memory images with varying levels of compression and specific headers, enhancing data security and integrity.

Betz (2005) developed MemParser for extracting process-related information from Windows memory dumps, contributing to the arsenal of software tools available for memory analysis. KnTList (Garner and R-Mora, 2007) reconstructs the virtual address space of system processes, aiding in understanding system states during forensic investigations. PTFinder (Schuster, 2006) uncovers hidden processes, and Carvey and Kleiman (2007) provided a Perl script tool for reading and translating Windows crash dump files, facilitating the extraction and interpretation of memory contents for forensic analysis. Zhao and Cao (2009) explored memory patterns for sensitive information, addressing the potential for uncovering valuable data through memory analysis techniques. Hejazi et al. (2008) focused on extracting executable and data files from memory images, contributing to the advancement of memory forensics methodologies. Arasteh and Debbabi (2007) scrutinized memory stacks, further extended in this paper's Section 6, which explores stack frame analysis and extraction of sensitive parameters, enhancing our understanding of memory forensics and its application in digital investigations.

Materials and methodology
Materials required: a working laptop; dump files from sample laptops of different companies and models; a forensically licensed WinHex tool.

Methodology
Hypothesis: to see whether sensitive data such as passwords can be extracted from computer 'dump' files using a tool called 'WinHex'.
Why this acquisition? Digital evidence is becoming more predominant in society, so acquisition of data from this evidence will prove more important than material evidence. So in this project I'll try to recover a specific piece of data from the digital evidence.
Collection of data: I searched in my locality to find 10 different laptops of random companies and models and collected the data from them. The research was completed within 15 days.
Methods (acquiring the dump file)

Laptop 1: Lenovo B41
Step 1: Open Facebook in Google Chrome and log in using your credentials.

Step 2: Stay logged in to your account and log out after a minute or two.

Step 3: After logging out, open Task Manager, which can be found on the bottom toolbar of the particular system. In the applications list, right-click the Google Chrome app and click 'Create dump file'. Within a minute a dump file (a user-mode dump of the Chrome process) is created and its file path is shown.

Step 4: Open that dump file using the WinHex tool.

Step 5: Click the 'Find text' option, which can be found on the top bar of the WinHex tool, and type in "password =".

Step 6: Click the OK button to see the results.

Laptop 2: Lenovo Ideapad
Step 1: Open Flipkart in Google Chrome and log in using your credentials.

Step 2: Stay logged in to your account and log out after a minute or two.

Step 3: After logging out, open Task Manager, which can be found on the bottom toolbar of the particular system. In the applications list, right-click the Google Chrome app and click 'Create dump file'. Within a minute a dump file (a user-mode dump of the Chrome process) is created and its file path is shown.

Step 4: Locate the dump file on your PC.

Step 5: Open that dump file using the WinHex tool.

Step 6: Click the 'Find text' option, which can be found on the top bar of the WinHex tool, and type in "password =".

Step 7: Click the OK button to see the results.

RESULTS Results from this study demonstrate WINHEX's effectiveness in extracting sensitive data, such as passwords, from computer dump files. Analysis of dump files from 10 different laptops revealed successful password extraction in all cases, with an average time of 5.5 minutes. This highlights a concerning security risk: sensitive information can be easily accessed from dump files using forensic tools like WINHEX. While extraction times varied across laptops, indicating potential influences from laptop model and company, the consistent high risk of sensitive data exposure underscores the need for enhanced data security practices. Improved encryption methods and secure deletion processes are essential to safeguard sensitive information in digital environments. As digital evidence gains prominence in legal and corporate spheres, the study emphasizes the critical importance of securely managing digital data. It calls for heightened awareness and implementation of robust security measures to mitigate the risk of unauthorized access to sensitive information stored in dump files.
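As an added example that is not part of the deck, the following Python reproduces the search the methodology performs in WinHex (a "password =" string search over a process dump) and the secure-deletion mitigation the results call for, using a constructed stand-in for a Chrome dump; it goes beyond the slides by also matching UTF-16LE strings, which a plain ASCII search misses, and it masks every recovered value instead of printing it.

```python
import re
from dataclasses import dataclass

# The deck's WinHex search string is "password =": match it with optional spaces, and also the
# form-field spelling "password=" that a login POST body leaves behind in process memory.
ASCII_RE = re.compile(rb"password[ \t]*=[ \t]*([^&\s\x00]{1,64})", re.IGNORECASE)

def _wide(literal: bytes) -> bytes:
    """Expand an ASCII literal to UTF-16LE (each byte followed by NUL) for use in a regex."""
    return b"".join(bytes([c, 0]) for c in literal)

# Chrome keeps many strings as UTF-16LE, which a plain ASCII search silently misses.
WIDE_RE = re.compile(_wide(b"password") + rb"(?:[ \t]\x00)*=\x00(?:[ \t]\x00)*"
                     rb"((?:[^&\s\x00]\x00){1,64})", re.IGNORECASE)

@dataclass
class Hit:
    encoding: str     # "ascii" or "utf-16-le"
    value_start: int  # byte offset of the secret inside the dump
    value_end: int
    masked: str       # first character plus asterisks; the report never echoes the secret

def scan_dump(dump: bytes) -> list:
    """Return every 'password = <value>' occurrence in a raw dump, in either encoding."""
    hits = []
    for enc, rx in (("ascii", ASCII_RE), ("utf-16-le", WIDE_RE)):
        for m in rx.finditer(dump):
            value = m.group(1).decode(enc, errors="replace")
            hits.append(Hit(enc, m.start(1), m.end(1), value[:1] + "*" * (len(value) - 1)))
    return hits

def scrub(buf) -> None:
    """Zero a secret in place; only a mutable buffer (bytearray/memoryview) can be scrubbed."""
    for i in range(len(buf)):
        buf[i] = 0

def build_sample_dump() -> bytearray:
    """Constructed stand-in for a Chrome dump: filler, an ASCII POST body, a UTF-16LE copy."""
    filler = bytes(range(256)) * 4
    post_body = b"email=user%40example.com&password=Sup3rSecret!&remember=1"
    wide_copy = "Password = Sup3rSecret!".encode("utf-16-le")
    return bytearray(filler + post_body + filler + wide_copy + filler)

def demo() -> tuple:
    """Hit counts before and after zeroing the secret bytes, as secure deletion would."""
    dump = build_sample_dump()
    before = scan_dump(dump)
    for h in before:
        scrub(memoryview(dump)[h.value_start:h.value_end])
    return len(before), len(scan_dump(dump))
```

The second count in demo() is zero because a buffer that was zeroed after use leaves nothing for the search to find, which is the practical meaning of the "secure deletion" the results recommend.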

Observation table (the user id and password were recovered in every case; the credential values themselves are omitted here)

| Owner name | Laptop company | Model | Password extraction successful? | Account recovered | Time taken for extraction |
|---|---|---|---|---|---|
| Sreerag | Lenovo | B41 | Yes | Facebook | 5 minutes |
| Nidhin | Lenovo | Ideapad S145 | Yes | Flipkart | 7 minutes |
| Hari | HP | 15 Ryzen | Yes | Facebook | 5 minutes |
| George | HP | 14 Ryzen | Yes | Gmail | 5 minutes |
| Gautham | Asus | X507 | Yes | Gmail | 6 minutes |
| Anwar | Dell | Inspiron 5755 | Yes | Gmail | 5 minutes |
| Anandh | Acer | Aspire 3 | Yes | Gmail | 6 minutes |
| Akhil | iBall | Marvel 2 | Yes | Flipkart | 4 minutes |
| Arjun | Acer | Aspire 5s | Yes | Gmail | 5 minutes |
| Abel | Lenovo | V145 | Yes | Flipkart | 7 minutes |

Calculation: the average time taken for extraction is the mean of the individual times: (5+7+5+5+6+5+6+4+5+7)/10 = 55/10 = 5.5 minutes. Password extraction succeeded on all 10 randomly chosen laptops, and the average time taken to extract the password was 5.5 minutes.

Conclusion In conclusion, the field of digital forensics is undergoing significant growth driven by the demand for advanced methods to capture and analyze physical memory content. This thesis emphasizes the vital role of memory-resident information in forensic investigations, highlighting its unique value in uncovering pivotal evidence not accessible through other digital sources. The increased focus on memory acquisition and analysis reflects the potential of physical memory to enhance the reliability and depth of forensic analyses. By introducing new methodologies for memory data extraction and analysis, this work demonstrates how investigators can enhance the accuracy and reliability of their findings. The development of sophisticated forensic tools has greatly improved post-incident analysis, revealing critical evidence, particularly in cases involving password-protected devices where memory dumps can unveil passwords and provide access to comprehensive digital evidence.

Through this thesis, I aim to contribute to the advancement of digital forensics by showcasing the importance of physical memory and introducing innovative approaches shaping forensic investigations. As demand for more advanced forensic methods grows, advancements in memory acquisition and analysis will be crucial in supporting investigators' efforts to uncover truth and ensure justice. This work aims to inspire further research and development in this crucial area, ensuring that forensic practices remain effective in combating evolving cyber threats.

References
- Sarmoria, A., & Chapin, S. (2005). BodySnatcher: a proactive data-gathering tool for detecting malicious code. Digital Investigation, 2(Supplement), 65-72.
- Carrier, B., & Grand, S. (2004). A hardware-based memory acquisition procedure for digital investigations. Digital Investigation, 1(2), 50-60.
- Betz, C. (2005). Windows Memory Forensics: Detecting Kernel-Mode Memory Tampering. Digital Investigation, 2(Supplement), 21-30.
- Zhao, J., & Cao, Y. (2009). Extracting potential sensitive information from memory. In 2009 IEEE International Conference on Communications (pp. 1-5). IEEE.
- Hejazi, S. M., Ghavam, M. S., & Haidarian, S. M. (2008). Memory analysis and data extraction using forensic methods. Journal of Network and Computer Applications, 31(4), 610-622.
- Arasteh, A. R., & Debbabi, M. (2007). Memory forensics: An analysis of memory stack and its applications. In International Conference on Forensics in Telecommunications, Information, and Multimedia (pp. 48-59). Springer, Berlin, Heidelberg.

Thank you