Memory Forensics is a very important part of Cyber Forensics/Digital Forensics. In Memory Forensics we do not analyse the entire Hard Disk for Malware. Rather we analyse the Physical or Virtual Memory of a Computer System for Malware already running on the System.
This not only saves lots of time, energy and costs but also takes care of those Malware that run in “Memory Alone”. Modern Malware are written keeping in mind the Digital Forensics Practices that can detect them.
Traditionally, Forensics was mainly confined to Dead/Offline Forensic Analysis of the image of a Hard Disk or Media. However, Malware writers used more sophisticated Codes and Tools to circumvent Forensics Methods. One such method was to use and run the Malware in Memory alone. This has the advantage for Malware users as the moment a Computer System is shut off, the evidence of Malware abuse is almost gone.
The only viable option seems to be to analyse the Malware when the Computer System is still on and running as at that time the Malware are still present in the Memory. There are many Open Source Software to do this job and Individuals/Firms/Companies are investing their time and resources to get Memory Forensics Expertise.
Perry4Law and Perry4Law Techno Legal Base (PTLB) recommend adoption and use of Memory Forensics along with other forms of Digital Forensics. Further, Perry4Law and PTLB also recommend maintaining a “Chain of Custody” and “Standard Operating Procedure” while engaging in all forms of Digital Forensics.
This is important to make the Evidence extracted through Digital Forensics “Admissible” in a Court of Law. Many times Evidence acquired through Digital Forensics is challenged in Courts and is declared “Inadmissible” by the Court.
Perry4Law and PTLB believe that the “Best Practice” in this regard is to engage in Digital Forensics, including Memory Forensics, by considering it as a part of a Court Proceedings. Once the concerned Digital Forensics/Memory Forensics has been undertaken, it must be shown to and discussed with a good Techno Legal Lawyer/Law Firm who can understand the intricacies of Digital Forensics and suggest the “Best Method” to get it “Admissible” in the Courts.
If the acquired “Digital Evidence” is ultimately declared “Inadmissible” by the Court, there is no use of engaging in such Digital Forensics/Memory Forensics.
This not only saves lots of time, energy and costs but also takes care of those Malware that run in “Memory Alone”. Modern Malware are written keeping in mind the Digital Forensics Practices that can detect them.
Traditionally, Forensics was mainly confined to Dead/Offline Forensic Analysis of the image of a Hard Disk or Media. However, Malware writers used more sophisticated Codes and Tools to circumvent Forensics Methods. One such method was to use and run the Malware in Memory alone. This has the advantage for Malware users as the moment a Computer System is shut off, the evidence of Malware abuse is almost gone.
The only viable option seems to be to analyse the Malware when the Computer System is still on and running as at that time the Malware are still present in the Memory. There are many Open Source Software to do this job and Individuals/Firms/Companies are investing their time and resources to get Memory Forensics Expertise.
Perry4Law and Perry4Law Techno Legal Base (PTLB) recommend adoption and use of Memory Forensics along with other forms of Digital Forensics. Further, Perry4Law and PTLB also recommend maintaining a “Chain of Custody” and “Standard Operating Procedure” while engaging in all forms of Digital Forensics.
This is important to make the Evidence extracted through Digital Forensics “Admissible” in a Court of Law. Many times Evidence acquired through Digital Forensics is challenged in Courts and is declared “Inadmissible” by the Court.
Perry4Law and PTLB believe that the “Best Practice” in this regard is to engage in Digital Forensics, including Memory Forensics, by considering it as a part of a Court Proceedings. Once the concerned Digital Forensics/Memory Forensics has been undertaken, it must be shown to and discussed with a good Techno Legal Lawyer/Law Firm who can understand the intricacies of Digital Forensics and suggest the “Best Method” to get it “Admissible” in the Courts.
If the acquired “Digital Evidence” is ultimately declared “Inadmissible” by the Court, there is no use of engaging in such Digital Forensics/Memory Forensics.
No comments:
Post a Comment