Introduction to Memory Forensics (Full Lecture Video)

  • Added 16. 08. 2023
  • #cryptology, #cryptography, #cryptanalysis
    In this video, you get an introduction to memory forensics. It contains a theoretical part, where you learn about digital forensics and memory forensics. After that, the video contains a practical part, where we extract and then analyze the content of a Windows machine's memory for malware using the memory forensics framework "Volatility 3".
    The video is based on a German "test lecture" I gave some months ago (in 2022). I thought the introduction could also be interesting for the viewers of this channel (and everyone else interested in digital forensics), so I made a video out of it :-). Thus, this introduction is a translation of that particular lecture I gave.
    Tools (links) mentioned in the video:
    - Volatility foundation: www.volatilityfoundation.org/
    - Volatility GitHub repo: github.com/volatilityfoundati...
    - Kali Linux: www.kali.org/
    - Belkasoft Live RAM Capturer: belkasoft.com/ram-capturer
    Literature shown at the end of the video:
    - Ligh, Michael Hale, et al. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons, 2014.
    - Moustafa, Nour. Digital Forensics in the Era of Artificial Intelligence. CRC Press, 2022.
    - BSI. Leitfaden IT-Forensik. (German) www.bsi.bund.de/dok/6620610 Version 1.0.1, 2011.
    - The "Windows Internals" books of Mark E. Russinovich and Pavel Yosifovich (and others)
    - Interpol. GUIDELINES FOR DIGITAL FORENSICS FIRST RESPONDERS - Best practices for search and seizure. 2021
    If you are interested in learning the fundamentals of cryptology, let me invite you to have a look at our video series about the basics of cryptology, also for beginners: • Basics of Cryptology -...
    You can download the latest version of CrypTool 2 from here: www.cryptool.org/en/ct2/downl...
    Visit my blog: www.kopaldev.de
    Join the Discord server: / discord
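
The practical part of the video analyzes a Windows memory image for malware with Volatility 3. One of the first checks an analyst runs on the process listing is whether each core Windows process has the parent it should have. The script below is an added example by the editor (not code from the video, from CrypTool or from the Volatility project): it parses a listing in the column layout of `windows.pslist`, using a constructed sample, and applies a short, editor-written set of lineage rules (svchost.exe under services.exe, services.exe and lsass.exe under wininit.exe, smss.exe under System, and only one wininit/services/lsass instance).

```python
"""Parent/child sanity checks over a Volatility 3 ``windows.pslist`` listing.

Added example by the editor; not code from the video, CrypTool or the
Volatility project.  SAMPLE_PSLIST is CONSTRUCTED to mimic the tab-separated
layout of ``vol.py -f <image> windows.pslist``; the lineage rules are a short
summary of well-known Windows process relationships, not the video's material.
"""

# Constructed sample; only the first three columns (PID, PPID, ImageFileName)
# are used by the checks.  Two anomalies are planted: PID 2100 and PID 2300.
SAMPLE_PSLIST = """
Volatility 3 Framework 2.5.0
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0xfa8000c9e040\t85\t500\tN/A\tFalse\t2023-08-16 10:00:00.000000 \tN/A\tDisabled
400\t4\tsmss.exe\t0xfa80018f2b30\t2\t29\tN/A\tFalse\t2023-08-16 10:00:01.000000 \tN/A\tDisabled
500\t400\tcsrss.exe\t0xfa8001a0e060\t9\t400\t0\tFalse\t2023-08-16 10:00:02.000000 \tN/A\tDisabled
560\t400\twininit.exe\t0xfa8001a10b30\t3\t75\t0\tFalse\t2023-08-16 10:00:02.000000 \tN/A\tDisabled
640\t560\tservices.exe\t0xfa8001a5a060\t8\t200\t0\tFalse\t2023-08-16 10:00:03.000000 \tN/A\tDisabled
652\t560\tlsass.exe\t0xfa8001a60b30\t7\t600\t0\tFalse\t2023-08-16 10:00:03.000000 \tN/A\tDisabled
780\t640\tsvchost.exe\t0xfa8001b00060\t10\t350\t0\tFalse\t2023-08-16 10:00:04.000000 \tN/A\tDisabled
1200\t640\tsvchost.exe\t0xfa8001b80b30\t14\t420\t0\tFalse\t2023-08-16 10:00:05.000000 \tN/A\tDisabled
1500\t1490\texplorer.exe\t0xfa8001c00060\t30\t900\t1\tFalse\t2023-08-16 10:01:00.000000 \tN/A\tDisabled
2100\t1500\tsvchost.exe\t0xfa8001c80b30\t2\t40\t1\tFalse\t2023-08-16 10:05:00.000000 \tN/A\tDisabled
2300\t2400\tlsass.exe\t0xfa8001d00060\t1\t20\t1\tFalse\t2023-08-16 10:06:00.000000 \tN/A\tDisabled
"""

# Editor's rule table: image name -> the parent image it should have.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# Processes of which exactly one instance is expected on a host.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}


def parse_pslist(text):
    """Return {pid: {"pid", "ppid", "name"}} from pslist-style text.

    Header, banner and blank lines are skipped because their first two
    whitespace-separated fields are not integers."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue
        pid, ppid, name = int(fields[0]), int(fields[1]), fields[2]
        procs[pid] = {"pid": pid, "ppid": ppid, "name": name}
    return procs


def find_anomalies(procs):
    """Return sorted (pid, name, reason) tuples for lineage violations."""
    findings = []
    by_name = {}
    for p in procs.values():
        by_name.setdefault(p["name"].lower(), []).append(p)

    for p in procs.values():
        name = p["name"].lower()
        want = EXPECTED_PARENT.get(name)
        if want is None:
            continue  # no rule for this image name
        parent = procs.get(p["ppid"])
        if parent is None:
            findings.append((p["pid"], name,
                             f"parent PID {p['ppid']} not in listing (expected {want})"))
        elif parent["name"].lower() != want:
            findings.append((p["pid"], name,
                             f"parent is {parent['name']} (PID {parent['pid']}), expected {want}"))

    for name in SINGLETONS:
        instances = by_name.get(name, [])
        if len(instances) > 1:
            pids = sorted(p["pid"] for p in instances)
            findings.append((pids[0], name,
                             f"{len(pids)} instances ({pids}); expected exactly one"))
    return sorted(findings)


def triage(text):
    """Parse a pslist listing and return its anomalies."""
    return find_anomalies(parse_pslist(text))


if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE_PSLIST):
        print(f"PID {pid:>5} {name:<14} {reason}")
```

Run on the constructed sample this reports the svchost.exe spawned by explorer.exe (PID 2100), the second lsass.exe (PID 2300) whose parent is absent from the listing, and the duplicate-lsass condition itself. On a real image, `windows.pslist` only walks the active process list; pairing the same checks with `windows.psscan` output catches unlinked processes as well, and a hit is a lead for closer inspection, not proof of malware.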

Comments • 10

  • @slowfllake 10 months ago +2

    Fantastic introduction to memory forensics! Nice mixture of theory and practical application. Looking forward to more videos

  • @primedivine 10 months ago +3

    Thank you for another great presentation! I believe that the content is relevant to the field. I had no idea that the RAM temperature would affect the persistence in a significant way.

    • @CryptographyForEverybody 10 months ago +1

      Thank you :-)
      Yes, when you cool down memory cells, the time the data remains can be increased. Also see the Wikipedia article: en.wikipedia.org/wiki/Cold_boot_attack
      Greetings,
      Nils

    • @phelan8385 10 months ago +2

      I also found this very interesting

  • @timetraveller6643 10 months ago

    Hallo Nils
    There is an aspect of the Beaufort Cipher that is driving me bonkers. The (English) Wikipedia page explains that there are 676 (26x26) possible triplets but only 126 are unique.
    This has me puzzling; how to calculate the number of unique triplets in a Beaufort square of arbitrary size (N Squared), and if the number of triplets is so limited, does that mean this method is less secure than using modulo addition even when using a one-time-pad?
    example:
    In a grid of 0-9 (10x10), there are only 22 unique triplets out of 100 cells.
    009, 117, 225, 333, 577
    018, 126, 234, 379, 667
    027, 135, 298, 388
    036, 144, 469, 559
    045, 199, 478, 568
    Many possible triplets are absent;
    112, 235, 864, ...
    Is this a weakness in using Beaufort over modulo in one time pads?
    If not, then why not reduce it to the minimum?
    123, 456, 789, 0=0
    My head hurts.
    Thank you -- Molly J.

    • @CryptographyForEverybody 10 months ago +1

      Hiho,
      First I had no clue what you are writing about.... but ok, I had a look at the English Wikipedia :-). en.wikipedia.org/wiki/Beaufort_cipher
      They refer to the idea that you have a triplet, e.g. ABC, which means: you encrypt A with B and get C, you decrypt C with B and get A, you encrypt B with C and you get A, etc. So all these three letters form a "triplet". When you know two of them, you can deduce the 3rd letter, since these triplets are unique. This is based on the reciprocal nature of the Beaufort cipher. So every possible two-letter combination is part of a unique triplet.
      The question is now how to obtain the total number of such triplets having a reciprocal cipher with a table size of n? Also, how to compute the 126 with a "standard Beaufort".
      Good question(s), but I have no idea :-)
      This is probably something that could be discussed/evaluated more in-depth in our discord server: discord.gg/tyjbTDt6
      Greetings,
      Nils
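
As an added example (editor's code, not from the video, CrypTool 2 or either commenter), the script below works through the triplet question. Every triplet Molly lists for the 0-9 grid sums to 9 mod 10 (009, 117, 333, 577, ...), while the absent ones (112, 235, 864) do not, so the square is modelled here with the rule c = (n - 1 - a - b) mod n; that this is how her grid was laid out is an assumption. Under that rule encrypting any member of a triplet with another as key gives the third, which is the reciprocal property described in the reply, and the brute-force count reproduces 22 for n = 10 and 126 for n = 26. The closed form counts unordered triplets with Burnside's lemma over the three-letter permutations and answers the "how to compute the 126" question for any n.

```python
"""Count the reciprocal "triplets" of a Beaufort-style square of size n.

Added example by the editor, not from the video, CrypTool or the commenters.
ASSUMPTION: the listed 0-9 triplets all satisfy a + b + c == 9 (mod 10), so
the square is modelled as c = (n - 1 - a - b) mod n (a tabula recta written
with a reversed alphabet).  Letters are integers 0..n-1.
"""
from itertools import product
from math import gcd


def beaufort(x, key, n):
    """Encrypt (and, being reciprocal, decrypt) one symbol under the assumed rule."""
    return (n - 1 - x - key) % n


def triplets(n):
    """All unordered triplets {a, k, c} reachable from the n*n cells of the square."""
    found = set()
    for a, k in product(range(n), repeat=2):
        found.add(tuple(sorted((a, k, beaufort(a, k, n)))))
    return found


def count_triplets_closed_form(n):
    """Number of multisets {a, b, c} of Z_n with a + b + c == n - 1 (mod n).

    Burnside's lemma over S_3 acting on the n^2 ordered solutions:
      identity fixes all n^2; each of the 3 transpositions fixes the n
      solutions with two equal symbols (2a + c == n - 1 has one c per a);
      each of the 2 three-cycles fixes the solutions of 3a == n - 1, of
      which there are gcd(3, n) if gcd(3, n) divides n - 1, else 0.
    """
    g = gcd(3, n)
    fixed_by_3cycle = g if (n - 1) % g == 0 else 0
    return (n * n + 3 * n + 2 * fixed_by_3cycle) // 6


def is_reciprocal_triplet(t, n):
    """Any two members, one as text and one as key, produce the third."""
    a, b, c = t
    return (beaufort(a, b, n) == c and beaufort(b, c, n) == a
            and beaufort(c, a, n) == b)


def key_is_bijective(n):
    """One-time-pad sanity check: for each key the plaintext->ciphertext map is
    a permutation, and for each (plaintext, ciphertext) pair exactly one key
    fits.  The small triplet count therefore does not shrink the key space or
    bias ciphertexts compared with modular addition."""
    for k in range(n):
        if len({beaufort(x, k, n) for x in range(n)}) != n:
            return False
    for x, c in product(range(n), repeat=2):
        if sum(1 for k in range(n) if beaufort(x, k, n) == c) != 1:
            return False
    return True


if __name__ == "__main__":
    for n in (10, 26):
        print(f"n={n}: {len(triplets(n))} unique triplets "
              f"(closed form {count_triplets_closed_form(n)}) out of {n * n} cells")
    print("one key per (plaintext, ciphertext) pair for n=26:", key_is_bijective(26))
```

When 3 does not divide n the closed form simplifies to (n + 1)(n + 2) / 6, which gives 22 for n = 10 and 126 for n = 26; for a 27-symbol square the three-cycle term vanishes and the count is 135. On the security question in the comment: the 22 or 126 figure counts unordered sets of cells, not keys or ciphertexts. `key_is_bijective` shows that with a uniformly random one-time key every ciphertext symbol is equally likely for every plaintext symbol, exactly as with modular addition, so the triplet structure is a symmetry of the table rather than a weakness of the pad.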

  • @shahnwazafzal9694 10 months ago

    Can you tell me how to calculate throughput, encryption time, decryption time, and efficiency of a stream cipher?

    • @CryptographyForEverybody 10 months ago

      Hiho, CrypTool 2 is not suited and intended for benchmarking. For that purpose, dedicated frameworks exist 🙂. Greetings, Nils

  • @shahnwazafzal9694 10 months ago

    Sir, how can we calculate gate equivalents (GE) for an LW stream cipher?

    • @CryptographyForEverybody 10 months ago

      Hiho,
      Sorry, but I am not an expert on hardware implementations of modern ciphers, nor on modern (lightweight) stream ciphers. If I were you, I would go for a book (and/or papers: search on scholar.google.com) especially on that particular topic. I assume there are standard methods for converting code/hardware descriptions of a cipher into gates :-)
      Kind regards,
      Nils