The importance of acquiring and forensically analyzing RAM has been an exciting discovery in the digital forensics world. With a growing interest in RAM analysis, many tools have been developed to capture this volatile memory. Dumpit, RAM Capturer, and WinPmem, just to name a few, are all tools that can capture the live RAM of a system. While there are many programs out there to capture and analyze RAM, it is still a new technique that has not been perfected. RAM is very delicate as it is volatile and must be handled in a certain way. Even when handled properly, there are many limitations. One of the limitations is running a RAM capture executable on a locked computer, as you cannot run executables from a locked screen. The purpose of this project is to take RAM capturing a step further and attempt to find solutions to capture RAM from a computer that is powered on and was logged in, but is now locked.
Because the thing keeping us from capturing the RAM on a locked computer is the password we don’t know; if we moved the RAM to a computer with a known password we have control over, we can run the DumpIt executable that can do a RAM capture. DumpIt by MoonSols is a fusion of two trusted tools, win32dd and win64dd, put into an easy to use program.Inspired by previous work done by researchers at Princeton, we first decided to look into solutions using a cold boot attack. This cold boot attack involves freezing the RAM while it is still powered on, to retain the memory, before cutting power. Check out what they have done with it in the past here!
We decided to make a test RAM sample using Kingston KVR 1333D3N9K2 4G sticks of RAM, because that is what we had available to us at the lab. We turned on the computer and opened up a few programs: notepad, MS paint, and calculator. We then opened up the computer case, and used a can of compressed air held upside down to spray the RAM to freeze it. After about 20-30 seconds of spraying it with the compressed air, we quickly pulled it from the target computer and inserted it into our own forensic machine. We then executed DumpIt from an external thumb drive to capture the transferred RAM. We analyzed this RAM dump using the Volatility framework. Volatility Framework is a collection of open source tools to examine extracted RAM samples. Using the pslist command which shows the running processes from the RAM dump, we were able to see processes for notepad, MS paint, and calculator, showing that we were successful in capturing RAM information from the target machine.
This was a very difficult way to obtain RAM. We ran the test many times and were only successful the first time. The computer has to be powered on at the perfect moment so the RAM can be recognized and is not too frozen, but is not so defrosted that it loses information. We saw the processes the first time proving the RAM dump was successful, but we did not get them the following times. It appears that our RAM also did not retain memory as well as others do after losing power, and depending on powering on after freezing at the precise moment was difficult. There are many factors that have to be perfect for this to go right, it is unrealistic in actual practice at this time, but theoretically interesting.
Trying a slightly different method, we decided to try switching out the hard drive which contained the locked user account with one of our own hard drives with our own login information. This way we could simply log in with our own account and conduct a RAM dump. For this method, we followed the same procedure of logging into the target machine and opening up a few programs, once again: notepad, MS paint, and calculator. We then locked the account. We froze the RAM while the computer was still on, then powered off the computer, quickly traded hard drives, and powered the computer back on. When we logged in and performed a RAM dump, we were unfortunately unsuccessful. We then tried a slightly different method; we froze the RAM while the computer was still on, and then switched the hard drives while the computer was still on. We were able to reboot even quicker, and log in to perform a RAM dump. Once again, we were unsuccessful. While we tried several different variations involving freezing RAM to retain its memory, it is interesting to find although it is possible, it is unrealistic for regular case work.
Social Engineering/Cracking Passwords
The lock screen prevents a forensic examiner from running an executable to get into the user account. If we were able to figure out the password to get into the account, we would be able to run our RAM dump program and get an image of the RAM. The problem is, how do we figure out the password?
There are several ways to try and get into a system. The first being social engineering. Social engineering involves using manipulation to retrieve security information. There are many social engineering tactics which pose as security flaws. PCWorld goes over several social engineering techniques. It explains often by getting to know people, and being familiar, people often let down their guard. Because of this, you can access certain areas you should not be able to or receive personal information that could help you. The article also discusses getting information about your target, which could give hints as to what their password is. It says to look in their car, at personal desk decorations, and their online social media profile. These could give clues to who they are and what their possible passwords could be. Check out the article here!
Passwords can also be cracked through password cracking software. One example is OphCrack. OphCrack is a password cracking software that uses rainbow tables (pre-calculated hash values) to guess passwords that are less than fourteen characters. It can take some time to run, but it can catch non-word passwords, for example “aohe1aie9malsv”. This software only runs on Windows machines, however, and requires a reboot as it is run from a CD. The freezing method as explained from before would have to be used, and the same complications of making sure the RAM is frozen but not too frozen would arise again.
Using a network attack to capture RAM is a method that can be used in the case the computer is known to be on a network, such as in a work or home environment. The examiners computer must also be on the same network as the target device so that they may communicate. The ability to perform a network attack is very situational; the tools and methods used vary depending on the circumstances. Two methods were attempted to gain access to the locked machine and capture the RAM, though neither were successful. Remember that the correct legal process must be in place to access the computer over the network and bypass the locked account.
If the computer of interest is connected and authenticated to a domain, the domain administrator can log into the domain controller and reset the user’s password, allowing the examiner to unlock the computer with the account. To do this the “switch users” option must be used and the domain account user name/password must be re-entered. Once logged in, a RAM executable can be run to get a memory dump. If the password cannot be changed, for example if the domain admin account is unavailable, another user with domain credentials could login, though this would change more information in the RAM than logging in as the same user.
If the computer is not on a domain and is connected to a known network, such as a home Wi-Fi or non-windows domain, it is more difficult to gain access to the users account. This involves acting on vulnerabilities and usually involves using methods such as packet injections, DNS spoofing, and other man in the middle attacks. Packet injections involve sending network data that appears to be from a legitimate source, but isn’t, and drops a payload onto the system. DNS spoofing reroutes network traffic away from a legitimate site to the site with a payload, usually malicious. These are both man in the middle attacks and are named so as they involve intercepting and manipulating data sent from and to the target machine. Remember that these attacks do modify items in the volatile memory and usually still require some sort of user interaction, which is not possible when a computer is locked.
The only method we theorized would work is if the computer was set to auto update at a known time, a DNS reroute could send the computer to access a package containing an unlocking payload from what it thinks is Microsoft’s update servers. The issue with this attack vector is that the user would still have to install the package once it was downloaded. This would require having another computer on the same network with a router and the necessary software toolkit to perform the attack in full. With this level of complexity and small range of effectiveness, it reinforces how the ability to gain access to the machine becomes very situational.
We have been unable to find a practical solution that is easy to do, time realistic, and cost efficient for capturing RAM on a locked computer. There are many methods, however; it is unrealistic to apply one of these when working on a forensic case.
We at the Senator Patrick Leahy Center would love to hear your feedback! Do you have an idea for a method that would work? Have you ever attempted this and found a good solution? Post your responses to our Facebook page or visit our blogs for more!