In today’s Digital Forensic Tool Evaluation class we were using FTK Imager. I walked the class through the fundamentals and then through some of the advanced features. I was very happy with the questions I was getting – this really shows that the students were “getting it”.
That said, I wanted to share a fun story from class. When I demonstrated how to dump RAM, the students, who were all sophomore computer forensics majors, were very excited to use a tool that can so easily gather volatile memory. Dumping all 16GB of RAM from the lab computers took about 5-10 minutes. During this time we discussed the types of artifacts you could uncover from RAM. Considering this is a tools-focused class, we really don’t get into forensic methodology or analysis techniques, but in this case we deviated from the normal course plan.
As soon as the RAM dump was complete, we added the memory file into FTK Imager and started string searches. I instructed the students to search for their last name – and all of them were able to find a string that was responsive. Then it happened – “Hey Professor Rajewski, I just found my password” – and I smiled at the students and said, “welcome to the fun world of digital forensics”. It was amazing as a professor to let the students explore their first RAM dump and just “find things”. I then gave a brief impromptu lecture on why you would find plaintext passwords in RAM and how it could be a security risk. I also connected this to the new Passware product, which relates to the concept of cold boot attacks (Lest We Remember: Cold Boot Attacks on Encryption Keys), plus the technique of directly accessing RAM over FireWire. The cool part is that what Passware is doing is old news to seasoned forensicators – however – it’s extremely innovative: they bundled up a rather complicated process into a nice solution that any digital forensic / incident response professional with some training could accomplish.
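To show what the string search in class actually does, here is an added example (not code from the post or from FTK Imager) that extracts ASCII and UTF-16LE string runs from a memory image and searches them for a term, then demonstrates why scrubbing a credential buffer before it is captured is the only thing that keeps it out of such a search. The image bytes are constructed inline; the names and values in it are made up.

```python
import re

# Constructed stand-in for a memory image: non-printable filler around an
# ASCII string (the way a submitted web form might linger in a process
# heap) and a UTF-16LE string (how wide-character Windows APIs store text).
SAMPLE_IMAGE = (
    b"\x00\x7f\x13\xfe" * 16
    + b"username=rajewski&password=hunter2"
    + b"\x00\xff\x4a" * 10
    + "Rajewski".encode("utf-16-le")
    + b"\x90" * 8
)


def extract_strings(data: bytes, min_len: int = 4):
    """Yield (offset, encoding, text) for every printable run of at least
    min_len characters, in both ASCII and UTF-16LE (char, NUL pairs)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def search(data: bytes, term: str):
    """Case-insensitive hit list, like the string search the students ran."""
    needle = term.lower()
    return [(off, enc, s) for off, enc, s in extract_strings(data)
            if needle in s.lower()]


def scrub(buf: bytearray, start: int, length: int) -> None:
    """Overwrite a region in place; a program that does this to a credential
    buffer as soon as it is done with it leaves nothing for the search."""
    buf[start:start + length] = b"\x00" * length


if __name__ == "__main__":
    for off, enc, s in search(SAMPLE_IMAGE, "rajewski"):
        print(f"offset {off:#x} [{enc}] {s!r}")
    img = bytearray(SAMPLE_IMAGE)
    scrub(img, 64, 34)  # region of the form string in the sample
    print("after scrub:", search(bytes(img), "hunter2"))
```

Real images are large, so a practical version reads the file in chunks with an overlap of a few bytes so a string straddling a chunk boundary is not missed.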
Students left this class very excited, and some of them even said they “feel like they need to change their password”. Most of them are taking my Anti-Forensics and Network Forensics course, and we will be discussing cryptology in the next few weeks. During this section we will revisit the concept of exploiting RAM for user credentials, full volume encryption keys, etc.