How to do forensics on a memory image (RAM) to find the URLs currently open in a browser

forensics

(anshav) #1

https://www.cfreds.nist.gov/mem/Basic_Memory_Images.html

If you go to the above page, you will find the following written:

** xp-laptop-2005-06-25:
** xp-laptop-2005-07-04:
Windows XP installed on a Toshiba laptop connected to a network

The image from June 25th was running Firefox and had recently
been pointed at mit.edu. It was also running Internet
Explorer pointed at nytimes(dot)com

The image from July 4th was running Firefox and had recently
been pointed to w3(dot)org

As mentioned above, how could I find the URLs that were currently open (mit.edu/ in Firefox and nytimes.com/ in IE) at the time the memory was dumped?
I also tested on my Windows 10 Pro: I opened Firefox, navigated to facebook.com, dumped the memory, and then examined it with Volatility to look for recently opened URLs.
I used the YARA option with Volatility Framework 2.6, but with no success; I received errors such as plugin conflicts. Is anyone here an expert in using the Volatility tool? Please guide me.


#2

Well, with no error messages and without my crystal ball, no way to know what’s going wrong. You could try a quick grep of the human-readable strings, though.

If the problem is you half-installed volatility over an existing install and you don’t actually want to work out what’s wrong, probably easiest way is to make a new Remnux VM. Shouldn’t take very long.
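A worked version of the "quick grep of the human-readable strings" suggestion, added here as an example and not code from any post in this thread. A raw RAM dump (the output of FTK Imager or RAMCapture) is just a file of bytes, so a regex over it recovers URL-like strings without a working Volatility profile. Windows programs keep many strings as UTF-16LE (each character followed by a 0x00 byte), which an ASCII-only strings pass misses, so both encodings are scanned. The sample image, the function names and the file path handling are all constructed for this example.

```python
"""Scan a raw memory image for URL-like strings (ASCII and UTF-16LE).

Added example, not from the thread: a regex pass over the raw bytes of a
RAM dump, covering both plain ASCII URLs and the UTF-16LE wide strings
that Windows applications commonly hold in memory.
"""
import mmap
import re
import sys
from typing import List, Tuple
from urllib.parse import urlsplit

# Characters allowed after the scheme (RFC 3986 unreserved, reserved and
# percent-escape characters); '-' is last so it is literal in the class.
_URL_CHARS = rb"A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-"

# ASCII form: http://host/path...
ASCII_URL = re.compile(rb"https?://[" + _URL_CHARS + rb"]{4,}")

# UTF-16LE form: every byte above is followed by a NUL byte.
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00"
    rb"(?:[" + _URL_CHARS + rb"]\x00){4,}"
)

Hit = Tuple[int, str, str]  # (offset in image, encoding, url)


def find_urls(image) -> List[Hit]:
    """Return every URL-like string in a bytes-like image, sorted by offset."""
    hits: List[Hit] = []
    for m in ASCII_URL.finditer(image):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_URL.finditer(image):
        # The match is whole (char, NUL) pairs, so it decodes cleanly.
        hits.append((m.start(), "utf16le", m.group().decode("utf-16-le")))
    hits.sort()
    return hits


def hosts(hits: List[Hit]) -> List[str]:
    """Distinct host names from a hit list, for a quick 'which sites' view."""
    names = {urlsplit(url).hostname for _, _, url in hits}
    return sorted(h for h in names if h)


def scan_file(path: str) -> List[Hit]:
    """Scan an image file on disk via mmap, without reading it all into RAM."""
    with open(path, "rb") as fh, mmap.mmap(
        fh.fileno(), 0, access=mmap.ACCESS_READ
    ) as mm:
        return find_urls(mm)


# Constructed sample "image": junk bytes around an ASCII URL (as Firefox
# might hold it), a UTF-16LE URL (a Windows wide string), and a non-http
# scheme that should be ignored. Not a real capture.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + bytes(range(16))
    + b"http://mit.edu/"
    + b"\xff\xfe" + b"\x00" * 8
    + "https://www.nytimes.com/".encode("utf-16-le")
    + b"\x00\x00ftp://ignored.example/"
    + b"https://w3.org/TR/"
)


if __name__ == "__main__":
    # Usage: python scan_urls.py <memory_image.raw>; with no argument the
    # constructed sample is scanned instead.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_file(target) if target else find_urls(SAMPLE_IMAGE)
    for offset, enc, url in results:
        print(f"0x{offset:08x}  {enc:8}  {url}")
    print("hosts:", ", ".join(hosts(results)))
```

Two caveats for reading the output: a raw image also contains URLs from history, caches, page content and freed memory, so a hit proves only that the string was somewhere in RAM at capture time, not that a tab was open on it; and the offset alone does not say which process owned the page. Attributing a hit to Firefox or Internet Explorer is the step that needs Volatility (its per-process YARA scanning does this same pattern search inside each process's address space), so the raw-bytes pass is best used as a first triage before the profile and plugin problems are sorted out.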


(anshav) #3

Actually, I created an image of RAM (memory) from inside my running Windows 10 with the help of the RAMCapture tool and FTK Imager (both). Then I copied that memory image to the SANS SIFT VMware VM, a forensic OS built on Ubuntu by SANS (downloaded from the SANS website). This SANS VM already has the latest Volatility installed, and I tested on it. Before testing, I searched Google for tutorials and found one using the yara option, but I receive errors such as plugin conflicts.
Check out this video and you will understand: https://www.youtube.com/watch?v=6dTEtPb5eAo
The same question was asked by someone else on GitHub, with the same errors I received. The last comment there is mine.
https://github.com/sans-dfir/sift/issues/218

I mean, is there another way to complete the above-mentioned task as given on the government site? Other tools are paid, not free. If someone has already done RAM forensics with another method, please guide me.


#4

Well, looks like there’s a stack trace and the exact line there was a problem. Sounds like a good time to submit a pull request.


(system) #5

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.