Forensic Report Sample:Volatile Memory Acquisition using FTK Imager Lite

Vishal Thakur
4 min read, Feb 9, 2020

This is a sample forensic report of a volatile memory acquisition performed with FTK Imager Lite by AccessData. Investigating agencies use a procedure like this to log each step of the evidence acquisition process, and the resulting report is presented in court at the hearing.

FTK Imager Lite by AccessData

Scope of Work

On Feb 14, 2019, Mr Gaitonde contacted us to investigate a desktop computer running Windows 10 Home, version 1803, which was used by one of his employees. The integrity and accessibility of the acquired data were of primary importance. He also requested a report suitable for possible criminal charges and civil litigation.

Abstract

In a reputable organization, a system in the Finance Department containing sensitive data crashed frequently. The purpose of the investigation is to identify the nature of this incident by gathering diagnostic information at the time of a crash and learning more about the event.

The RAM dump was created while the system was running, along with images of the files pagefile.sys, swapfile.sys and hiberfil.sys (the memory capture itself only includes pagefile.sys; swapfile.sys and hiberfil.sys have to be exported separately from the file system). After the images were created, their hash values were calculated so that data integrity can be proven later.

Acquisition Details

The contents of RAM take precedence in data acquisition because they are lost the moment the computer is turned off. FTK Imager Lite by AccessData was used to acquire the RAM dump. FTK Imager is a simple but capable tool. It saves an image in one file or in segments that can later be reconstructed. The memory dump can optionally include pagefile.sys, so paged-out virtual memory is captured as well. It can calculate MD5 and SHA1 hash values and verify the integrity of an image before the files are closed. Disk images can be saved in several formats, including raw DD, and the memory capture can additionally be written as an AD1 file for backup or later use. The acquired data includes:

§ Processes

§ Information about open files and registry handles

§ Network information

§ Passwords

§ Cryptographic keys

§ Unencrypted content

§ Hidden data

§ Worms and rootkits that run only in memory

Chain of Custody

CASE NO: C001

Fig-1: The Suspected System’s Details.

Mode of Operation

The investigator followed the defined SOP and stayed compliant with the policies of the data owner's institution. The steps taken were as follows:

Step 1: Run the portable FTK Imager tool on the victim's machine. Run it from removable media and write the dump to an external destination rather than to the evidence disk, so that the acquisition changes as little of the evidence as possible.

Fig-2: Launch FTK Imager Tool

Step 2: Initiate Memory Capture (File > Capture Memory).

Fig-3: Initiate Memory Capture

Step 3: Set the destination path and file name for the memory dump, and tick "Include pagefile" so that pagefile.sys is captured as well.

Fig-4: Set Destination Path

Step 4: Start Memory Capture and observe the status/progress.

Fig-5: Started Memory Capture: Dumping RAM

Step 5: The memory capture dumps the pagefile and completes successfully.

Fig-6: Started Memory Capture: Dumping PAGEFILE
Fig-7: Memory Capture Finished Successfully

Step 6: Compute the hashes (MD5 and SHA1) of both files, record them in the chain-of-custody log and store them securely. Any working copy of the dump is re-hashed and compared against these values before analysis begins.

Fig-8: Hash Calculation and Output Result.
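The hashing and record-keeping of Step 6, written out as a script. This is an added example and not part of the original report or of FTK Imager: it hashes each acquired file in a single pass (MD5, SHA1 and SHA256), writes a chain-of-custody manifest with the case number, examiner, host and UTC timestamp, and re-verifies a copy of the evidence against that manifest. The file names (memdump.mem, pagefile.sys), the evidence directory and the manifest layout are assumptions.

```python
"""Hash acquired memory artifacts and record / verify a chain-of-custody manifest.

Added example, not part of the original report or of FTK Imager. File names
(memdump.mem, pagefile.sys), the evidence directory and the manifest layout
are assumptions.
"""
import hashlib
import json
import os
import socket
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # read 4 MiB at a time: memory dumps are often tens of GB


def hash_file(path):
    """Return MD5, SHA1 and SHA256 of a file, computed in one pass over the data."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def build_manifest(case_no, examiner, paths):
    """Build a chain-of-custody record: who hashed which files, when, and on which host."""
    return {
        "case_no": case_no,
        "examiner": examiner,
        "host": socket.gethostname(),
        "hashed_at": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"file": os.path.basename(p), "size": os.path.getsize(p), **hash_file(p)}
            for p in paths
        ],
    }


def write_manifest(manifest, out_path):
    """Persist the manifest as JSON next to (or, better, apart from) the evidence."""
    with open(out_path, "w") as fh:
        json.dump(manifest, fh, indent=2)


def verify_manifest(manifest, directory):
    """Re-hash each listed file in `directory`; return the names whose size or hash changed."""
    failed = []
    for item in manifest["items"]:
        path = os.path.join(directory, item["file"])
        if not os.path.exists(path) or os.path.getsize(path) != item["size"]:
            failed.append(item["file"])
            continue
        current = hash_file(path)
        if any(current[alg] != item[alg] for alg in ("md5", "sha1", "sha256")):
            failed.append(item["file"])
    return failed


if __name__ == "__main__":
    # Assumed output names of the FTK Imager Lite memory capture and an assumed evidence drive
    evidence_dir = r"E:\Evidence\C001"
    files = [os.path.join(evidence_dir, n) for n in ("memdump.mem", "pagefile.sys")]
    manifest = build_manifest("C001", "Examiner name", files)
    write_manifest(manifest, os.path.join(evidence_dir, "C001-hashes.json"))
    print("Files that no longer match the manifest:", verify_manifest(manifest, evidence_dir))
```

Three digests are recorded because MD5 and SHA1 are what FTK Imager reports, while SHA256 gives a collision-resistant value for the record; the size check in `verify_manifest` catches a truncated copy before the full re-hash is spent on it.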

This is how a volatile memory acquisition is documented in a forensic report, and how volatile memory is captured with FTK Imager Lite.


Vishal Thakur

A student with a huge interest in cyberspace and cybersecurity. Follow me for the latest updates and great articles related to tech, cybersecurity and IoT.