Belkasoft Live RAM Capturer

This project utilizes Belkasoft Live RAM Capturer to capture live RAM from a system, as well as WinHex to examine the capture.

First, I went to https://belkasoft.com/ram-capturer and asked for permission to use the product.

After a few hours, I was sent an email to be able to download the product. After downloading, I opened the Belkasoft RAM Capturer program.

I first followed the instructions in the assignment and attempted to send the RAM data to my work folder; unfortunately, this did not work, as it said there was not sufficient space. A memory file did appear, but once I opened it in WinHex, nothing showed.

Next, I created a folder on my desktop to be used for the RAM dump.

After waiting a long time for the RAM dump to process, I opened up WinHex.

Once I opened the RAM dump in WinHex, I was still unable to get anything to show correctly.

After running the RAM dump several times and trying to open it in WinHex, I became frustrated as nothing seemed to work. Next, I noticed in the RAM dump message that I could use Belkasoft’s Evidence Center to analyze the data. So, I then requested a trial. Once approved, I downloaded the program and opened it.

Next, I created a new case and loaded the RAM dump file.

Once I loaded and ran an analysis on the RAM’s contents, I found a significant amount of information from my RAM, including over 1332 browser entries, 1762 system files, and 176 pictures.

I started to play around with the program and found, using searches, several additional entries.
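The capture file that "showed nothing" in the hex editor is a good reminder that the first step after any RAM acquisition is to check that the dump actually contains data before spending hours on analysis. The script below is an added example written for this write-up; it is not code from Belkasoft, WinHex, or the assignment. It runs over a small constructed byte buffer (the `SAMPLE_DUMP` constant, with a hypothetical file path) and can also be pointed at a real capture file. It reports the file size, the fraction of zero bytes, a Shannon entropy estimate, the printable strings it finds (the same idea as the `strings` utility), and any URLs among them, and returns a verdict: an empty file or one that is almost entirely zeros is what a failed capture (for instance one that ran out of disk space) typically looks like.

```python
"""Triage a raw memory dump before opening it in a hex editor or analysis suite.

Added example for this write-up (not Belkasoft's, WinHex's, or the assignment's code).
It verifies that a capture file actually contains data: size, zero-byte fraction,
entropy, printable strings, and URLs, plus a simple verdict.
"""
import math
import re
import sys
from collections import Counter

# Constructed sample "dump": zero-filled pages around a few fragments of the kind
# live RAM normally contains (a URL, a file path, a PE header stub). Not a real capture.
SAMPLE_DUMP = (
    b"\x00" * 4096
    + b"https://belkasoft.com/ram-capturer\x00"
    + b"C:\\Users\\analyst\\Desktop\\ramdump\\capture.mem\x00"  # hypothetical path
    + b"\x00" * 2048
    + b"MZ\x90\x00" + b"\x01\x02" * 512
    + b"\x00" * 4096
)

# Zero-byte fraction above which the file is treated as an empty or failed capture.
# Real RAM contains many zero pages, so the threshold is deliberately high.
ZERO_THRESHOLD = 0.99
URL_RE = re.compile(rb"https?://[\w./%-]+")


def shannon_entropy(hist, size):
    """Bits per byte computed from a byte histogram (0.0 for empty input)."""
    if size == 0:
        return 0.0
    return -sum((c / size) * math.log2(c / size) for c in hist.values())


def extract_strings(data, min_len=8):
    """Printable-ASCII runs of at least min_len bytes, like the 'strings' utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage_chunks(chunks):
    """Summarise an iterable of byte chunks into one dict with a verdict."""
    hist, size, strings, urls = Counter(), 0, [], []
    for chunk in chunks:
        size += len(chunk)
        hist.update(chunk)  # iterating bytes yields ints, so hist[0] counts zero bytes
        strings.extend(extract_strings(chunk))
        urls.extend(u.decode("ascii") for u in URL_RE.findall(chunk))
    zero_fraction = hist[0] / size if size else 1.0
    if size == 0:
        verdict = "empty"
    elif zero_fraction > ZERO_THRESHOLD:
        verdict = "mostly_zero"  # capture probably failed, e.g. ran out of disk space
    else:
        verdict = "ok"
    return {
        "size": size,
        "zero_fraction": zero_fraction,
        "entropy": shannon_entropy(hist, size),
        "strings": strings,
        "urls": urls,
        "verdict": verdict,
    }


def triage_bytes(data):
    """Triage a buffer already in memory (used for the constructed sample)."""
    return triage_chunks([data])


def triage_file(path, chunk_size=64 * 1024 * 1024):
    """Triage a dump on disk, read in chunks so multi-GB files never sit in RAM at once.

    A string that straddles a chunk boundary is reported as two pieces; that is
    acceptable for a sanity check, not for evidence extraction.
    """
    def chunks():
        with open(path, "rb") as f:
            while chunk := f.read(chunk_size):
                yield chunk
    return triage_chunks(chunks())


if __name__ == "__main__":
    # With a path argument, triage that file; otherwise use the constructed sample.
    report = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage_bytes(SAMPLE_DUMP)
    for key in ("size", "zero_fraction", "entropy", "verdict"):
        print(f"{key:14}{report[key]}")
    print(f"{'strings':14}{len(report['strings'])} found")
    for url in report["urls"]:
        print(f"{'url':14}{url}")
```

Run it as `python triage_dump.py C:\path\to\capture.mem` (the script name is a placeholder). A verdict of `mostly_zero` or `empty` means the acquisition should be repeated to a volume with enough free space before anything is concluded from the contents; a verdict of `ok` with a healthy string count tells you the hex editor has something to show, and the problem lies in how the file is being opened rather than in the capture.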

Overall, I had great difficulty with this project as I could not figure out how to get WinHex to show the contents of the RAM dump. I must have been doing something wrong. But, in computer forensics, failing is not an option. After performing some steps not listed in the project, I was able to see my RAM’s image and clearly decipher what sites, images, and files were stored on it at the time of analysis. The Belkasoft Evidence Center is a fantastic product; the feeling I received once I finally began to see my collected data was of sheer excitement. I was still able to perform searches on the RAM’s content, just not using WinHex; I realize this may mean that I failed my task of completing this assignment, but I honestly tried for hours to get it to work.

Now that I feel that I collected and analyzed a live image of RAM, I am confident in my abilities to perform this action in the real world. The Belkasoft Evidence Center, while I am only using a trial version, seems to be quite adequate in several tasks required in forensic investigations. Once I submit this assignment, I am going to keep trying to get WinHex to work, as well as explore what else Belkasoft Evidence Center can do. While this assignment certainly caused a lot of stress, I am happy I didn’t give up and choose a different task to do; I might get a worse grade, but I learned how to utilize various programs and methods to achieve the same results.

If I had known about the ability to capture RAM data earlier, I would have been able to more effectively deal with a situation we had at work a while ago. A new employee stole my boss’s credit card in his first week of employment, thus racking up several fraudulent charges. As the employee was helping our office manager with the organization’s finances, he had access to all of our sensitive information. During the investigation, I collected everything I could from his computer but recognized that he tried to cover his tracks as much as possible. Collecting data from his RAM would have strengthened our case against him. This project was an excellent experience for me, and while I failed in some aspects, I feel that I achieved the same result, only using a different program.
