How to analyze RAM through Kali Linux Forensics mode

crwdns2944109:0crwdnd2944109:0Jacob Mehnertcrwdnd2944109:0crwdnd2944109:0crwdnd2944109:0crwdne2944109:0

crwdns2944111:0July 11, 2022crwdne2944111:0

2.5K

crwdns2942659:0crwdne2942659:0

crwdns2942661:0crwdne2942661:0

3

crwdns2942663:0crwdne2942663:0

7

crwdns2942665:0crwdne2942665:0

32

crwdns2942667:0crwdne2942667:0

2,453

0

crwdns2942685:0crwdne2942685:0

crwdns2947416:0crwdne2947416:0

1

crwdns2944093:01crwdne2944093:0

crwdns2942675:0crwdne2942675:0

0

crwdns2942689:0crwdne2942689:0

crwdns2942679:0crwdne2942679:0

crwdns2931287:02crwdne2931287:0

crwdns2942711:0crwdne2942711:0

crwdns2937799:0crwdne2937799:0

crwdns2942631:0crwdne2942631:0

crwdns2944444:0crwdne2944444:0

crwdns2944446:0crwdne2944446:0

crwdns2915892:0crwdne2915892:0

crwdns2942287:0crwdne2942287:0

Much like how a memory analysis can be done on a hard drive, memory analysis can also be done on RAM modules. Because RAM is a volatile memory source, which means as soon as it is turned off it will loose data.

However, one of the cool things that can be done with memory analysis is that a user can recreate what was happening when an issue occurred by using the Volatility application.

crwdns2942213:0crwdne2942213:0

crwdns2943213:0crwdne2943213:0

• 

  USB Flash Drive

  crwdns2943225:0crwdne2943225:0

  crwdns2931591:0Amazoncrwdne2931591:0
  crwdns2915696:0crwdne2915696:0

crwdns2943215:0crwdne2943215:0

• 

  Volatilitycrwdns2931591:0Volatility Foundationcrwdne2931591:0
  crwdns2915696:0crwdne2915696:0

crwdns2944105:0crwdne2944105:0

crwdns2943227:0crwdne2943227:0

crwdns2931653:01crwdne2931653:0 Plug in your Live Kali Linux USB

• Plug in your Live Kali Linux USB into your computer and restart your PC.
• Once your machine is finished restarting you should see Kali's Boot Loader.
crwdns2913378:0crwdne2913378:0
crwdns2934285:0crwdne2934285:0
crwdns2934285:0crwdne2934285:0
crwdns2917038:0crwdne2917038:0
1024
crwdns2891542:0crwdne2891542:0 crwdns2934287:0crwdne2934287:0
crwdns2931653:02crwdne2931653:0 Choose Live (Forensic mode)
• Choose Live (forensic mode) from the list of options.
• This will take you into the forensics mode, which contains the tools and packages needed to preform system forensic needs.
crwdns2913378:0crwdne2913378:0
crwdns2934285:0crwdne2934285:0
crwdns2934285:0crwdne2934285:0
crwdns2917038:0crwdne2917038:0
1024
crwdns2891542:0crwdne2891542:0 crwdns2934287:0crwdne2934287:0
crwdns2931653:03crwdne2931653:0 Open Kali's command line Terminal
• Press Ctrl + Alt + T to open the Terminal Interface.
crwdns2913378:0crwdne2913378:0
crwdns2934285:0crwdne2934285:0
crwdns2934285:0crwdne2934285:0
crwdns2917038:0crwdne2917038:0
1024
crwdns2891542:0crwdne2891542:0 crwdns2934287:0crwdne2934287:0
crwdns2931653:04crwdne2931653:0 Navigate to Volatility's directory
• Navigate to the Volatility directory with the command: cd /usr/share/volatility
crwdns2913378:0crwdne2913378:0
crwdns2934285:0crwdne2934285:0
crwdns2934285:0crwdne2934285:0
crwdns2917038:0crwdne2917038:0
1024
crwdns2891542:0crwdne2891542:0 crwdns2934287:0crwdne2934287:0
crwdns2931653:05crwdne2931653:0 Search for the RAM's profile
• Search for the RAM's profile with: python vol.py imageinfo -f=<location of image file>
crwdns2913378:0crwdne2913378:0
crwdns2934285:0crwdne2934285:0
crwdns2934285:0crwdne2934285:0
crwdns2917038:0crwdne2917038:0
1024
crwdns2891542:0crwdne2891542:0 crwdns2934287:0crwdne2934287:0

crwdns2862417:0crwdne2862417:0

crwdns2935291:0crwdnd2935291:01crwdnd2935291:0crwdne2935291:0

Jacob Mehnert

crwdns2935283:010/18/21crwdne2935283:0

39.610 crwdns2915208:0crwdne2915208:0

crwdns2935297:050crwdne2935297:0

crwdns2918514:0crwdne2918514:0: 51

• 
• 
• 

crwdns2935301:048crwdne2935301:0

crwdns2915084:0crwdne2915084:0

iFanatics crwdns2935289:0iFanaticscrwdne2935289:0

Community

crwdns2931471:061crwdne2931471:0

crwdns2935297:0194crwdne2935297:0

crwdns2942557:0crwdne2942557:0

crwdns2942955:0crwdne2942955:0

crwdns2852917:0crwdne2852917:0