Memory forensics is the collection of evidence from a computer's memory. Advanced computer attacks often leave little evidence on the hard drive. In these situations, people often pull the plug on a device. Call us first! Disrupting power can destroy evidence, and we've had extensive experience in thwarting advanced attempts at data destruction.
Evidence we can collect includes, but isn't limited to:
- Encryption Keys like TrueCrypt and BitLocker, once extracted, can be used to access encrypted file systems.
- Running Processes are simply every program running on a computer. Often, destructive malware can hide itself from the task manager, but our memory forensics methods will discover it.
- File Fragments can be accessed with memory forensics techniques that recover fragments even when the place they're stored is marked as "empty."
- Network Connection Analysis, including terminated connections, can help detect malware, acceptable use policy (AUP) abuse, insider threat, and a range of criminal activities.
- Windows Registry Hives are central locations in a Windows registry that can provide valuable information even when anti-forensic programs have attempted to scrub the registry of evidence of unauthorized activity.