Windows Forensics Cookbook

How to do it...

The steps for Windows memory image analysis using Belkasoft Evidence Center:

  1. To create a new case, click on New in the Open Case window. Now you need to fill in a few fields:
    • Case name - Usually, we use the case number and year for case names, but this time, as it's being created for testing purposes, we will name it Belkasoft Memory Forensics Test.
    • Root folder - Here, you should choose the folder where the case data will reside. In our case, it's the D: drive.
    • Case folder - This field will be filled in automatically based on the two previous fields, so in our case, it's D:\Belkasoft Memory Forensics Test.
    • Investigator - Type your name in this field.
    • Time zone - Choosing the right time zone is very important. If you already know the right one, choose it. If not, we suggest choosing UTC +00:00. In our case, we know the time zone, so we can use the correct one (UTC +03:00).
    • Description - If you want to add a description to your digital evidence item, here is the field to do it. We used the following description: Parsing a memory image created with Belkasoft Live RAM Capturer for testing purposes.
Figure 2.4. Creating a new case in Belkasoft Evidence Center
  2. Click OK and you will see the next window - Add data source.

Belkasoft Evidence Center supports different kinds of evidence sources, from physical drives and drive images, to mobile backups and, of course, memory images, including pagefile.sys and hiberfil.sys.

As we are talking about memory forensics now, let's choose the image we previously acquired with Belkasoft RAM Capturer as the data source.

Figure 2.5. Adding previously acquired memory image as data source in Belkasoft Evidence Center
  3. Click Next to choose the data types you want to search for. For testing purposes, we chose all available data types, but you can choose only those you really need, to reduce processing time.
Don't forget to go to Advanced options and enable BelkaCarving - it helps you recover fragmented data, for example, pictures.
Figure 2.6. Choosing data types in Belkasoft Evidence Center
  4. OK, we are ready to start parsing the memory image - just click Finish.

It took Belkasoft Evidence Center (BEC) about an hour to parse and carve the image, and we got impressive results: 9728 web browser artifacts, 2848 pictures, 74 chat artifacts, and so on.
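To show what "carving" a memory image means at the byte level (the kind of work BelkaCarving and the browser-artifact parsers do behind the GUI), here is a small added example in Python. It is not Belkasoft's code and does not reproduce its algorithms; it scans a raw memory dump for two of the artifact types mentioned above, JPEG pictures (located by their SOI/EOI signatures) and URLs stored either as ASCII or as the UTF-16LE strings that Windows processes commonly keep in memory. The sample buffer is constructed inline so the script runs offline; point it at a real .mem file to try it on acquired data.

```python
"""Minimal signature-based carver for raw memory images (added example)."""
import re
import sys
from dataclasses import dataclass

# JPEG start-of-image and end-of-image markers.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

# ASCII URL: scheme, host, optional path made of common URL characters.
URL_ASCII_RE = re.compile(
    rb"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._~:/?#@!$&'()*+,;=%\-]*)?"
)
# Same idea for UTF-16LE text: every printable byte is followed by a NUL byte.
URL_UTF16_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}"
)


@dataclass
class CarvedFile:
    offset: int   # byte offset of the signature inside the image
    length: int   # bytes from SOI up to and including EOI
    data: bytes


def carve_jpegs(image: bytes) -> list[CarvedFile]:
    """Return every SOI..EOI span found in the image, in offset order.

    A trailing SOI with no matching EOI (a truncated picture) is skipped.
    """
    results = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break  # header without trailer: nothing complete to recover
        end += len(JPEG_EOI)
        results.append(CarvedFile(start, end - start, image[start:end]))
        pos = end
    return results


def carve_urls(image: bytes) -> list[str]:
    """Return unique URLs found as ASCII or UTF-16LE strings, in first-seen order."""
    seen: set[str] = set()
    found: list[str] = []
    for match in URL_ASCII_RE.finditer(image):
        url = match.group(0).decode("ascii")
        if url not in seen:
            seen.add(url)
            found.append(url)
    for match in URL_UTF16_RE.finditer(image):
        url = match.group(0).decode("utf-16-le")
        if url not in seen:
            seen.add(url)
            found.append(url)
    return found


# Constructed sample "memory image": padding, an ASCII URL, one complete
# (fake) JPEG, a UTF-16LE URL, and a truncated JPEG header at the end.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"https://example.com/index.html\x00"
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"
    + b"\x00" * 8
    + "http://example.org/login".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xd8\xff"
)


def summarize(image: bytes) -> dict[str, int]:
    """Count carved artifacts per type, similar to a tool's results overview."""
    return {"pictures": len(carve_jpegs(image)), "urls": len(carve_urls(image))}


if __name__ == "__main__":
    # Usage: python carve_demo.py [path/to/memory.mem]
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for jpeg in carve_jpegs(image):
        print(f"JPEG at offset {jpeg.offset:#x}, {jpeg.length} bytes")
    for url in carve_urls(image):
        print("URL:", url)
    print(summarize(image))
```

Real carvers go much further (JPEG parsers that validate the segment structure instead of trusting the first EOI, reassembly of fragments split across pages, and hundreds of application-specific signatures), which is why the GUI run above takes an hour rather than seconds; the example only makes the basic idea concrete.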

Figure 2.7. Results of memory image processing with Belkasoft Evidence Center

As you can see, you can extract quite a lot of valuable digital artifacts from a memory image with just a few clicks - so, if you have access to a running system, make it a rule to capture the memory image. This may help you, for example, to recover browsing history from anonymous tools such as Tor Browser, which are widely used among criminals, as well as other important digital artifacts which may reside only in volatile memory.