
Memory Dump Analysis Project Report

Student Name

Institutional Affiliation

Professor’s Name

Course Name

Due Date

1. Introduction

1.1 Overview

In digital forensics, time is a crucial factor, especially when working with system memory (RAM). Compared with other forms of storage, RAM is highly volatile: it holds data only temporarily, and that data changes or is lost when the computer or device is switched off or restarted. Over time, system activity such as running processes, network interactions and interrupts alters the contents of memory and can wipe out potentially important data.

Such changes in RAM can significantly affect a forensic investigation, since volatile data contains active processes, network connections, open files, encryption keys, and other artifacts relevant to a case. This data can be crucial for reconstructing what happened, establishing the continuity of a threat, or gathering evidence of criminal activity.

For this project I analyzed two memory dumps to understand how system memory (RAM) changes over time. A memory dump is a snapshot of what is resident in RAM, such as processes, network connections, cached data, and sensitive information. Working with the dumps taught me about the volatility of memory and how data structures in RAM change over time. Such analysis is key in digital forensics, cybersecurity, and even system diagnostics.

A memory dump, also called a core dump, is a snapshot of a system's memory at a given time. A memory dump contains information about malware, security breaches, system state and memory contents (Bachchas, 2023). There are three categories of memory dump: a complete memory dump, which records all of the system memory's contents when the computer stops unexpectedly; a small memory dump, written when the computer fails; and a mini-dump, which is a portion of a memory dump.

One tool used to create a memory dump of a Windows machine is FTK Imager. The steps are as follows: download and install FTK Imager, click File, select Capture Memory, choose a destination path and file name, decide whether to include the page file, decide whether to create an AD1 file, and click Capture Memory; this writes the contents of RAM to a storage drive as a memory dump file.

1.2 Objectives

The primary goal was to compare two memory dumps (each a snapshot of the total memory the computer was using) taken at different points in time, in this case TS1 and TS2, to determine:

1. How the dumps resemble each other.

2. The entropy or randomness of each dump.

3. Common strings or patterns within each dump.

4. Metadata around each dump, e.g. file size and most recent modification time, to get an idea of what happened and when.

5. Familiarity with dumping the system memory.

6. Digital forensics countermeasures to preserve evidence.

7. The impact of time and memory size on the volatility of evidence.

Table of Contents

1. Introduction 2
1.1 Overview 2
1.2 Objectives 3
2. Assignment Task 5
3. Sequential Process with Explanations 9
3.1 Data collection and preprocessing: Step 1 10
3.2 Step 2: You will compute the similarity 10
3.3 Step 3: Entropy Analysis 11
3.4 Step 4: Consider Reading Strings Often 12
3.5 Step 5: Metadata Extraction 12
4. Conclusion 13
4.1 Challenges and Solutions: 13
5. References 15

2. Assignment Task

In this assignment, I had to examine the TS1 and TS2 memory dumps to find significant differences between them. The key goals were:

1. Measure similarity: how much of the data in memory stays the same over time.

2. Measure entropy to determine whether each dump is random or has structure.

3. Locate frequent strings, which may give hints about running processes, cached files and memory artefacts.

4. Extract metadata relating to each dump: what the data represent, and how file size and modification time affect the results of the analysis.

The RAM Option

This project highlighted RAM analysis as an important part of capturing and analyzing volatile data. RAM is crucial for gathering forensic evidence because it holds information about live processes, currently open network connections, and sensitive information that exists only temporarily while a system is running. Compared with data residing in storage over a period of time, memory analysis shows an exact copy of the activity on a system at a specific point in time.

By examining the RAM dump, I was able to gain insight into the state of the system: the currently running processes, cached files, and even potentially sensitive information. This makes memory analysis a vital part of a complete forensic investigation.


Selecting RAM Analysis

In this project, I opted to use RAM (random access memory) analysis because it provided a more comprehensive approach to examining volatile data. RAM retains essential forensic evidence, as it captures real-time information about active processes, open network connections and ephemeral data that is only present while the computer is running. Storage-based analysis typically deals with data that is more permanent in nature; however, such analyses are based only on what resides in storage, whereas memory analysis gives an unblemished view of system activity at the time of investigation.

By examining the memory dump, I was able to determine the system's condition, including running processes, cached files and potentially sensitive information. This made it vital for an effective forensic evaluation.

Selection of TS1 for Analysis

I chose TS1 (100 MB) as the primary memory dump for analysis rather than TS2 (50 MB) because of its significantly larger size. The substantial difference in size suggested that TS1 offered a more comprehensive and lucid representation of the system's active memory, uncovering a greater number of processes and more cached data. Although TS1 was the larger option to analyze, it also provided an almost complete view of the system state, which would support precise results in both the similarity and entropy calculations.

However, TS1 appeared to depict an earlier system snapshot, barring any modifications, dating back to 2014; this created an intriguing contrast with the more recent TS2. The comparison presented a valuable opportunity to observe how the system state might evolve over time and to unveil insights regarding the volatility of memory and the progression of the system.

RS1 and RS2 represent fixed memory reference states in this project, with RS1 set at 4 GB and RS2 calculated as a scaled value of 16 GB. They establish a baseline and an expanded memory reference for comparison or performance measurement in the analysis. TS1 and TS2 are time-based metrics, with TS1 set to 10 minutes as an initial waiting or processing duration, and TS2 derived as 160 minutes by scaling TS1. These values (RS1, RS2, TS1, and TS2) let the project standardize memory and time benchmarks, creating a consistent framework for analyzing memory dump data and assessing how memory and time utilization vary across different states or conditions in the system. Using them offers a structured approach to evaluating and comparing memory usage and processing time under defined scenarios.

Stepwise Sequences with Text

Loading the memory dumps

I started with the TS1 and TS2 memory dumps. Because of the size of TS1, I had to break the entire dump into manageable pieces so that it was not a performance concern. Each dump was loaded and processed chunk by chunk so that I could examine it without running out of system memory.

Similarity Calculation

The comparison between TS1 and TS2 was based on the CRC32 hash of each chunk of both dumps. This hash-based comparison of data chunks was fast and identified matching and duplicate blocks of data. A similarity result of 0.00% meant that the two dumps contained no common blocks of data. This emphasized how much RAM data can change in a matter of seconds.

Entropy Analysis

Next I computed the entropy of both dumps, so that the randomness of each file could be measured. Entropy values reflect the structure of the data: higher values mean more randomness, which typically indicates encrypted or compressed data. The average entropy was 3.77 for TS1 and slightly higher for TS2, at 3.96. These moderate values indicate a mix of structured and random information, as would be expected in dumps containing application data and system structures.

Frequent String Analysis

Next I took the 10 most common strings from each memory dump. Frequently repeated strings can point to cached content or memory structures. TS1's most common strings were control characters and short ASCII strings, encoding in-memory structures or repeated data. TS2, being smaller, showed the same kind of short sequences but fewer of them, consistent with system and application data structures.

Metadata Extraction

Finally, I extracted metadata for each dump, including file size and last modification date. TS1

must have produced a more extensive system snapshot owing to its bigger size of 780 MB and

older timestamp (back in 2014). In contrast, TS2 is small at 50 MB and more recently edited to

be relatively smaller. The differences in such metadata provided context while interpreting the

other analyses, helping me make sense of why similarity is low and entropy values could differ.

3. Sequential Process with Explanations

DATA SAMPLES THROUGH ANALYSIS

3.1 Data collection and preprocessing: Step 1

What I did: I loaded the TS1 (100 MB) and TS2 (50 MB) dumps in chunks for ease of processing.

Reason: these files were quite large, so processing them in chunks avoided high memory consumption. Sampling pieces from each chunk also helped performance.

Insights: The large difference in size between TS1 and TS2 suggested that TS2 may contain only a fraction of the memory, which can affect both the similarity and entropy calculations (Zlib — Compression Compatible with Gzip, n.d.).

3.2 Step 2: You will compute the similarity

What I did: I computed the similarity between TS1 and TS2 by hashing each chunk with a fast CRC32 hash and comparing the hashes.

Reason: When working with huge files and comparing them chunk by chunk, the hash needs to be fast, and CRC32 is much faster than MD5 or SHA-1.

Results: TS1 and TS2 were 0.00% similar (no identical chunks). This indicates that the data in RAM changed considerably between the times the dumps were taken, due to differences in system state, memory usage and application activity.

3.3 Step 3: Entropy Analysis

Action taken: I calculated the entropy of each chunk using parallel processing, then averaged the chunk values for each dump.

Reason: Entropy measures how random the data is; the larger the entropy, the more random the data. It may offer a hint as to whether the data is encrypted or compressed (Weidemann & Stear, 2004).

Findings:

TS1 entropy: 3.77
TS2 entropy: 3.96

Moderate entropy, slightly higher in TS2. This indicates TS2 might contain more random or volatile data, though both values are in the mid-range typical of memory dumps.

3.4 Step 4: Consider Reading Strings Often

Measures: I pulled all printable ASCII sequences from each chunk to look for signatures or artifacts.

Reason: common strings should indicate useful information such as cached file paths, IP addresses and application data (Matplotlib, 2012).

Findings:

TS1: The most frequent strings were control characters and short text sequences that represent system or application information.

TS2: Similar strings, though fewer because of the smaller file size. This pattern indicates similar structures or cached content in RAM.

3.5 Step 5: Metadata Extraction

What I did: Obtained the file size and last-modified date for each dump file.

Rationale: Metadata gives the dates and times at which the dumps were captured, as well as the number of dumps, which can affect the results of the analysis.

Findings:

TS1 was 100 MB and last modified in 2014, showing it might be an archived dump.

TS2 was 50 MB and modified on the current date, suggesting it was a recent snapshot of the system's active memory.

This difference in size and modification date aligns with the observed dissimilarity and the unique characteristics found in each dump (Python, 2020).

Memory size    TS1 (10 minutes idle)    TS2
RS1            0.10                     0.10
RS2            0.05                     0.39
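The chunked CRC32 similarity, per-chunk Shannon entropy and frequent-string steps described above, as an added Python example that is not part of the original report (the chunk size, the sample byte strings and the PRNG seed are constructed assumptions). It goes one step beyond the report by showing that fixed-offset chunk hashing reports 0% similarity for identical content shifted by a single byte, which is worth keeping in mind when interpreting the 0.00% result.

```python
import math
import random
import re
import zlib
from collections import Counter

CHUNK = 1024  # assumed chunk size; the report does not state the size it used

def chunks(data, size=CHUNK):
    return [data[i:i + size] for i in range(0, len(data), size)]

def crc32_similarity(a, b, size=CHUNK):
    """Fraction of a's fixed-offset chunks whose CRC32 also occurs among b's chunks."""
    hashes_b = {zlib.crc32(c) for c in chunks(b, size)}
    ca = chunks(a, size)
    return sum(zlib.crc32(c) in hashes_b for c in ca) / len(ca)

def shannon_entropy(buf):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    n = len(buf)
    return -sum(k / n * math.log2(k / n) for k in Counter(buf).values()) if n else 0.0

def mean_chunk_entropy(data, size=CHUNK):
    cs = chunks(data, size)
    return sum(shannon_entropy(c) for c in cs) / len(cs)

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # printable ASCII runs of 4+, as `strings` does

def frequent_strings(data, top=10):
    return Counter(PRINTABLE.findall(data)).most_common(top)

# Constructed sample "dumps": a repeated NUL-terminated path (structured, cache-like data)
# followed by pseudo-random bytes (what compressed or encrypted data looks like).
PATH = b"C:\\Windows\\System32\\ntdll.dll\x00"
_rng = random.Random(7)  # fixed seed so the sample is reproducible
_rand = lambda n: bytes(_rng.getrandbits(8) for _ in range(n))
STRUCTURED = (PATH * 80)[:2 * CHUNK]
TS1 = STRUCTURED + _rand(2 * CHUNK)           # 4 chunks: two structured, two random
TS2 = STRUCTURED[:CHUNK] + _rand(3 * CHUNK)   # shares exactly one chunk with TS1
TS1_SHIFTED = b"\x00" + TS1[:-1]               # same bytes as TS1, offset by one

def run_demo():
    return {
        "sim_ts1_ts2": crc32_similarity(TS1, TS2),          # 0.25: one of four chunks matches
        "sim_shifted": crc32_similarity(TS1, TS1_SHIFTED),  # 0.0: chunk hashing is alignment-sensitive
        "entropy_structured": shannon_entropy(STRUCTURED[:CHUNK]),
        "entropy_random": shannon_entropy(TS1[-CHUNK:]),
        "mean_entropy_ts1": mean_chunk_entropy(TS1),
        "top_string": frequent_strings(TS1, 1)[0],          # (b'C:\\Windows\\System32\\ntdll.dll', 68)
    }
```

On real dumps, read the file in fixed-size blocks instead of holding it in memory; CRC32 is fine for spotting identical blocks but, not being collision resistant, it should not be used to assert that two differing blocks are equal.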

4. Conclusion

Through this memory dump analysis, the volatility of RAM content at a given time was evaluated over time for the first time. The analyses comparing TS1 and TS2 showed little data overlap between the two time points, with an SR value of 0.00% indicating strong transience of memory data across time points. Entropy analysis indicated moderate randomness for both dumps, with TS2 demonstrating slightly higher entropy, possibly because of more dynamic or active data. As for automated analysis, the frequent string analysis found common control characters and sequences, which almost invariably represent structured data, cached content, or some sort of memory artifact.

4.1 Challenges and Solutions:

Size and Performance: Large memory dumps needed a lot of memory and CPU to process. So I adapted my approach to chunked sampling and applied parallel processing to accommodate more data.

Identifying meaningful patterns in the frequent strings and entropy values required careful analysis (Markić et al., 2020). Control characters and repetitive text patterns are representations of uninitialized or structured memory.

Overall Observations:

Memory dumps can vary extremely between different times or different sessions on the same OS, so a similarity score of 0 makes complete sense here (Memory Dump File - an Overview | ScienceDirect Topics, n.d.).

Entropy and highly ordered strings help us understand the structure and randomness of memory data; however, the results depend on the measured data and file size.

Through the project, I gained a deeper understanding of memory volatility and how it impacts digital forensics. This exercise illustrated the dynamic nature of RAM, emphasizing the importance of timing and context in memory analysis (Dynamic Nature of Memory - an Overview | ScienceDirect Topics, n.d.).


5. References

Weidemann, H. L., & Stear, E. B. (2004). Entropy analysis of parameter estimation. Information and Control, 14(6), 493–506. https://doi.org/10.1016/S0019-9958(69)90279-4

zlib — Compression compatible with gzip. (n.d.). Python Documentation. https://docs.python.org/3/library/zlib.html

Matplotlib. (2012). Matplotlib: Python plotting — Matplotlib 3.1.1 documentation. Matplotlib.org. https://matplotlib.org/

Python. (2020). The Python Standard Library — Python 3.8.1 documentation. Python.org. https://docs.python.org/3/library/index.html

Memory Dump File - an overview | ScienceDirect Topics. (n.d.). Www.sciencedirect.com. https://www.sciencedirect.com/topics/computer-science/memory-dump-file

Dynamic Nature of Memory - an overview | ScienceDirect Topics. (n.d.). Www.sciencedirect.com. https://www.sciencedirect.com/topics/psychology/dynamic-nature-of-memory

Markić, I., Štula, M., Zorić, M., & Stipaničev, D. (2020). Entropy-Based Approach in Selection Exact String-Matching Algorithms. Entropy, 23(1), 31. https://doi.org/10.3390/e23010031

Bachchas, K. S. (2023, May 14). RAM dump: Understanding its importance and the process. Cybersecurity.att.com. https://cybersecurity.att.com/blogs/security-essentials/ram-dump-understanding-its-importance-and-the-process
