It’s a Thursday evening, and happy hour begins in a few minutes. You’re ready to get out of the office, as quickly as possible. You’ve been working on a report, and you know you still have work to do in the morning. So you lock your machine. It’s safe enough, right? You’ve got a strong password and full disk encryption. Ophcrack or a bootable Linux distro like Kali won’t work. You’d think you’d be fine, but you’d be wrong. More and more, attackers are using blended attacks to get the good stuff, and that includes utilizing the latest in forensic techniques.
There is a single section of your computer full of unencrypted sensitive information any attacker would love to get their hands on: your active memory. The system stores all manner of valuable information in memory for easy reference. Full disk encryption mechanisms must store encryption keys within memory somewhere. The same is true for Wi-Fi encryption keys. Windows keeps the registry hives in memory, and consequently the System and SAM hives. Most clipboards are stored within memory. Many applications keep passwords within memory. The point is, memory houses much of the valuable information that the system needs at a moment’s notice. Getting to it requires using some of the same forensics techniques employed by attackers. This article helps add some of those techniques to your pentesting toolkit.