Memory Forensics and Incident Response: Why it’s needed.

Memory forensics and why it’s so important to incident response

Memory forensics is the process of analyzing the volatile data captured in a dump of a computer’s memory (RAM). Almost everything the system does passes through RAM at some point, so a memory image can contain:

  • Processes and threads
  • Malware (including code that was never written to disk)
  • Network sockets, URLs, IP addresses
  • Open files
  • User-generated content
  • Passwords, caches, clipboard contents
  • Encryption keys
  • Hardware and software configuration
  • Windows registry keys and event logs

RAM is the working memory through which the CPU and the operating system exchange everything they do, which is why it holds so much evidence. Memory analysis has big advantages: identifying malicious software activity, reconstructing and tracking recent activity on the system, and collecting evidence that exists nowhere else, such as the live network connections, encryption keys and unsaved user content listed above (super valuable).
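As an added example that is not part of the original post, the Python script below shows the simplest form of this analysis: carving printable strings, URLs, IP addresses, loaded executables and credentials out of a raw memory image. The "memory image" here is a constructed byte blob that imitates fragments of a Windows RAM capture (a loaded PE image, a URL stored as UTF-16LE, a connection string, a Basic-auth header); real dumps are gigabytes and are normally analysed with a framework such as Volatility, which this script does not replace.

```python
import base64
import re
import struct
from typing import Dict, List

# Byte patterns carved from the raw image. Windows keeps most user-facing text
# (command lines, URLs typed into a browser, registry values) as UTF-16LE, so an
# ASCII-only scan misses a large share of what is actually in RAM.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BASIC_AUTH_RE = re.compile(r"Authorization: Basic ([A-Za-z0-9+/=]+)")
EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def _build_sample_dump() -> bytes:
    """Constructed stand-in for a memory image (synthetic data, not a real capture)."""
    pe_stub = bytearray(b"MZ" + b"\x00" * 62)       # 64-byte DOS header
    pe_stub[0x3C:0x40] = struct.pack("<I", 0x40)    # e_lfanew points just past it
    pe_stub += b"PE\x00\x00"                        # NT signature: a real loaded image
    gap = b"\x00" * 4
    fragments = [
        bytes(pe_stub),
        b"MZ\x00\x00",                              # decoy "MZ" with no PE signature
        b"http://example.com/payload.bin\x00",
        "https://login.example.net/auth".encode("utf-16-le") + b"\x00\x00",
        b"Connected to 192.168.1.20:443\x00",
        b"bogus 999.1.1.1 not an address\x00",
        "cmd.exe /c whoami".encode("utf-16-le") + b"\x00\x00",
        b"Authorization: Basic dXNlcjpwYXNz\x00",   # base64 of "user:pass"
    ]
    return b"\x00" * 16 + gap.join(fragments) + b"\x00" * 12


SAMPLE_DUMP = _build_sample_dump()


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Carve printable ASCII runs and UTF-16LE runs from the raw bytes."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16LE_RUN.finditer(data)]
    return [s for s in found if len(s) >= min_len]


def valid_ipv4(addr: str) -> bool:
    """Reject regex hits such as 999.1.1.1 whose octets are out of range."""
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def find_pe_headers(data: bytes) -> List[int]:
    """Offsets of MZ headers whose e_lfanew really points at a 'PE\\0\\0' signature.
    Following e_lfanew weeds out the random 'MZ' byte pairs a plain search returns."""
    offsets = []
    for m in re.finditer(rb"MZ", data):
        base = m.start()
        if base + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
        sig = base + e_lfanew
        if sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\x00\x00":
            offsets.append(base)
    return offsets


def carve_artifacts(data: bytes) -> Dict[str, List[str]]:
    """Pull the artifact types discussed above out of the carved strings."""
    strings = extract_strings(data)
    urls, ips, creds, cmds = [], [], [], []
    for s in strings:
        urls += URL_RE.findall(s)
        ips += [ip for ip in IPV4_RE.findall(s) if valid_ipv4(ip)]
        if EXE_RE.search(s):
            cmds.append(s)
        for token in BASIC_AUTH_RE.findall(s):
            try:  # credentials sit in RAM in the clear even when TLS protects the wire
                creds.append(base64.b64decode(token, validate=True).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                pass
    return {
        "urls": sorted(set(urls)),
        "ipv4": sorted(set(ips)),
        "basic_auth": creds,
        "command_lines": cmds,
    }


if __name__ == "__main__":
    print("PE images at offsets:", find_pe_headers(SAMPLE_DUMP))
    for kind, hits in carve_artifacts(SAMPLE_DUMP).items():
        print(f"{kind}: {hits}")
```

Two details matter in practice: the UTF-16LE pass is what recovers the second URL and the command line, which an ordinary `strings` run would show only as isolated characters, and validating `e_lfanew` is what separates the one genuinely loaded image from the decoy `MZ` pair.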

As you can see, it is very difficult for a malicious actor to get away cleanly with so many footprints left in memory. The flip side is that this evidence is volatile: a reboot or power loss destroys it, so the memory image should be captured before anything else is touched on the host.

My #GCFA Training and Exam Experience

Training Journey

What a long journey it was preparing to take the GIAC Certified Forensic Analyst (GCFA) exam. I purchased this training while still pursuing my master’s degree at East Carolina University this year. This was a mistake because you only have 4 months to complete the OnDemand training and take the test. After graduating I was able to start training for the #GCFA exam. I was very surprised by how advanced the course material was; it blew my mind. I took the first practice exam in October 2019 and scored 45%; the second practice exam was taken in November 2019 and I scored 42% on that. Before the first practice test, I purchased two extensions ($389 apiece) and was granted a third due to the hurricane here in NC over the summer. Three extensions (adding 45 days each time) gave me plenty of time to study and go through the material multiple times, and I did. I purchased a third practice exam, took it and scored 52% on 12/15/2019. Exam day was set for 12/28/2019. I continued to study for the next two weeks.

I would make sure that you tab your books heavily and put every single term, tool and artifact in your index. You will need to watch the training videos at least two times. I think that the instructor could have been a little clearer in his explanations. The video delivery software could be a little bit better. Do not be afraid to look outside the course for extra resources. In my opinion, doing the labs and tabbing your books is more beneficial than anything else. Know your tool output! Overall, the information is packed tightly into this course.

Please make sure you study with all your ability, because SANS training, the GIAC exams and even the practice exams are extremely pricey to purchase. It will not serve you well to rush through the material. My advice is to take your time and really learn the material. I encourage you to use all the study time you have to properly prepare for this exam. It doesn’t matter that the test is open book, because between reading a question, looking at your index and possibly the book, you simply will not have a lot of time to do that on every question. The questions are not tricky. Either you know it or you don’t. You need to know a great deal of the material in order to pass. You need to understand the Windows OS well and you need to understand NTFS timestamps without looking this information up too much.

Exam Day Experience

I was feeling very confident even with the poor practice exam scores. I had built a pretty good index, as I was instructed to do by multiple people. I carried all of the SANS books along with the index and posters into the testing center. I was told that the posters were too big and couldn’t go into the room. I made the mistake of having the posters laminated. Some advice here: wait to laminate the posters until after testing with them. The exam was multiple choice, and that does not make it any easier. Some of the questions presented on screen to me were jumbled up.

It’s very important to understand that the questions are not tricky, but some are not clear in what they are asking. Time was my enemy. I had to rush a lot of my answers, therefore you must know your material with confidence. After months of studying, I still came up with a 61% (71% was the passing mark). I guess I did a lot better on the actual exam compared to the practice exams. The actual exam started off so well, and because of that I’m not 100% sure what went wrong. I really feel the failure was due to rushing and trying to over-verify a lot of the answers I chose. I took this exam and completed the training with no prior experience in digital forensics. With that being said, I still feel anyone can succeed at passing the exam, and I’m sure the next time I will be successful in my endeavor!

Good luck to all!