Computer Forensics: RAM Capture Device

Matthew, Forensics

Automated RAM Capture Device

For my senior project at Cal Poly Pomona, my team and I turned to a renowned Digital Forensics specialist, Dr. Gregory Carlton, for our assignment. After thinking it over, he gave us a very challenging task: build an automated RAM capture device that could be used on a live Windows 10 workstation to capture volatile memory and analyze it in an attempt to locate or crack the encryption key. This is a major problem in Digital Forensics: an encrypted machine is unbreakable without the password or the encryption key, and the key lives only in RAM, only while the machine is powered on with the volume unlocked. Power the machine off and the key is gone.
My team was not afraid of the challenge. Initially we tried a regular USB drive with an autorun.inf file, but Microsoft was already three steps ahead and had patched the AutoRun vulnerabilities, especially for USB devices. So we went back to the drawing board. It looked like we had hit a dead end, when suddenly we had a revelation.

What if we used a device that acted like a keyboard?

Enter the Rubber Ducky:

  • What is the Rubber Ducky?
    The Rubber Ducky is a Human Interface Device (HID) with a brain. It enumerates on the USB bus as a keyboard, so the host accepts its keystrokes exactly as it would a human's, and that is how it injects a payload into the computer: by typing it. It can inject keystrokes far faster than any human could type. Payloads are written in Ducky Script, a simple scripting language, compiled into an inject.bin with the open-source encoder, and placed on the device's microSD card. With such a powerful little device at our fingertips, we knew we had found the device we needed.
  • How we used it
    We used the Rubber Ducky to our advantage. I was personally responsible for writing the script, which took hours of painstaking effort and well over 50 iterations of code. I managed to write a script that would open the Run dialog in Windows and successfully run an executable RAM capture program located on the Ducky, bypassing User Account Control (UAC). From there, the script automatically entered parameters into the RAM capture program (we used Magnet RAM Capture) and started the RAM capture, all without human intervention.
  • The Rubber Ducky's Footprint
    In Digital Forensics it is critical that evidence is captured exactly as it is found, to prevent tampering; even turning off a computer changes it. Where collecting the evidence as-is would very likely be useless (for example, an encrypted workstation), an examiner uses the least intrusive method that still yields usable evidence. Plugging in our Ducky changes registry values on the computer: Windows records every USB device it enumerates, and a memory capture tool necessarily occupies some of the very memory it is imaging. We analyzed and documented these changes so that we know exactly how the Ducky impacts a workstation.
  • After the RAM Capture
    After automating the RAM capture, we began analyzing the memory image for our "pot of gold", the encryption key. We tried many different tools, including industry standards such as Forensic Toolkit (FTK), EnCase and Autopsy, but all of them had problems. So we turned to Volatility, an open-source memory forensics framework that ships with Kali Linux. After countless failures we got it to parse the current Windows 10 build, and we found the password hashes in the in-memory SAM hive, which could be cracked using other Kali Linux tools to unlock the workstation.
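The keystroke sequence described under "How we used it", as an added example and not the team's actual payload (that lives in the report, not on this page): open the Run dialog, start an elevated command prompt, answer the UAC consent prompt, discover which drive letter Windows assigned to the Ducky's microSD card, and launch a capture tool from it, writing the image back to the same card. It assumes the Ducky runs a firmware that also exposes its microSD card as a USB mass-storage drive (the stock firmware is HID only), that the workstation is unlocked and the logged-on user is a local administrator (a standard user gets a credential prompt instead of a Yes/No consent prompt, and ALT y does nothing useful), and that capture.exe with its /o output flag is a hypothetical tool standing in for the real command line, which this example does not claim to know.

```duckyscript
REM Added example payload, not the project's own script.
REM Assumes firmware that mounts the microSD card as a drive, an unlocked desktop
REM with an administrator logged on, and a hypothetical capture.exe with an /o flag.
DELAY 3000
REM Open the Run dialog; Ctrl+Shift+Enter launches the command as administrator
GUI r
DELAY 500
STRING cmd
CTRL-SHIFT ENTER
DELAY 1500
REM The UAC consent prompt appears on the secure desktop. Hardware keyboard input
REM still reaches it, so Alt+Y selects "Yes" (consent prompt only, not a credential prompt).
ALT y
DELAY 1500
REM The drive letter Windows gives the card differs per host, so probe each candidate
REM for the capture tool and write the image back to the same card.
STRING for %d in (D E F G H I J K L M N) do @if exist %d:\capture.exe %d:\capture.exe /o %d:\%COMPUTERNAME%.raw
ENTER
```

Two things matter when tuning this. The DELAY values must be generous: a keystroke that arrives before its target window has focus is typed into whatever does have focus, which is exactly the kind of uncontrolled change an examiner has to avoid. And every step leaves a trace that belongs in the footprint documentation: the device enumeration keys under HKLM\SYSTEM\CurrentControlSet\Enum, the "cmd" entry the Run dialog records under the user's RunMRU key, and the capture process itself, which appears in the image it writes.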

Click below to download our full project report

Download the report