Forensic Investigators Rethinking How they Analyze Memory

Cybercrime is constantly evolving. At the recent Shmoocon 2014, presenters described a proof-of-concept tool that lets cybercriminals manipulate the physical memory of computing equipment, which does far more than disrupt an investigation. Read on for key highlights from an interview with the presenters, and for where digital recording technology is heading in order to combat this new wave of crime.


TechRepublic explains that at the end of January, when Shmoocon 2014 took place, Jacob Williams and Alissa Torres described a concept tool that would allow cybercriminals to cover their tracks by altering the contents of a computer’s memory.

So how is it possible to manipulate information stored in a computer’s memory and why is that of interest to law enforcement and other upholders of the law?

  • For one, manipulating information in a computer’s memory allows cybercriminals to cover their tracks and mislead investigators.
  • Secondly, outcomes in court are significantly impacted, leading sometimes to cases that can’t be closed or cases in which justice isn’t adequately served.
  • And thirdly, as investigative equipment becomes more sophisticated, software writers are learning more and more about mitigating these threats by implementing code that counters such designs.

Alissa Torres started off by showing the audience a proof of concept that demonstrated the ease with which cybercriminals could fake information trails, and the information itself.

In their interview, Williams and Torres take turns explaining the far-reaching implications of this threat for investigators’ work.

Williams: “ADD (Torres’s proof-of-concept tool) allows an attacker to preposition fake files, network connections, and processes in memory. If the computer is confiscated and a memory dump is obtained by a forensic analyst, the fake artifacts could send the analyst on a wild goose chase searching for files that do not exist. A much scarier proposition is that an attacker might insert fake artifacts that attribute the attack to another cybercrime group or nation state.

The mere existence of anti-forensics tools like ADD is an alert that analysts need to validate their findings.

As far as whether this tool or something like it is already out there, Williams had this to say:

Williams: It’s hard to say whether the bad guys are currently using tools like ADD. But if I had to guess, I’d say advanced adversaries (cybercrime groups and nation-states, for example) are already using similar techniques. As for knowing, we won’t see the fake artifacts, unless we specifically look for them. That’s the real contribution of ADD—to expose the possibility of forging artifacts in a demonstrable way.”
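The point Williams makes above, that planted artifacts stay invisible unless an analyst specifically looks for them, translates into a concrete working habit: never trust a single enumeration of a memory image. The following is an added example written for this article, not code from the presenters or from the ADD tool. It cross-checks process and connection artifacts taken from several independent views of a memory dump (the views, PIDs, names and addresses are all constructed sample data) and flags anything that only one view can vouch for.

```python
"""Cross-validate process and connection artifacts from a memory image.

Each dictionary below stands in for the output of a different memory
forensics technique: walking the OS's active-process list, scanning
the dump for process objects by their pool tag, and enumerating the
threads that reference each process. A genuine process normally shows
up in all three; a hidden (unlinked) or fabricated one does not.
All sample data is constructed for this example."""
from collections import defaultdict

# Constructed view 1: PID -> name from walking the active-process list.
LIST_WALK = {4: "System", 420: "svchost.exe", 1337: "backup.exe"}
# Constructed view 2: PID -> name from scanning memory for process objects.
POOL_SCAN = {4: "System", 420: "svchost.exe", 1337: "backup.exe", 2222: "lsass.exe"}
# Constructed view 3: PID -> number of threads found that belong to it.
THREAD_COUNTS = {4: 120, 420: 14, 2222: 9}
# Constructed network artifacts: (local, remote, owning PID).
CONNECTIONS = [("10.0.0.5:49152", "203.0.113.7:443", 420),
               ("10.0.0.5:49153", "198.51.100.9:4444", 9999)]


def cross_validate(list_walk, pool_scan, thread_counts):
    """Return {pid: [reasons]} for every process that fails corroboration."""
    findings = defaultdict(list)
    for pid in sorted(set(list_walk) | set(pool_scan)):
        in_list, in_scan = pid in list_walk, pid in pool_scan
        if in_list and not in_scan:
            findings[pid].append("listed as active but no process object found")
        if in_scan and not in_list:
            findings[pid].append("process object found but unlinked from active list")
        if in_list and in_scan and list_walk[pid] != pool_scan[pid]:
            findings[pid].append("name differs between views")
        if thread_counts.get(pid, 0) == 0:
            # A process nothing executes in is a strong sign of a planted artifact.
            findings[pid].append("no threads reference this process")
    return dict(findings)


def orphaned_connections(connections, list_walk, pool_scan):
    """Connections whose owning PID is unknown to every process view."""
    known = set(list_walk) | set(pool_scan)
    return [conn for conn in connections if conn[2] not in known]


if __name__ == "__main__":
    for pid, reasons in cross_validate(LIST_WALK, POOL_SCAN, THREAD_COUNTS).items():
        print(f"PID {pid}: validate manually: {'; '.join(reasons)}")
    for local, remote, pid in orphaned_connections(CONNECTIONS, LIST_WALK, POOL_SCAN):
        print(f"connection {local} -> {remote} claims owner PID {pid}, which no view knows")
```

Each flagged item is a lead for manual validation, not a verdict: the value of the check is that a planted process or connection has to be consistent across every structure the analyst compares, which is far harder to forge than any single list.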

In the field of justice and in the courtroom, it is paramount to ensure that information and evidence brought to court is accurate and has not been tampered with.

Investigators have to stay up to speed on new threats, both potential and real, and cybercrime, which is on the rise, presents a whole new world of challenges.

iRecord, in its commitment to remove the barriers of complexity when it comes to investigative digital audio and recording equipment, implements the most recent in tamper-proof programs. In the courtroom, iRecord’s track record is absolutely perfect.

Experts, prosecutors, judges and other essential officials don’t have to spend extensive time validating whether submitted evidence has been falsified or tampered with. From start to finish, iRecord’s product is reliable, secure and one that investigators can fall back on repeatedly.

That, in the end, may give forensic investigators more time to spend validating potential cybersecurity threats in other computing cases.

To learn more about iRecord’s solution, request more information today or contact us.
