Memory analysis is an essential method of electronic evidence discovery. It allows computer forensics to decrypt hard disks and files and extract encryption keys and passwords.
Passware Bootable Memory Imager is a UEFI compatible tool that runs from a bootable USB drive and acquires memory images of Windows, Linux, and Mac computers.
The tool allows users to acquire a memory image after a warm boot or cold boot of the target machine. Warm boot memory acquisition may contain passwords and encryption keys for hard drives protected with Bitlocker or other full disk encryption. For example, the tool can be used against hard drives encrypted with Bitlocker TPM protector or APFS/FileVault without T2 chip inside (does not support Macs with T2 or M1).
The overall steps are as follows:
- Create a bootable USB with Passware Bootable Memory Imager
- Perform warm-boot and acquire a memory image
- Analyze the acquired memory image for encryption keys and other artifacts
Passware memory imager leaves a small memory footprint so it can be run while minimizing the volatile data that is overwritten in memory. The memory is acquired before the boot of the operating system, allowing it to be used on 64-bit Windows, Linux, and Mac computers.
Create a bootable USB
Launch Passware Kit Forensic as Administrator. On the Start Page, click Memory Analysis and follow the on-screen instructions to create a Memory Imager USB.
NOTE: USB should be formatted with MBR partition table.
Perform warm-boot and acquire a memory image
Now a warm-boot of the target machine is required for Passware Memory Imager to start from the USB drive. Warm-boot procedure differs from system to system:
- Personal Computer (PC)
- Macintosh (MAC)
1. Connect the Passware Memory Imager USB to the target machine.
2. Perform warm-boot using the hardware Reboot/Reset button.
NOTE: Soft boot like Ctrl+Alt+Del or Shutdown might erase all encryption keys from the memory. Moreover, BIOS passwords and other built-in security pre-boot options might be insoluble obstacles for acquiring live memory images.
3. Set BIOS to boot from a bootable USB drive.
NOTE: Google the target system for exact instructions on setting it up to boot from the USB drive.
3.1. If Secure Boot is enabled, check out the following instructions. Alternatively, disable the Secure Boot option in BIOS before booting from the created bootable USB drive.
PCs with Secure Boot enabled
If Secure Boot is enabled, the warm-boot steps should be as follows:
- After the boot from a bootable USB a blue screen with the message ERROR – Verification failed: (15) Access Denied appears.
- Press Enter to continue.
- In the Shim UEFI key management screen, press any key to perform MOK management.
- On the Perform MOK management screen, choose Enroll hash from disk and press Enter to continue.
- The next Select Binary screen lists the partitions. Select the Passware MI partition of the AIO Boot, which contains the file /EFI/BOOT/grubx64.efi.
- Press Enter and browse for the file grubx64.efi. Select grubx64.efi from the list and press Enter to continue.
- On the next screen [Enroll MOK] choose Continue.
- On the screen [Enroll the key(s)] choose Yes.
- Perform MOK management screen from step #3 appears.
- Perform the warm-boot using the hardware Reboot/Reset button.
- Connect the Passware Memory Imager USB to the target machine
- Press Command + Control + Power
- Hold the Option key during startup. It allows booting from a USB drive.
If all steps are performed correctly, the memory image and log file of the acquisition process will be saved on the Passware Memory Image USB. Use the “Reboot” or “Shut down” action as needed.
IMPORTANT NOTE: In most cases, there is only one attempt to try warm-boot memory acquisition while the keys reside in memory.
To extract passwords from the acquired memory image, click Memory Analysis on the Start Page. Browse for any of the 2GB memory image parts from the Passware Memory Imager USB and select the options to try. Click Next to start the analysis.
To analyze the acquired image for the FDE encryption keys, click Full Disk Encryption on the Start Page. Choose the encryption type and click the "I have a memory image" tab. In the Physical memory image file field, click Browse... and locate any one of the 2GB memory image parts from the Passware Memory Imager USB (other parts will be parsed automatically). Browse for the encrypted volume image and specify the destination file. Click Decrypt.
If you need to use it with other memory analyzing software, you will have to cut the first 64 bytes from each of the memory 2GB segments and then merge them into one file in the order they are numbered.
For more information on FDE decryption, refer to the following articles: