Abstract
This work discusses shortcomings of current forensic acquisition tools aimed at securing volatile data. Recent developments in the area of anti-forensics have effectively disabled current forensic methods. The development of new methods for sound forensic acquisition of volatile data is necessary to keep up with the arms race. After an overview of current hardware-based and software-based acquisition methods, attacks and evasion techniques are presented. In conclusion, novel techniques for coping with anti-forensics are discussed.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Eschweiler, S., Gerhards-Padilla, E. (2012). Towards Sound Forensic Acquisition of Volatile Data. In: Aschenbruck, N., Martini, P., Meier, M., Tölle, J. (eds) Future Security. Future Security 2012. Communications in Computer and Information Science, vol 318. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33161-9_43
DOI: https://doi.org/10.1007/978-3-642-33161-9_43
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33160-2
Online ISBN: 978-3-642-33161-9
eBook Packages: Computer Science (R0)