Abstract
Over the past decade, forensic investigators have made memory forensics a critical part of their investigations. Memory forensics yields substantial evidence that would otherwise be lost if the traditional “pull the plug” procedure were followed. However, physical memory is dynamic and volatile: its state changes constantly. This gives rise to challenges that reduce the reliability of physical memory forensics through a lack of correctness, completeness, accuracy, or consistency of results. While contemporary work focuses on the acquisition or analysis of memory artifacts, little work has been done to ensure reliability throughout the memory forensics process. This paper presents a critical analysis of reliability in current memory forensics and attempts to provide a thorough and systematic approach to ensuring reliability during physical memory forensics. To that end, the paper surveys the memory management aspects that are crucial for reconstructing reliable memory artifacts: the physical memory address layout, memory address spaces, memory address translation, memory access methods, and the low-level internal memory data structures on which memory forensics relies. The paper then identifies the prominent challenges faced during the memory forensics process and proposes a set of practices and suggestions to be followed or considered at the different stages of physical memory forensics. These practices, if implemented, help to achieve maximum evidence reliability. Finally, a series of experiments is performed using three widely used memory acquisition tools, FTK Imager, Magnet RAM Capture, and Belkasoft RAM Capturer, on 32 GB and 16 GB Windows 10 machines to support the proposed claims. The paper also sketches important future directions in memory forensics reliability.
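The abstract names memory address translation as one of the mechanisms on which the reliability of reconstructed artifacts depends. The following is an added illustration, not code from the paper or from any of the tools it evaluates: a four-level x86-64 page-table walk over a small raw memory image. The image, CR3 value, table entries and data bytes are all constructed for this example. The final function simulates the operating system remapping a page while a non-atomic capture is in progress, which is the kind of state change that makes the same virtual address resolve to different physical content within one image.

```python
"""x86-64 four-level page-table walk over a constructed raw memory image.

Added example, not code from the paper: it reproduces the virtual-to-physical
translation that memory-forensics tools perform when reconstructing a process's
address space from a RAM capture. All addresses, entries and data are constructed.
"""
import struct

PAGE = 0x1000
ENTRY_SIZE = 8
PRESENT = 1 << 0
RW = 1 << 1
PS = 1 << 7                       # page-size bit: 1 GiB at PDPT level, 2 MiB at PD level
ADDR_MASK = 0x000FFFFFFFFFF000    # bits 12..51: physical address of next table / frame


class TranslationError(Exception):
    """Raised when a virtual address cannot be resolved from the image."""


class PhysicalImage:
    """A raw memory capture: a flat bytearray indexed by physical address."""

    def __init__(self, size):
        self.mem = bytearray(size)

    def read_u64(self, paddr):
        if paddr + ENTRY_SIZE > len(self.mem):
            raise TranslationError(f"read outside image at {paddr:#x}")
        return struct.unpack_from("<Q", self.mem, paddr)[0]

    def write_u64(self, paddr, value):
        struct.pack_into("<Q", self.mem, paddr, value)


def translate(image, cr3, vaddr):
    """Walk PML4 -> PDPT -> PD -> PT for vaddr and return its physical address.

    Handles 1 GiB and 2 MiB large pages and raises TranslationError on a
    non-present entry, which is what an analysis tool sees for paged-out memory.
    """
    if (vaddr >> 47) not in (0, 0x1FFFF):  # canonical form: bits 47..63 all equal
        raise TranslationError(f"non-canonical address {vaddr:#x}")
    table = cr3 & ADDR_MASK
    # (index shift, large page allowed at this level)
    for shift, large_ok in ((39, False), (30, True), (21, True), (12, False)):
        index = (vaddr >> shift) & 0x1FF
        entry = image.read_u64(table + index * ENTRY_SIZE)
        if not entry & PRESENT:
            raise TranslationError(f"{vaddr:#x}: not present at level shift {shift}")
        if large_ok and entry & PS:
            page_size = 1 << shift
            return (entry & ADDR_MASK & ~(page_size - 1)) | (vaddr & (page_size - 1))
        table = entry & ADDR_MASK
    return table | (vaddr & (PAGE - 1))   # 4 KiB frame plus page offset


# Constructed layout: tables at 0x1000..0x4000, a 4 KiB frame at 0x5000,
# and a 2 MiB large page backed at physical 0x200000.
CR3 = 0x1000
VADDR_SMALL = 0x401234    # PML4[0] -> PDPT[0] -> PD[2] -> PT[1], offset 0x234
VADDR_LARGE = 0x600ABC    # PML4[0] -> PDPT[0] -> PD[3] (2 MiB page), offset 0xABC
VADDR_MISSING = 0x800000  # PD[4] left zero: not present


def build_sample_image():
    """Constructed image containing just enough page tables to walk."""
    image = PhysicalImage(0x400000)
    image.write_u64(0x1000 + 0 * ENTRY_SIZE, 0x2000 | PRESENT | RW)         # PML4[0]
    image.write_u64(0x2000 + 0 * ENTRY_SIZE, 0x3000 | PRESENT | RW)         # PDPT[0]
    image.write_u64(0x3000 + 2 * ENTRY_SIZE, 0x4000 | PRESENT | RW)         # PD[2] -> PT
    image.write_u64(0x3000 + 3 * ENTRY_SIZE, 0x200000 | PS | PRESENT | RW)  # PD[3] 2 MiB page
    image.write_u64(0x4000 + 1 * ENTRY_SIZE, 0x5000 | PRESENT | RW)         # PT[1] -> frame
    image.mem[0x5234:0x5238] = b"EVID"      # data reachable through the 4 KiB page
    image.mem[0x200ABC:0x200AC0] = b"BIG!"  # data reachable through the 2 MiB page
    return image


def read_virtual(image, cr3, vaddr, length):
    """Read bytes at a virtual address from the capture (single-page reads only)."""
    paddr = translate(image, cr3, vaddr)
    return bytes(image.mem[paddr:paddr + length])


def remap_during_capture(image):
    """Simulate the OS remapping PT[1] to a new frame while the image is being
    taken: the same virtual address now resolves elsewhere, which is why a
    non-atomic acquisition can yield inconsistent artifacts."""
    image.write_u64(0x4000 + 1 * ENTRY_SIZE, 0x6000 | PRESENT | RW)
    image.mem[0x6234:0x6238] = b"NEW!"
    return translate(image, CR3, VADDR_SMALL)


if __name__ == "__main__":
    img = build_sample_image()
    print(hex(translate(img, CR3, VADDR_SMALL)), read_virtual(img, CR3, VADDR_SMALL, 4))
    print(hex(translate(img, CR3, VADDR_LARGE)), read_virtual(img, CR3, VADDR_LARGE, 4))
    try:
        translate(img, CR3, VADDR_MISSING)
    except TranslationError as exc:
        print("not present:", exc)
```

A real analysis tool performs the same walk against the captured image using the CR3 value recovered from the process's kernel object; if the capture was not atomic, the page tables and the frames they point to may have been imaged at different moments, and the result is exactly the kind of inconsistency that `remap_during_capture` reproduces.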
Data availability
The authors confirm that the data supporting the findings of this study are available within the article. Due to the nature of this research, no supplementary or supporting data are available for this paper. No data sets were used in this research. The experiments were performed on live machines.
Acknowledgements
This work has been supported by the Department of Science and Technology (DST), Ministry of Science and Technology, Government of India, under its project grant no. DST/INSPIRE Fellowship/2017/IF170301.
Ethics declarations
Conflict of interests
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
About this article
Cite this article
Kirmani, M.S., Banday, M.T. Enhancing Reliability During Physical Memory Forensics: Strategies and Practices. SN COMPUT. SCI. 5, 201 (2024). https://doi.org/10.1007/s42979-023-02553-y