Introducing the Temporal Dimension to Memory Forensics

Published: 18 March 2019

Abstract

Kickstarted by the Digital Forensic Research Workshop (DFRWS) conference in 2005, modern memory analysis is now one of the most active areas of computer forensics, and it mostly focuses on techniques to locate key operating system data structures and extract high-level information. These techniques work on the assumption that the information inside a memory dump is consistent and that the copy of the physical memory was obtained in an atomic operation.

Unfortunately, this is seldom the case in real investigations, where software acquisition tools record information while the rest of the system is running. Since the content of the memory changes very rapidly, the resulting memory dump may contain inconsistent data. While this problem is known, its consequences are unclear and often overlooked. Moreover, the errors can be very subtle and can affect the results of an analysis in ways that are difficult to detect.

In this article, we argue that memory forensics should also consider the time in which each piece of data was acquired. This new temporal dimension provides a preliminary way to assess the reliability of a given result and opens the door to new research directions that can minimize the effect of the acquisition time or detect inconsistencies. To support our hypothesis, we conducted several experiments to show that inconsistencies are very frequent and can negatively impact an analysis. We then discuss modifications we made to popular memory forensic tools to make the temporal dimension explicit during the analysis and to minimize its effect by resorting to a locality-based acquisition.
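The following simulation, added here and not code from the article or its tool modifications, shows the two ideas of the abstract on a tiny constructed memory: each dumped page is stamped with the tick at which it was copied (the temporal dimension), and a list walk over the dump reports the tick span it crossed and whether it ran into a slot freed mid-acquisition. The page-per-tick model, the 4-slot pages, and the reading of "locality-based acquisition" as "dump the pages reachable from the structure being followed first" are assumptions of the example.

```python
# Added example (not the paper's code): a constructed linked list spread over
# 4 pages is acquired page by page while the "system" keeps mutating it.
# Each dumped page records the tick at which it was copied.
PAGE = 4          # slots per page (constructed, tiny so the walk is readable)
FREE = "FREE"     # marker for a slot that is not a live list node

def acquire(mem, order, mutations):
    """Copy pages in `order`, one per tick, applying the mutations scheduled
    for that tick first. Returns (dump, page_time)."""
    mem, dump, page_time = dict(mem), {}, {}
    for tick, page in enumerate(order):
        for addr, value in mutations.get(tick, []):   # system keeps running
            mem[addr] = value
        for addr in range(page * PAGE, (page + 1) * PAGE):
            dump[addr] = mem[addr]
        page_time[page] = tick
    return dump, page_time

def locality_order(mem, head, npages):
    """Head page first, then pages reached via live pointers, then the rest (assumed)."""
    order, addr = [], head
    while addr is not None and mem[addr] != FREE:
        if addr // PAGE not in order:
            order.append(addr // PAGE)
        addr = mem[addr]
    return order + [p for p in range(npages) if p not in order]

def walk(dump, page_time, head):
    """Walk the list in the dump: nodes reached, consistency, tick span touched."""
    nodes, ticks, addr, consistent = [], [], head, True
    while addr is not None:
        ticks.append(page_time[addr // PAGE])
        if dump[addr] == FREE:        # pointer into a slot freed mid-dump
            consistent = False
            break
        nodes.append(addr)
        addr = dump[addr]
    return {"nodes": nodes, "consistent": consistent,
            "span": max(ticks) - min(ticks)}

# Live memory (constructed): list 0 -> 13 -> 5 -> None over pages 0, 3 and 1.
LIVE = {a: FREE for a in range(4 * PAGE)}
LIVE.update({0: 13, 13: 5, 5: None})
# At tick 2 the system unlinks node 13: head now points to 5, slot 13 freed.
MUTATIONS = {2: [(0, 5), (13, FREE)]}

def compare():
    seq = walk(*acquire(LIVE, [0, 1, 2, 3], MUTATIONS), 0)
    loc = walk(*acquire(LIVE, locality_order(LIVE, 0, 4), MUTATIONS), 0)
    return seq, loc
```

With sequential page order the walk follows a pointer from a page copied at tick 0 into a page copied at tick 3 and lands on a freed slot; with the locality order the same walk stays consistent and spans fewer ticks, while the tick span itself tells the analyst how much trust to place in the result.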

Published in

ACM Transactions on Privacy and Security, Volume 22, Issue 2
May 2019
214 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3316298

      Copyright © 2019 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States

Publication History

• Received: 1 August 2018
• Accepted: 1 December 2018
• Published: 18 March 2019

      Qualifiers

      • research-article
      • Research
      • Refereed