Abstract
Kickstarted by the Digital Forensic Research Workshop (DFRWS) conference in 2005, modern memory analysis is now one of the most active areas of computer forensics, and it mostly focuses on techniques to locate key operating system data structures and extract high-level information. These techniques work on the assumption that the information inside a memory dump is consistent and that the copy of the physical memory was obtained in an atomic operation.
Unfortunately, this is seldom the case in real investigations, where software acquisition tools record information while the rest of the system is running. Since the content of the memory changes very rapidly, the resulting memory dump may contain inconsistent data. While this problem is known, its consequences are unclear and often overlooked. Worse, the errors can be very subtle and can affect the results of an analysis in ways that are difficult to detect.
In this article, we argue that memory forensics should also consider the time in which each piece of data was acquired. This new temporal dimension provides a preliminary way to assess the reliability of a given result and opens the door to new research directions that can minimize the effect of the acquisition time or detect inconsistencies. To support our hypothesis, we conducted several experiments to show that inconsistencies are very frequent and can negatively impact an analysis. We then discuss modifications we made to popular memory forensic tools to make the temporal dimension explicit during the analysis and to minimize its effect by resorting to a locality-based acquisition.
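The non-atomic acquisition problem described above, as an added, constructed simulation (not the paper's code or any forensic tool's): a dumper copies one page per tick while the running system rewires a linked list that spans several pages, every page is stamped with the tick at which it was copied, and a list walk reports the acquisition-time span of the pages it crossed. The second acquisition order dumps the pages a page points into back to back, in the spirit of the locality-based acquisition the abstract mentions; all sizes, addresses and the mutation are assumptions chosen for the illustration.

```python
"""Toy model of a non-atomic memory dump. A constructed 8-page 'physical
memory' holds a linked list (one node per page); the dumper copies one page
per tick while the system keeps running, and each page is stamped with the
tick at which it was acquired. Added illustration, not the paper's code."""
PAGE, NPAGES = 4, 8          # constructed: 4 pointer-sized cells per page
FREE, END = 0xFF, -1         # cell markers: unused memory / end of list

def fresh_memory():
    mem = [FREE] * (PAGE * NPAGES)
    for addr, nxt in [(0, 13), (13, 25), (25, 6), (6, END)]:  # pages 0,3,6,1
        mem[addr] = nxt
    return mem

def system_activity(mem, tick):
    """Constructed activity: at tick 4 node 25 is freed and node 28 replaces it."""
    if tick == 4:
        mem[13], mem[28], mem[25] = 28, 6, FREE

def acquire(locality):
    """Copy all pages, one per tick. Address order by default; with
    locality=True, pages the copied page points into are dumped next."""
    mem, dump, acquired_at = fresh_memory(), {}, {}
    pending = list(range(NPAGES))
    for tick in range(NPAGES):
        system_activity(mem, tick)          # the system runs between copies
        page = pending.pop(0)
        dump[page] = mem[page * PAGE:(page + 1) * PAGE]
        acquired_at[page] = tick
        if locality:
            for target in dump[page]:
                if target not in (FREE, END) and target // PAGE in pending:
                    pending.insert(0, pending.pop(pending.index(target // PAGE)))
    return dump, acquired_at

def walk_list(dump, acquired_at, head=0):
    """Follow the list inside the dump and report, next to the result, the
    acquisition ticks of the pages it crossed (the temporal dimension)."""
    nodes, times, addr, bad_pointer = [], [], head, None
    while addr != END:
        page = addr // PAGE
        if page not in dump:                # stale link read from freed memory
            bad_pointer = addr
            break
        nodes.append(addr)
        times.append(acquired_at[page])
        addr = dump[page][addr % PAGE]
    return {"nodes": nodes, "times": times, "bad_pointer": bad_pointer,
            "span": (max(times) - min(times)) if times else 0}
```

In the address-order dump the walk crosses pages acquired six ticks apart and ends in a stale pointer, while the locality order captures the whole list within three consecutive ticks and the walk succeeds.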
Index Terms
- Introducing the Temporal Dimension to Memory Forensics