Memory forensics is forensic analysis of a computer's memory dump. Its primary application is investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive. Consequently, the memory (RAM) must be analyzed for forensic information.


History


Zeroth generation tools

Prior to 2004, memory forensics was done on an ''ad hoc'' basis, using generic data analysis tools like strings and grep. These tools were not specifically created for memory forensics, and are therefore difficult to use and provide limited information; in general, their primary use is to extract text from the memory dump. Many operating systems provide features for kernel developers and end-users to create a snapshot of physical memory, either for debugging purposes (a core dump, or the crash dump written at a Blue Screen of Death) or for user convenience (hibernation). In the case of Microsoft Windows, crash dumps and hibernation have been present since Windows NT. Microsoft crash dumps have always been analyzable with Microsoft WinDbg, and Windows hibernation files (hiberfil.sys) are nowadays convertible into Microsoft crash dumps using utilities like MoonSols Windows Memory Toolkit, designed by Matthieu Suiche.


First generation tools

In February 2004, Michael Ford introduced memory forensics into security investigations with an article in SysAdmin Magazine (Ford 2004). In that article, he demonstrated analysis of a memory-based rootkit. The process used the existing Linux crash utility as well as two tools developed specifically to recover and analyze the memory forensically, memget and mempeek. In 2005, DFRWS issued a Memory Analysis Forensics Challenge (DFRWS 2005). In response to this challenge, more tools in this generation, specifically designed to analyze memory dumps, were created. These tools had knowledge of the operating system's internal data structures, and were thus capable of reconstructing the operating system's process list and process information. Although intended as research tools, they proved that operating-system-level memory forensics is possible and practical.
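The difference between the two generations described above, text extraction with strings-style tools versus parsing the operating system's own process structures, can be shown on a small constructed memory image. The Python below is an added example written for this page; it is not code from the page, from Ford's memget/mempeek, or from any other tool named here. The process record layout, its offsets and tag bytes, the process names and the whole image are made up for the illustration (real tools take the EPROCESS or task_struct layout from symbols for the exact kernel build). The final cross-view check goes slightly beyond the text: it carves every record by signature and compares that set with the walked list, which is how a record that a rootkit has unlinked from the list is noticed.

```python
import re
import struct

# Constructed layout of one hypothetical process record (NOT a real Windows
# EPROCESS or Linux task_struct; the offsets and tag are invented for this example).
#   0x00 4s  tag   b"PROC"
#   0x04 I   pid
#   0x08 I   ppid
#   0x0C I   flink  image offset of the next record in the circular list
#   0x10 I   blink  image offset of the previous record
#   0x14 16s NUL-padded image name
REC_FMT = "<4sIIII16s"
REC_SIZE = struct.calcsize(REC_FMT)   # 36 bytes
TAG = b"PROC"
LIST_HEAD = 0x40                      # offset of the "System" record that anchors the list


def pack_record(pid, ppid, flink, blink, name):
    return struct.pack(REC_FMT, TAG, pid, ppid, flink, blink, name.ljust(16, b"\0"))


def build_image():
    """Constructed 1 KiB memory image: three processes on the circular list plus
    one record that a rootkit has unlinked from it (the classic DKOM hiding trick)."""
    img = bytearray(0x400)
    img[0x40:0x40 + REC_SIZE] = pack_record(4,    0,    0x80, 0xC0, b"System")
    img[0x80:0x80 + REC_SIZE] = pack_record(1234, 4,    0xC0, 0x40, b"explorer.exe")
    img[0xC0:0xC0 + REC_SIZE] = pack_record(1300, 1234, 0x40, 0x80, b"cmd.exe")
    # Unlinked record: its own pointers are stale, but no linked record points to it.
    img[0x100:0x100 + REC_SIZE] = pack_record(1400, 1234, 0xC0, 0x80, b"evil.exe")
    # Loose text of the kind strings/grep will surface without any process context.
    path = b"C:\\Users\\bob\\Downloads\\evil.exe"
    img[0x200:0x200 + len(path)] = path
    return bytes(img)


def extract_strings(image, min_len=4):
    """Zeroth-generation approach: printable ASCII runs, like strings(1).
    Names come out, but nothing ties them to a PID, a parent or a list position."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image)]


def parse_record(image, off):
    tag, pid, ppid, flink, blink, name = struct.unpack_from(REC_FMT, image, off)
    if tag != TAG:
        raise ValueError("no record at 0x%x" % off)
    return {"offset": off, "pid": pid, "ppid": ppid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode()}


def walk_process_list(image, head=LIST_HEAD):
    """First-generation approach: follow the kernel's linked list exactly as a
    live ps would. The visited set guards against a corrupted or looping list."""
    procs, seen, off = [], set(), head
    while off not in seen:
        seen.add(off)
        rec = parse_record(image, off)
        procs.append(rec)
        off = rec["flink"]
    return procs


def scan_records(image):
    """Carve every record by its tag regardless of list membership
    (the idea behind signature/pool scanning)."""
    found, pos = [], image.find(TAG)
    while pos != -1:
        if pos + REC_SIZE <= len(image):
            found.append(parse_record(image, pos))
        pos = image.find(TAG, pos + 1)
    return found


def hidden_processes(image, head=LIST_HEAD):
    """Cross-view check: carved but not walked means unlinked (or a damaged list)."""
    linked = {p["offset"] for p in walk_process_list(image, head)}
    return [p for p in scan_records(image) if p["offset"] not in linked]


def list_is_consistent(image, head=LIST_HEAD):
    """Every walked node's successor must point back to it."""
    for p in walk_process_list(image, head):
        if parse_record(image, p["flink"])["blink"] != p["offset"]:
            return False
    return True


if __name__ == "__main__":
    img = build_image()
    print("strings:", extract_strings(img))
    for p in walk_process_list(img):
        print("linked  pid=%-5d ppid=%-5d %s" % (p["pid"], p["ppid"], p["name"]))
    for p in hidden_processes(img):
        print("HIDDEN  pid=%-5d ppid=%-5d %s" % (p["pid"], p["ppid"], p["name"]))
```

Running it shows the contrast: the strings pass returns "evil.exe" and its download path but cannot say whether that name belongs to a running process, while the structured walk yields PIDs and parents for System, explorer.exe and cmd.exe only; the carved set holds a fourth record, and the difference between the two views is the unlinked process. On a real image the same comparison is done with kernel-specific layouts rather than the invented tag used here.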


Second generation tools

Subsequently, several memory forensics tools were developed intended for practical use. These include both commercial tools like Responder PRO, Memoryze, MoonSols Windows Memory Toolkit, winen and Belkasoft Live RAM Capturer, and open source tools like Volatility. New features have been added, such as analysis of Linux and Mac OS X memory dumps, and substantial academic research has been carried out. Unlike Microsoft Windows, Mac OS X memory forensics is a relatively new area of interest; it was only initiated by Matthieu Suiche in 2010 at the Black Hat Briefings security conference. Currently, memory forensics is a standard component of incident response.


Third generation tools

Since 2010, more utilities have appeared that focus on the visualization aspect of memory analysis, such as MoonSols LiveCloudKd, presented by Matthieu Suiche at the Microsoft BlueHat Security Briefings. It inspired a new feature in Microsoft LiveKd, written by Mark Russinovich ("LiveKd for Virtual Machines Debugging"), that allows virtual machine introspection: the memory of a guest virtual machine is accessed from the host in order either to analyze it directly with Microsoft WinDbg or to acquire a memory dump in the Microsoft crash dump file format.


References

Ford, Michael (2004). "Linux Memory Forensics". SysAdmin Magazine.
DFRWS (2005). DFRWS 2005 Forensics Challenge.
"LiveKd for Virtual Machines Debugging".