Memory forensics is forensic analysis of a computer's memory dump. Its primary application is investigation of advanced cyberattacks which are stealthy enough to avoid leaving data on the computer's hard drive. Consequently, the memory (e.g. RAM) must be analyzed for forensic information.
History
Zeroth generation tools
Until the early 2000s, memory forensics was done on an ad hoc basis (termed ''unstructured analysis''), often using generic data analysis tools like strings and grep. These tools are not specifically created for memory forensics, and therefore are difficult to use. They also provide limited information. In general, their primary usage is to extract text from the memory dump.
Many operating systems provide features to kernel developers and end-users to create a snapshot of the physical memory for either debugging (e.g. core dump or Blue Screen of Death) purposes or experience enhancement (e.g. hibernation). In the case of Microsoft Windows, crash dumps and hibernation had been present since Microsoft Windows NT. Microsoft crash dumps had always been analyzable by Microsoft WinDbg, and Windows hibernation files (hiberfil.sys) are nowadays convertible into Microsoft crash dumps using utilities like MoonSols Windows Memory Toolkit designed by Matthieu Suiche.
First generation tools
One significant step towards ''structured analysis'' was in a February 2004 article in SysAdmin Magazine, where Michael Ford demonstrated a more rigorous practice of memory forensics. In that article, he analyzes a memory-based rootkit utilizing the existing Linux crash utility as well as two tools developed specifically to recover and analyze the memory forensically, memget and mempeek.
In 2005, DFRWS issued a Memory Analysis Forensics Challenge. In response to this challenge, more tools in this generation, specifically designed to analyze memory dumps, were created, such as MoonSols, KntTools, the FATKit, VolaTools, and Volatility. These tools had knowledge of the operating system's internal data structures, and were thus capable of reconstructing the operating system's process list and process information. Although intended as research tools, they proved that operating system level memory forensics is possible and practical.
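As an added example (not code from the article, and not from any of the tools it names), the following Python script contrasts the two approaches described in the zeroth- and first-generation sections above: unstructured analysis that pulls printable text out of raw bytes, as strings and grep do, and structured analysis that parses the operating system's process list out of a memory image. The process-block layout, the `PROC` tag, the list-head address and the sample processes are all constructed for this example and do not correspond to any real operating system structure. It goes one step beyond the text by also carving every block from the whole image, so a process block that has been unlinked from the list (the kind of hiding a memory-based rootkit performs) is still recovered and can be compared against what the list walk reports.

```python
"""Unstructured vs. structured analysis of a constructed memory image.

Added example: the block layout below is a hypothetical toy, not any real
kernel structure.  Real tools do the same walk and scan against genuine OS
data structures, with offsets taken from a per-version profile.
"""
import re
import struct

# --- constructed toy layout (hypothetical) -----------------------------------
BLOCK_MAGIC = b"PROC"                       # tag at the start of a process block
BLOCK_FMT = "<4sIII16s"                     # magic, pid, flink, blink, name (NUL padded)
BLOCK_SIZE = struct.calcsize(BLOCK_FMT)     # 32 bytes
IMAGE_SIZE = 4096
LIST_HEAD = 0x40                            # address of the list head block
FIRST_BLOCK = 0x100                         # address of the first process block
BLOCK_STRIDE = 0x180                        # spacing between process blocks


def build_image(processes, hide_pid=None):
    """Return a constructed memory image (bytes) for a list of (pid, name).

    Every block is written to memory; the visible ones are chained into a
    circular doubly-linked list through the head at LIST_HEAD.  A block whose
    pid equals hide_pid is left out of the chain but its bytes stay in memory,
    which is what unlinking a process from the kernel's list leaves behind.
    """
    image = bytearray(IMAGE_SIZE)
    filler = b"https://example.com/demo"   # constructed unrelated printable data
    image[0x800:0x800 + len(filler)] = filler

    addrs = {pid: FIRST_BLOCK + i * BLOCK_STRIDE for i, (pid, _) in enumerate(processes)}
    chain = [LIST_HEAD] + [addrs[pid] for pid, _ in processes if pid != hide_pid]
    links = {a: (chain[(i + 1) % len(chain)], chain[i - 1])   # (flink, blink)
             for i, a in enumerate(chain)}

    def write(addr, pid, name, flink, blink):
        image[addr:addr + BLOCK_SIZE] = struct.pack(
            BLOCK_FMT, BLOCK_MAGIC, pid, flink, blink, name.encode()[:16])

    write(LIST_HEAD, 0, "", *links[LIST_HEAD])
    for pid, name in processes:
        a = addrs[pid]
        flink, blink = links.get(a, (a, a))     # unlinked block points at itself
        write(a, pid, name, flink, blink)
    return bytes(image)


def extract_strings(image, min_len=4):
    """Unstructured analysis: printable ASCII runs, as `strings` would report."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, image)]


def read_block(image, addr):
    """Parse one process block at addr; None if no block tag is there."""
    if addr < 0 or addr + BLOCK_SIZE > len(image):
        return None
    magic, pid, flink, blink, name = struct.unpack_from(BLOCK_FMT, image, addr)
    if magic != BLOCK_MAGIC:
        return None
    return {"pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\x00").decode(errors="replace")}


def walk_process_list(image):
    """Structured analysis: follow flink pointers from the head, as the OS does.

    Returns [(pid, name), ...] in list order.  The visited set bounds the walk,
    so a corrupted or deliberately looped pointer cannot spin forever.
    """
    result, seen = [], set()
    head = read_block(image, LIST_HEAD)
    if head is None:
        return result
    cur = head["flink"]
    while cur != LIST_HEAD and cur not in seen:
        seen.add(cur)
        blk = read_block(image, cur)
        if blk is None:
            break                               # pointer into garbage: stop, don't misparse
        result.append((blk["pid"], blk["name"]))
        cur = blk["flink"]
    return result


def scan_process_blocks(image):
    """Carve every tagged block from the image, linked into the list or not."""
    found = []
    pos = image.find(BLOCK_MAGIC)
    while pos != -1:
        blk = read_block(image, pos)
        if blk is not None and pos != LIST_HEAD:
            found.append((blk["pid"], blk["name"]))
        pos = image.find(BLOCK_MAGIC, pos + 1)
    return found


def hidden_processes(image):
    """Blocks present in memory but absent from the linked list."""
    listed = {pid for pid, _ in walk_process_list(image)}
    return [(pid, name) for pid, name in scan_process_blocks(image) if pid not in listed]


if __name__ == "__main__":
    # constructed sample: three processes, the third unlinked from the list
    img = build_image([(4, "System"), (612, "winlogon"), (1337, "hidden")], hide_pid=1337)
    print("strings:", extract_strings(img))
    print("list walk:", walk_process_list(img))
    print("block scan:", scan_process_blocks(img))
    print("hidden:", hidden_processes(img))
```

The string extraction recovers the process names and the URL but says nothing about which process is which or whether any is missing from the list; the list walk reports what the live system would have reported; the scan is what catches the unlinked block, and the difference between the two lists is where an investigator looks first.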
Second generation tools
Subsequently, several memory forensics tools were developed intended for practical use. These include commercial tools such as Responder PRO, Memoryze, winen, and Belkasoft Live RAM Capturer. New features have been added, such as analysis of Linux and Mac OS X memory dumps, and substantial academic research has been carried out.
Unlike Microsoft Windows, Mac OS X interest is relatively new and had only been initiated by Matthieu Suiche in 2010 during the Black Hat Briefings security conference. Currently, memory forensics is a standard component of incident response.
Third generation tools
Beginning in 2010, more utilities focused on the visualization aspect of memory analysis, such as MoonSols LiveCloudKd, presented by Matthieu Suiche at Microsoft BlueHat Security Briefings, which inspired a new feature in Microsoft LiveKd written by Mark Russinovich to allow virtual machine introspection by accessing the memory of a guest virtual machine from the host, in order to either analyze it directly with the assistance of Microsoft WinDbg or to acquire a memory dump in the Microsoft crash dump file format.
See also
* Computer forensics
* Data breach
* Data erasure
* Data loss
* Data recovery
* Data remanence
* Data sanitization
* Digital forensics
* File carving
External links
The History of Memory Forensics & The Volatility Framework