A proposal for an integrated memory acquisition mechanism
Source
ACM SIGOPS Operating Systems Review archive
Volume 42, Issue 3 (April 2008)
FEATURE: Computer forensics
Pages 14-20  
Year of Publication: 2008
ISSN: 0163-5980
Authors
Eugene Libster  ManTech International Corporation, Columbia, MD
Jesse D. Kornblum  ManTech International Corporation, Columbia, MD
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1368506.1368510

ABSTRACT

Volatile memory forensics has become increasingly prominent in forensic analysis and incident response. Unfortunately, there is currently no forensically sound method of acquiring an image of a system's memory without attaching specialized hardware. This paper proposes adding a memory acquisition mechanism to the operating system itself, thereby removing the need to load an external program. The method minimizes the acquisition's impact on the system's state and makes it more difficult for malicious programs to avoid detection or interfere with the memory dump. The risks of allowing a full memory capture, and some considerations on how this method would interact with rootkits, are also discussed.


