Wikipedia

Memory forensics

Memory forensics is forensic analysis of a computer's memory dump. Its primary application is investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive. Consequently, the memory (RAM) must be analyzed for forensic information.

History

Zeroth generation tools

Prior to 2004, memory forensics was done on an ad hoc basis, using generic data analysis tools like strings and grep. These tools were not created specifically for memory forensics and are therefore difficult to use for it; they also provide limited information. In general, their primary use is to extract text from the memory dump.[1]
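As an added example (not part of the article), a minimal Python reimplementation of the strings-and-grep workflow over a constructed dump. It also pulls out UTF-16LE strings, which a plain ASCII strings pass misses on Windows images; the sample bytes are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample "memory dump": binary noise around one printable ASCII
# string and one UTF-16LE string (Windows stores most kernel and user-mode
# strings as wide characters, so ASCII-only extraction silently drops them).
SAMPLE_DUMP = (
    b"\x00\x10\xff\x01\x02"
    + b"C:\\Windows\\notepad.exe\x00"
    + b"\x03\x04"
    + "\\Device\\HarddiskVolume1".encode("utf-16-le")
    + b"\x00\x00\x7f\x7f\x05"
)


def extract_strings(dump: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for printable runs of at least min_len chars.

    Like the classic strings utility this knows nothing about OS structures:
    it recovers text only, which is why zeroth-generation analysis stops at
    keyword hunting and cannot tell which process a string belonged to.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE: each printable ASCII character is followed by a zero byte.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(dump):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(dump):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)  # by offset, so both encodings interleave in dump order


def grep_strings(dump: bytes, needle: str, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """The grep step: keep only strings containing needle (case-insensitive)."""
    return [s for s in extract_strings(dump, min_len) if needle.lower() in s[2].lower()]


if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_DUMP):
        print(f"0x{off:08x} {enc:8s} {text}")
```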

Many operating systems provide features for kernel developers and end users to create a snapshot of physical memory, either for debugging (a core dump or Blue Screen of Death) or to enhance the user experience (hibernation). In the case of Microsoft Windows, crash dumps and hibernation have been present since Microsoft Windows NT. Microsoft crash dumps have always been analyzable with Microsoft WinDbg, and Windows hibernation files (hiberfil.sys) can nowadays be converted into Microsoft crash dumps using utilities like the MoonSols Windows Memory Toolkit designed by Matthieu Suiche.[citation needed]

First generation tools

In February 2004, Michael Ford introduced memory forensics into security investigations with an article in SysAdmin Magazine.[2] In that article, he demonstrated analysis of a memory-based rootkit. The process used the existing Linux crash utility as well as two tools developed specifically to recover and analyze the memory forensically, memget and mempeek.[citation needed]

In 2005, DFRWS issued a Memory Analysis Forensics Challenge.[3] In response to this challenge, more tools in this generation, specifically designed to analyze memory dumps, were created. These tools had knowledge of the operating system's internal data structures, and were thus capable of reconstructing the operating system's process list and process information.[3]

Although intended as research tools, they proved that operating system level memory forensics is possible and practical.[citation needed]
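Added example, not from the article or from any tool it names: a toy image with a constructed process-block layout (the field layout, the "Proc" marker and all offsets are invented for illustration and are not a real operating system structure) showing what structure-aware tools do: walk the kernel's own process list from a known head, then cross-check it against a scan for every block that looks like a process, so a block that has been unlinked from the list, as in the memory-based rootkit case above, still appears.

```python
import struct

# Constructed toy layout, NOT a real EPROCESS/task_struct: 32-byte blocks of
#   magic 4s | pid u32 | ppid u32 | flink u32 | blink u32 | name 12s
BLOCK = struct.Struct("<4sIIII12s")
MAGIC = b"Proc"          # invented marker standing in for a pool tag / type field
HEAD = 0x40              # offset of the list-head sentinel in the toy image


def build_sample_image() -> bytes:
    """Constructed 512-byte 'dump': head -> System -> smss.exe -> head, plus one
    block (pid 999) that sits in memory but has been unlinked from the list."""
    img = bytearray(0x200)
    blocks = {  # offset: (pid, ppid, flink, blink, name)
        0x40:  (0,   0, 0x80, 0xC0, "<head>"),
        0x80:  (4,   0, 0xC0, 0x40, "System"),
        0xC0:  (356, 4, 0x40, 0x80, "smss.exe"),
        0x140: (999, 4, 0x40, 0x80, "unlinked"),
    }
    for off, (pid, ppid, f, b, name) in blocks.items():
        img[off:off + BLOCK.size] = BLOCK.pack(MAGIC, pid, ppid, f, b,
                                               name.encode().ljust(12, b"\x00"))
    return bytes(img)


def read_block(img: bytes, off: int) -> dict:
    magic, pid, ppid, flink, blink, name = BLOCK.unpack_from(img, off)
    if magic != MAGIC:
        raise ValueError(f"no process block at 0x{off:x}")
    return {"offset": off, "pid": pid, "ppid": ppid, "flink": flink,
            "blink": blink, "name": name.rstrip(b"\x00").decode()}


def walk_process_list(img: bytes, head: int = HEAD, max_steps: int = 1000) -> list:
    """Follow the OS's own doubly linked list from the head (first-generation approach).
    Stops on return to head, on a cycle, or after max_steps, so a corrupt dump cannot loop."""
    procs, seen, off = [], set(), read_block(img, head)["flink"]
    while off != head and off not in seen and len(seen) < max_steps:
        seen.add(off)
        procs.append(read_block(img, off))
        off = procs[-1]["flink"]
    return procs


def scan_process_blocks(img: bytes) -> list:
    """Carve every block that looks like a process, ignoring list membership."""
    return [read_block(img, off) for off in range(0, len(img) - BLOCK.size + 1, 4)
            if img[off:off + 4] == MAGIC and off != HEAD]


def unlinked_processes(img: bytes) -> list:
    """Cross-view check: blocks the scan finds but the list walk never reaches."""
    listed = {p["offset"] for p in walk_process_list(img)}
    return [p for p in scan_process_blocks(img) if p["offset"] not in listed]
```

Calling `unlinked_processes(build_sample_image())` returns only the pid 999 block, while `walk_process_list` reports just System and smss.exe.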

Second generation tools

Subsequently, several memory forensics tools intended for practical use were developed. These include both commercial tools such as Responder PRO, Memoryze, MoonSols Windows Memory Toolkit, winen and Belkasoft Live RAM Capturer, and open source tools such as Volatility. New features have been added, such as analysis of Linux and Mac OS X memory dumps, and substantial academic research has been carried out.[4][5]

Unlike Microsoft Windows, interest in Mac OS X memory forensics is relatively new, having been initiated by Matthieu Suiche[6] at the Black Hat Briefings security conference in 2010.[citation needed]

Currently, memory forensics is a standard component of incident response.[7]

Third generation tools

Since 2010, more utilities have focused on the visualization aspect of memory analysis, such as MoonSols LiveCloudKd, presented[8] by Matthieu Suiche at Microsoft BlueHat Security Briefings. It inspired[9] a new feature in Microsoft LiveKd, written by Mark Russinovich,[10] that allows virtual machine introspection: the memory of a guest virtual machine is accessed from the host, either to analyze it directly with Microsoft WinDbg or to acquire a memory dump in the Microsoft crash dump file format.[citation needed]

References

  1. Dan Farmer and Wietse Venema. Forensic Discovery. Chapter 8.
  2. Ford, Michael (2004). "Linux Memory Forensics". SysAdmin Magazine.
  3. DFRWS 2005 Forensics Challenge. Archived 2013-04-26 at the Wayback Machine.
  4. Petroni, N. L., Walters, A., Fraser, T., & Arbaugh, W. A. (2006). "FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory". Digital Investigation, 3(4), 197-210.
  5. Inoue, H., Adelstein, F., & Joyce, R. A. (2011). "Visualization in testing a volatile memory forensic tool". Digital Investigation, 8, S42-S51.
  6. Matthieu Suiche (2010). "Advanced Mac OS X Physical Memory Analysis". Black Hat Briefings DC 2010.
  7. SANS Institute. "Memory Forensics for Incident Response".
  8. Matthieu Suiche (2010). "Blue Screen of Death is Dead". Microsoft Blue Hat Hacker Conference Fall 2010.
  9. "LiveKd for Virtual Machines Debugging".
  10. "LiveKd - Windows Sysinternals".
