Memory Forensics: Review of Acquisition and Analysis Techniques
Author
Abstract
This document presents an overview of the most common memory forensics techniques used in the acquisition and analysis of a system’s volatile memory. Memory forensics rose from obscurity in 2005 in response to a challenge issued by the Digital Forensics Research Workshop (DFRWS). Since then, investigators and researchers alike have begun to recognise the important role that memory forensics can play in a robust investigation. Volatile memory, or Random Access Memory (RAM), contains a wealth of information regarding the current state of a device. Memory forensics techniques examine RAM to extract information such as passwords, encryption keys, network activity, open files and the set of processes and threads currently running within an operating system. This information can help investigators reconstruct the events surrounding criminal use of technology or computer security incidents.
APPROVED FOR PUBLIC RELEASE
Similar resources
Live Memory Acquisition for Windows Operating Systems: Tools and Techniques for Analysis
The live acquisition of volatile memory (RAM) is an area in digital forensics that has not garnered much attention until most recently. The importance of the contents of physical memory has always taken a back seat to what is considered more important – the contents of physical media. However, a great deal of information can be acquired ...
Full text
On the Viability of Memory Forensics in Compromised Environments
Memory forensics has become a powerful tool for the detection and analysis of malicious software. It provides investigators with an impartial view of a system, exposing hidden processes, threads, and network connections, by acquiring and analyzing physical memory. Because malicious software must be at least partially resident in memory in order to execute, it cannot remove all its traces from R...
Full text
Acquisition and analysis of compromised firmware using memory forensics
To a great degree, research in memory forensics to date concentrates on the acquisition and analysis of kernel- and user-space software from physical memory. With the system firmware, though, a much more privileged software layer exists in modern computer systems, and it has recently become the target of sophisticated computer attacks more often. Compromise strategies used by high profile rootkits ar...
Full text
A flexible framework for mobile device forensics based on cold boot attacks
Mobile devices, like tablets and smartphones, are commonplace in everyday life. Thus, the degree of security these devices can provide against digital forensics is of particular interest. A common method to access arbitrary data in main memory is the cold boot attack. The cold boot attack exploits the remanence effect that causes data in DRAM modules not to lose the content immediately in case...
Full text
BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software
Recently there has been a surge in interest in memory forensics: the acquisition and analysis of the contents of physical memory obtained from live hosts. The emergence of kernel level rootkits, anti-forensics, and the threat of subversion that they pose threatens to undermine the reliability of such memory images and digital evidence in general. In this paper we propose a method of acquiring t...
Full text