Introducing the temporal dimension to memory forensics

Pagani, Fabio; Fedorov, Oleksii; Balzarotti, Davide
ACM Transactions Privacy and Security (TOPS), Volume 22, N°2, March 2019


Kickstarted by the Digital Forensic Research Workshop (DFRWS) conference in 2005, modern memory analysis is now one of most active areas of computer forensics and it mostly focuses on techniques to locate key operating system data structures and extract high-level information. These techniques work on the assumption that the information inside a memory dump is consistent and the copy of the physical memory was obtained in an atomic operation.

Unfortunately, this is seldom the case in real investigations, where software acquisition tools record information while the rest of the system is running. Thus, since the content of the memory is changing very rapidly, the resulting memory dump may contain inconsistent data. While this problem is known, its consequences are unclear and often overlooked. Unfortunately, errors can be very subtle and can affect the results of an analysis in ways that are difficult to detect.

In this article, we argue that memory forensics should also consider the time in which each piece of data was acquired. This new temporal dimensionprovides a preliminary way to assess the reliability of a given result and opens the door to new research directions that can minimize the effect of the acquisition time or detect inconsistencies. To support our hypothesis, we conducted several experiments to show that inconsistencies are very frequent and can negatively impact an analysis. We then discuss modifications we made to popular memory forensic tools to make the temporal dimension explicit during the analysis and to minimize its effect by resorting to a locality-based acquisition.


DOI
HAL
Type:
Journal
Date:
2019-02-27
Department:
Sécurité numérique
Eurecom Ref:
5827
Copyright:
© ACM, 2019. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Transactions Privacy and Security (TOPS), Volume 22, N°2, March 2019
 http://dx.doi.org/10.1145/3310355

PERMALINK : https://www.eurecom.fr/publication/5827