Advances in memory forensics

Pagani, Fabio

The adoption of memory forensics - the branch of digital forensics that focuses on extracting artifacts from the volatile memory of a compromised system - is rapidly spreading in cyber-security investigations. One of the main reason is that many artifacts that are extracted from system memory cannot be found elsewhere. Therefore, by combining these findings with the results of network and disk analysis, a forensics analysts can better reconstruct the big picture that describes the evolution and the consequences of a computer incident. However, the field of memory forensics is less than two decades old and therefore still has many open challenges and unanswered questions. This thesis provides a new perspective and proposes new solutions for three of the major problems and limitations that affects the area of memory forensics. The first contribution studies the effects non-atomic acquisition methods. The root cause of this problem is simple to understand: while the physical memory is acquired, user and kernel processes are running and therefore the content of the memory is changing. For this reason, the resulting memory dump does not represent a consistent state of the memory in a given point in time, but rather a mix of multiple chunks acquired at a distance of tens of seconds. The second contribution focuses on how to automatically extract a forensics profile from a memory dump. Today, having a valid profile that describes the layout of kernel data structures and the location of certain symbols is a mandatory requirement to perform memory analysis, thus preventing memory forensics to be applied in those scenarios where such profile is not available. The third and last contribution of this thesis proposes a new method to better design and evaluate the heuristics, better known as plugins, that are used to extract information from a memory dump. Nowadays, these plugins are manually written by kernel experts and forensics practitioners. Unfortunately, this manual approach does not provide any guarantee on the quality or on the uniqueness of these rules. For this reasons, this thesis presents a framework that can be used to discover, assess, and compare forensics rules.

Sécurité numérique
Eurecom Ref:
© EURECOM. Personal use of this material is permitted. The definitive version of this paper was published in and is available at :
See also: