The traditional approach to memory forensics heavily relies on a deep understanding of the internal workings of the operating system. With the proliferation of embedded devices, IoT devices, and cloud-hosted virtual machines, there is a growing diversity of operating systems and CPU architectures. Unfortunately, existing forensics tools often lack support for these varied systems, requiring substantial effort to extend their capabilities. When confronted with a memory dump from an uncommon or unknown operating system, analysts are typically limited to primitive tools that can only extract basic information. To extract more comprehensive structural data, analysts often face the arduous task of reverse-engineering the kernel binary, if available. These limitations hinder the applicability of memory forensics on multiple operating systems. To address this problem, this thesis introduces, for the first time, the concept of "zero-knowledge memory forensics".
This approach aims to conduct memory forensics analysis without any prior knowledge of the underlying OS. While profiles, custom rules, and dynamic introspection remain valuable techniques that yield better results when applicable, we argue that our new approach is essential to rapidly expand memory analysis to a wider range of target systems.
We begin by quantifying the impact of the memory dumping process and the non-atomicity of memory dumps on the recoverability and consistency of virtual address spaces and kernel data structures.
Then, we propose a method to reconstruct the kernel address space in an OS-agnostic manner solely based on hardware configuration information. Furthermore, we show that it is possible to identify kernel pointers and reconstruct in-memory kernel data structures such as lists and trees using only OS-agnostic properties related to their topology.
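The topology-based idea in the last paragraph can be illustrated with a small scanner. The code below is an added example written for this page, not code from the thesis or its authors. It builds a constructed memory image containing one circular doubly linked list (next pointer followed by a back pointer, the layout used by Linux's `list_head`) plus decoy words, then recovers the list using only two OS-agnostic properties: a word is a candidate pointer if it is aligned and falls inside the mapped range, and a forward edge A -> B is a list edge if B carries a back pointer at some small stride that returns to A. The stride is not assumed; a range of strides is tried, so the same routine generalizes to other node layouts. The example assumes a direct-mapped 64-bit little-endian kernel region at a constant `KBASE` so that virtual-to-physical translation is a subtraction; in a real analysis that translation comes from the page tables reconstructed from hardware configuration, as the abstract describes.

```python
import struct

WORD = 8
# Constructed assumption: the image is a flat physical dump that the kernel maps
# linearly at KBASE (a direct map), so virt -> phys is a constant subtraction.
# In a real analysis this translation comes from the reconstructed page tables.
KBASE = 0xFFFF_8000_0000_0000


def build_sample_dump(size=0x1000):
    """Constructed image: one circular doubly linked list (next at +0, prev at +8)
    plus decoy words that look like pointers but have no consistent back-edge."""
    img = bytearray(size)
    nodes = [0x100, 0x240, 0x380, 0x4C0]  # physical offsets of the four list nodes
    for i, off in enumerate(nodes):
        nxt = KBASE + nodes[(i + 1) % len(nodes)]
        prv = KBASE + nodes[(i - 1) % len(nodes)]
        struct.pack_into("<QQ", img, off, nxt, prv)
    struct.pack_into("<Q", img, 0x800, KBASE + 0x240)       # dangling forward pointer
    struct.pack_into("<Q", img, 0x808, 0xDEADBEEFCAFEBABE)  # not a pointer at all
    return bytes(img)


def read_word(img, virt):
    """Read one aligned 64-bit word at a virtual address, or None if unmapped."""
    off = virt - KBASE
    if off < 0 or off % WORD or off + WORD > len(img):
        return None
    return struct.unpack_from("<Q", img, off)[0]


def looks_like_pointer(img, val):
    """OS-agnostic pointer heuristic: aligned and inside the mapped range."""
    return KBASE <= val < KBASE + len(img) and (val - KBASE) % WORD == 0


def _walk_cycle(img, start, delta, limit=1 << 16):
    """Follow forward edges from `start`, requiring that every hop's target
    carries a back pointer at +delta that returns to the previous node.
    Returns the node list if the chain closes on `start`, else None."""
    chain = [start]
    cur = read_word(img, start)
    while cur is not None and cur != start and len(chain) < limit:
        if cur in chain or read_word(img, cur + delta) != chain[-1]:
            return None
        chain.append(cur)
        cur = read_word(img, cur)
    # The closing hop must also have a valid back-edge: start.prev == last node.
    if cur == start and read_word(img, start + delta) == chain[-1]:
        return chain
    return None


def find_doubly_linked_lists(img, max_delta=64, min_nodes=2):
    """Scan every aligned word; for each candidate forward pointer try a small
    set of back-pointer strides and keep closed chains. Results are deduped
    and rotated so the lowest address comes first."""
    results = set()
    for off in range(0, len(img) - WORD + 1, WORD):
        addr = KBASE + off
        target = read_word(img, addr)
        if target is None or not looks_like_pointer(img, target):
            continue
        for delta in range(-max_delta, max_delta + WORD, WORD):
            if delta == 0:
                continue
            chain = _walk_cycle(img, addr, delta)
            if chain and len(chain) >= min_nodes:
                k = chain.index(min(chain))
                results.add((delta, tuple(chain[k:] + chain[:k])))
    return sorted(results)


if __name__ == "__main__":
    image = build_sample_dump()
    for delta, nodes in find_doubly_linked_lists(image):
        print(f"back-pointer stride {delta:+d}: {len(nodes)} nodes")
        for n in nodes:
            print(f"  {n:#018x}")
```

On the constructed image the scanner reports exactly one list with a back-pointer stride of +8 and four nodes; the dangling pointer at offset 0x800 is rejected because nothing in its target's neighbourhood points back to it. The `cur in chain` test is what keeps a corrupted or partially overwritten structure (the non-atomicity case mentioned above) from looping forever, and `min_nodes` lets the analyst decide whether empty, self-pointing heads are worth reporting.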