DOCSLIB.ORG

Memory Analysis and What Data Can Be Extracted from Memory Vijaya Lakshmi1, Dr

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

ISSN 2321 3361 © 2019 IJESC Research Article Volume 9 Issue No. 6 Memory Analysis and what Data can be Extracted from Memory Vijaya Lakshmi1, Dr. Neetu Sharma2 M.Tech Scholar1, HOD2 Department of Computer Forensic & Information Security1, Department of Computer Science & Engineering2 Ganga Institute of Technology and Management, Jhajjar Haryana, India Abstract: At present era of digital world, modern criminal investigators face an increasing number of computer-related crimes. This requires the application of digital forensic science. Digital investigation is becoming an increasing concern. Many digital forensic tools are being developed to deal with the challenge of investigating digital crimes. The major challenge that digital forensics practitioners face is the complicated task of acquiring an understanding of the digital data residing in electronic devices. Acquisition of memory from digital system or device is the first step in digital forensics analysis. Before any analysis can be done, we need to acquire the memory in the first place. Acquisition of volatile memory is one of the vital steps of digital forensics process. There are a number of commercial utilities to acquire memory, but there is also a few free and even open source equivalents. In this article, I am going to review some memory acquisition tools that are designed to deploy on a USB stick for quick incident response operations. Currently, this task requires significant experience and background to correctly analyze and aggregate the data that the tools provide from the digital artifacts. Most of the presently available tools, shows their results in text files or tree lists. It is up to the practitioner to mentally capture a global understanding of the state of the device at the time of seizure and find the useful items of evidentiary interest. This research focuses on the application of memory acquisition techniques and tools for the analysis of digital forensic evidence. Finally, a comparison based on total memory acquisition size and time elapsed for acquisition has also been done and presented through a chart. The results provide the necessary details for verifying digital artifacts. As per this paper, I have performed on windows platform only. This can be modified to support various digital forensic target platforms including Mac OS X, Linux, and Android. Keywords: Memory forensic, Memory Imaging, Memory acquisition, Raw memory dump, Incident Response, Digital artifacts. 1. INTRODUCTION Physical memory analysis from Windows systems can provide Memory Analysis is a process & technique of using a ‘memory important information about the target operating system. This image’ to get information about the overall state of a computer, field is still very new, but holds great promise. the programs running on it, the operating system and other digital artifacts and network connectivity etc. Actually Memory 1.1. Memory Imaging Analysis is the domain of Memory forensics, sometimes referred Memory imaging is the process of making a bit-by-bit copy of to as memory analysis that refers to the analysis of volatile data memory. In principle it is similar to Disk Imaging. A ‘memory in a computer’s memory dump. It is forensic analysis of a image’ is simply the view of the current state and components of computer's memory dump. The primary application of memory the systems memory at a certain time. It is something like an analysis is inspecting computer attacks. These attacks are image (or a photocopy) to be able to examine it afterwards. The stealthy enough to avoid leaving data on the computer's hard resulting copy is stored in a ‘Forensics image format’. Some of drive. For this,(RAM) or the memory (whether primary or other these formats have means to differentiate between an image of memory drives and devices) must be analyzed for forensic memory and (e.g.) that of a disk. For physical memory it is information. By performing memory forensics analysis, common to have sections that are not accessible, e.g. because of information security professionals investigate and identify memory-mapped I/O. The physical memory of computers can be attacks or malicious behaviors that do not leave easily detectable imaged and analyzed using a variety of tools. The procedure for tracks on hard drive data. Because the analysis is highly accessing physical memory varies between operating systems, dependent on the operating system, it has been divided into the Hence, there are different tools for different operating systems. following and based on it there are different and versatile Once memory has been imaged, it is subjected to memory memory imaging and memory acquisition tools to perform and analysis to ascertain the state of the system, extract artifacts, and analyze memory to retrieve various types of static and running so on. data. 1.2. Practical Issue One of the most annoying problems for memory imaging is verifying that the image has been created correctly. That is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be IJESC, June 2019 23058 http://ijesc.org/ repeated but the results will never--to a high degree of WinDbg or by acquiring a memory dump in a Microsoft crash probability--be the same. Thus, repeating the acquisition and dump file format. comparing the results is not a feasible means of validating correct image creation. Memory analysis can reveal whether the 2.2 Some Research Review image's contents are consistent with the known layout and 2.2.1In reference to the research paper by Stephan et al (2011), structure of a given operating system, as well as answering other the authors illustrated the process (figure 1) for extracting the questions, but it cannot answer the question as to whether the graphic content information from the memory dump of windows image accurately reflects the system from which it was taken at based machine (Kiltz, Hoppe, & Dittmann, 2009). In addition, the time it was taken. the authors also developed a forensic model used for this research. The extraction process (figure 1) used by Stephan et al 2. LITERATURE REVIEW (2011) involves strategic preparation, operational preparation, data gathering, data investigation, data analysis, and final 2.1 History and Background documentation with evidence presentation. Zeroth Generation - Before 2004,generic data analysis tools like strings and grep were used and memory forensics was done on an ad hoc basis. These tools are a bit difficult to use as they are not particularly created for memory forensics. They also provide limited information. Generally, their primary usage is to extract the text from the memory dump. There are several other operating systems that provide features to kernel developers and Figure.1.Extraction Process of graphic Content from also to the end-users to create a snapshot of the physical memory memory dump for either purpose of debugging (core dump or Blue Screen of According to the author, forensically relevant data types are Death) or experience enhancement (Hibernation (computing)). hardware data, raw data and details about data, configuration In the case of Microsoft Windows, crash dumps and hibernation data, communication protocol data, process data, session data had been present since Microsoft Windows NT. Microsoft crash and user data. Along with this, the other tools that were used to dumps had always been analyzable by Microsoft WinDbg, and retrieve the graphic content from the memory dump were Irfan Windows hibernation files (hiberfil.sys) are nowadays View and volatility framework (Kiltz et al., 2009). convertible in Microsoft crash dumps using utilities like “MoonSols” (now comes by Comae technologies) Windows 2.3 Recovering Windows registry information from memory Memory Toolkit designed by Matthieu Suiche. dump 1rst Generation -In February 2004, Michael Ford introduced Windows registry is significant area for recovering and memory forensics into security investigations with an article in analyzing potential evidence about each event on a windows Sys Admin Magazine. In that article, he verified analysis of a machine. Shuhui Zhang et al (2011) have proposed a method for memory based root kit. Here its process utilized the existing recovering windows registry information from the memory Linux crash utility along with two tools particularly developed dump using Hive files. As the hive files contain all the necessary for recovery and analysis of the memory forensically, memget data including handles, metadata, objects, keys, data structures and mem peek. DFRWS, in 2005 issued a Memory Analysis and file maps which are potentially significant for forensic Forensics Challenge. In response to the present challenge, memory analysis. Similarly, another paper was written by additional tools during this generation, specifically designed to Farmer et al (n.d.) on forensic analysis of windows registry. The analyze memory dumps, were created. These tools had authors, in this research paper have illustrated forensic analysis information of the in operation system's internal data structures, by directly viewing the windows registry and not analyzing from and were so capable of reconstructing the operating system's the memory dump. The author has analyzed and documented the process list and process information. Although intended as possible evidences that could be recovered from windows research tools, these tools proved that operating system level registry such as: memory forensics is possible and also practical. 2nd Generation - Development of several memory forensics .Registry Hive Locations tools were intended for the practical. These tools include both • MRULists (Most Recently UsedList) the commercial tools like “Memoryze”, “MoonSols” Windows • Wireless Networks details Memory Toolkit, open source tools like “Volatility”. Some new • Network details features were added, such as analysis of Linux and Mac OS X • LAN computer connected through the machine memory dumps, and substantial academic research has been • Portable devices connected carried out.As of now, memory forensics is a standard • Artefacts of IE component of incident response.
Recommended publications
  • User Space Memory Analysis

    User Space Memory Analysis

    User Space Memory Analysis Master's Thesis University of Twente Author: Committee: Edwin Smulders dr. J.Y. Petit prof. dr. P.H. Hartel R.B. van Baar, MSc (NFI) November 13, 2013 Contents 1 Introduction 5 1.1 Digital Forensics . .5 1.2 Memory Forensics . .5 1.3 Organisation of this document . .6 2 Problem Statement and Research Questions 7 2.1 Problem Statement . .7 2.2 Research Questions . .8 3 Related Work 11 3.1 Acquisition . 11 3.2 Platforms . 12 3.3 Multi-platform . 15 3.4 Userland . 15 3.5 Virtual Machines . 16 3.6 Other . 16 3.7 Conlusion . 17 4 Methodology 19 4.1 Introduction . 19 4.2 Methods . 19 4.3 Summary . 25 5 Data Acquisition 27 5.1 Virtualbox . 27 5.2 Operating Systems . 27 5.3 Applications . 28 6 Core Implementation 29 6.1 Registers . 29 6.2 System Calls . 30 6.3 Reverse engineering the PLT . 31 6.4 Stacks and Calling Conventions . 33 6.5 Optimizations . 35 3 6.6 Finding Main . 37 6.7 Limitations . 39 7 Considerations 41 7.1 Compile Options . 41 7.2 Static compilation . 43 7.3 Stripped executables . 43 8 Case Examples 45 8.1 Python networking test case . 45 8.2 Analysis of the steam locomotive . 47 9 Results and evaluation 51 9.1 Test data - Ubuntu 13.04 . 51 9.2 Tests and evaluation of swap use . 52 9.3 Registers . 53 9.4 System call analysis . 55 9.5 Stack analysis . 55 9.6 Register call analysis . 56 9.7 Method weaknesses .
  • The Acquisition and Analysis of Random Access Memory

    The Acquisition and Analysis of Random Access Memory

    Currently “In Submission” to JDFP (some content may change before publication) THE ACQUISITION AND ANALYSIS OF RANDOM ACCESS MEMORY Timothy Vidas Naval Postgraduate School Monterey, CA ABSTRACT Mainstream operating systems (and the hardware they run on) fail to purge the contents of portions of volatile memory when that portion is no longer required for operation. Similar to how many file systems simply mark a file as deleted instead of actually purging the space that the file occupies on disk, Random Access Memory (RAM) is commonly littered with old information in unallocated space waiting to be reused. Additionally, RAM contains constructs and caching regions that include a wealth of state related information. The availability of this information along with techniques to recover it, provide new methods for investigation. This article discusses the benefits and drawbacks of traditional incident response methods compared to an augmented model that includes the capture and subsequent analysis of a suspect system’s memory, provides a foundation for analyzing captured memory, and provides suggestions for related work in an effort to encourage forward progress in this relatively new area of digital forensics. KEYWORDS: memory, random access memory, memory analysis, digital forensics, Windows forensics, incident response, best practices Tim Vidas is a Research Associate at the Naval Postgraduate School. He has been focusing research in the field of digital forensics for a few years and is now primarily working on in the area of trusted operating systems and kernels. In addition to research, he likes to teach and has a wide set of IT related interests. He maintains several affiliations like ACM, CERT, and Infragard and holds several certifications such as CISSP, Sec+ and EnCE.
  • On the Viability of Memory Forensics in Compromised Environments

    On the Viability of Memory Forensics in Compromised Environments

    On the Viability of Memory Forensics in Compromised Environments Zur Praktikabilit¨atvon Hauptspeicherforensik in kompromittierten Umgebungen Der Technischen Fakult¨atder Friedrich-Alexander-Universit¨at Erlangen-N¨urnberg zur Erlangung des Grades DOKTOR-INGENIEUR vorgelegt von Johannes Stuettgen aus Herdecke Als Dissertation genehmigt von der Technischen Fakult¨atder Friedrich-Alexander-Universit¨at Erlangen-N¨urnberg Tag der m¨undlichen Pr¨ufung: 28.05.2015 Vorsitzende des Promotionsorgans: Prof. Dr.-Ing. habil. Marion Merklein Gutachter: Prof. Dr.-Ing. Felix Freiling Prof. Dr. Michael Meier Abstract Memory forensics has become a powerful tool for the detection and analysis of ma- licious software. It provides investigators with an impartial view of a system, expos- ing hidden processes, threads, and network connections, by acquiring and analyzing physical memory. Because malicious software must be at least partially resident in memory in order to execute, it cannot remove all its traces from RAM. However, the memory acquisition process is vulnerable to subversion in compromised envi- ronments. Malicious software can employ anti-forensic techniques to intercept the acquisition and filter memory contents while they are copied. In this thesis, we analyze 12 popular memory acquisition tools for Windows, Linux, and Mac OS X, and study their implementation in regard to how they enumerate and map memory. We find that all of the analyzed programs use the operating system to perform these tasks, and further illustrate this by implementing an open source memory acquisition framework for Mac OS X. In a survey of kernel rootkit techniques, that prevent or filter physical memory access, we show that all 12 tested programs are vulnerable to anti-forensics, because they rely on the operating system for critical functions.
  • Memory Forensic

    Memory Forensic

    [Jani et. al., Vol.5 (Iss.2: SE): February, 2018] ISSN: 2454-1907 [Communication, Integrated Networks & Signal Processing-CINSP 2018] DOI: 10.29121/ijetmr.v5.i2.2018.618 MEMORY FORENSIC: ACQUISITION AND ANALYSIS OF MEMORY AND ITS TOOLS COMPARISON Mital Parekh 1, Snehal Jani *2 1 Student in M.Tech, Department of Cyber Security, Raksha Shakti University, Ahmedabad, Gujarat, India *2 Assistant Professor, Amity School of Applied Sciences, Amity University Madhya Pradesh, Gwalior, India Abstract: The enhancement of technology has led to a considerable amount of growth in number of cases pertaining to cyber-crime and has raised an enormous challenge to tackle it effectively. There are various cyber forensic techniques and tools used to recover data from the devices to tackle cyber-crime. Present research paper focuses on performing memory forensic and analyzes the memory which contains many pieces of information relevant to forensic investigation, such as username, password, cryptographic keys, deleted files, deleted logs, running processes; that can be helpful to investigate the cyber-crime pining down the accused. The three main steps followed in memory forensic are acquiring, analyzing and recovering. Recovery of the evidences of crime from the volatile memory can be possible with the knowledge of different tools and techniques used in memory forensic. However, it is always tough to analyze volatile memory as it stays for a very short period. Not all tools can be used for memory forensic in every situation and therefore, it is important to have the knowledge of tools before applying to solve a particular cyber-crime. It is yet to establish on using a single tool for complete investigation, however, most of the tools used are successful in providing reasonable evidences.
  • The Secret Lives of Hard Drives

    The Secret Lives of Hard Drives

    4:mag TIPS ON BREAKING INto THE FIELD MAC MALWARE. ARE YOU READY? You’ve heard THE RUMORS, BUT HOW MUCH DO YOU REALLY KNOW ABOUT... THE SECRET LIVES OF HARD DRIVES Issue 1 Q2 2013 4:HOME contents 4 events 5 editorial 6 a call to action 7 10 device and application data from ios devices 13 taking a byte out of apple computers 16 win - forensic contest 18 starting out and getting ahead 13 23 forensic 4cast awards 2013 25 pro-file 28 hard drive secrets revealed 34 4:ward Contents Pictures Courtesy of http://www.flickr.com/photos/razor512/7695485686/ http://www.flickr.com/photos/zoliblog/2214058583/ Cover Photo Courtesy of http://www.flickr.com/photos/amagill/89623319/ 28 4:mag - issue #1 Q2 2013 3 4:Take a look at EVENthe events that are coming up for every forensicator’sTS calendar AccessData Users Conference - Las Vegas, NV - April 23-25 Lee Whitfield Teaching SANS 408 - Toronto, Canada - April 29 - May 4 Subtle Enough? CEIC - Orlando, FL - May 19-22 Mobile Forensics World - Myrtle Beach, SC - Jun 2-5 FIRST Conference - Bangkok, Thailand - Jun 16-21 SANS Digital Forensics and Incident Respone Summit - Austin, TX - July 9-10 HTCIA International Conference - Summerlin, NV - September 8-11 SANS Forensics - Prague - October 6-12 Sleuthkit and Open Source Forensics Conference - Chantilly, VA - Nov 4-5 F3 Annual Workshop - Tortworth Court, UK - November 5-7 Have we missed anything? If you know of something happening and you think that it would interest other forensicators please let us know by emailing [email protected] Picture courtesy of http://www.flickr.com/photos/ter-burg/5808816530/ 4 4:mag - issue #1 Q2 2013 4:EVENTS 4:whichED often causes me to loseIT brand new theories or products focus and become upset when that are completely original.
  • Windows Memory Forensics

    Windows Memory Forensics

    J Comput Virol (2008) 4:83–100 DOI 10.1007/s11416-007-0070-0 SSTIC 2007 BEST ACADEMIC PAPERS Windows memory forensics Nicolas Ruff Received: 5 January 2007 / Revised: 15 July 2007 / Accepted: 2 October 2007 / Published online: 1 November 2007 © Springer-Verlag France 2007 Abstract This paper gives an overview of all known “live” Web site) provided decryption key (for more information memory collection techniques on a Windows system, and on cryptovirology, see [6–8]). In this case, “offline” analy- freely available memory analysis tools. Limitations and sis might be impossible if no key is available at the time of known anti-collection techniques will also be reviewed. Anal- analysis. ysis techniques will be illustrated through some practical That is why there has been a lot of interest in “live” foren- examples, drawn from past forensics challenges. This paper sics techniques in the last 3years, starting with DFRWS 2005 is forensics-oriented, but the information provided informa- [28] challenge. tion will also be of interest to malware analysts fighting This paper encompasses the following topics: against stealth rootkits. – “Live” memory collection tools; – Analysis tools; 1 Introduction – “Real life” examples; – Known anti-forensics techniques. “In memory only” intrusion came out from the lab to the field through the release of [Meterpreter] in 2004 [4]. Other tools (like Immunity [CANVAS] and Core [IMPACT]) [1,2]have been offering the same capability for a long time, but those 2 Live memory collection tools were specialized and expensive. On the other hand, Metasploit is a freely available Open Source intrusion frame- Collecting “live” memory is not an easy task.