Historically, only file systems were considered storage where evidence could be found. But what about volatile memory, which contains a huge amount of useful information? Why not dump the content of memory while collecting data from a suspect computer? How do you analyze physical memory? Is it even possible? I will try to find the answer.
At forensics presentations everyone has surely seen the videos of the methods the police use to secure suspect computers. In the first step they pull the power from the PC and only then take care of the machine. A very easy task, isn't it? But all volatile data, and with it potential evidence, is lost.
I started looking for documents on methods of acquiring and analysing volatile memory, but little or no information on this subject is available in specialized books or on the internet.
Some methodologies can be found in many incident response guides. These guides describe toolkits that help investigators collect some data from a compromised machine. But these methods have several disadvantages and are rather useless in serious cases. The ideal solution is to dump the content of the whole memory in one step and then investigate the image offline. I decided to start my investigation with Linux memory images, mostly because all memory structures are well described and the source code is easily available ;).
Next I moved to the Windows operating system, which is more challenging. But even in this case a lot of interesting information can be extracted from a Windows memory image. Moreover, the research gave me some ideas for detecting processes hidden by tools such as rootkits.
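The idea behind detecting hidden processes in a memory image is a cross-view comparison: a rootkit unlinks its process from the kernel's process list, but the process structure is still sitting in physical memory, so a signature scan over the whole image finds what a list walk misses. The following is an added Python example, not code from the author's papers or from any real analysis tool. It uses a toy record layout invented for this example (it is not a Linux task_struct or a Windows EPROCESS), builds a constructed synthetic image in which one record has been unlinked from the list, and then compares the two views.

```python
import struct

# Toy record layout, an assumption made for this example only (not the layout
# of a real task_struct or EPROCESS):
#   +0   4 bytes  magic b"PROC"
#   +4   4 bytes  PID, little-endian
#   +8  16 bytes  process name, NUL-padded
#   +24  4 bytes  image offset of the next record in the list, 0 ends the list
MAGIC = b"PROC"
RECORD_FMT = "<4sI16sI"
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 28 bytes
LIST_HEAD = 0x10          # image offset that holds the offset of the first record
IMAGE_SIZE = 4096


def build_image(processes, hidden):
    """Construct a synthetic 'physical memory' image.

    processes: list of (pid, name) records placed 0x100 bytes apart.
    hidden: set of PIDs a rootkit has unlinked from the process list; their
    records stay in memory, the visible neighbours just point past them.
    """
    image = bytearray(IMAGE_SIZE)
    offsets = [0x100 + i * 0x100 for i in range(len(processes))]
    visible = [i for i, (pid, _) in enumerate(processes) if pid not in hidden]
    for i, (pid, name) in enumerate(processes):
        # every record (hidden ones too) points at the next *visible* record,
        # which is exactly what unlinking a node from a singly linked list leaves
        nxt = next((offsets[j] for j in visible if j > i), 0)
        rec = struct.pack(RECORD_FMT, MAGIC, pid, name.encode(), nxt)
        image[offsets[i]:offsets[i] + RECORD_SIZE] = rec
    first = offsets[visible[0]] if visible else 0
    struct.pack_into("<I", image, LIST_HEAD, first)
    return bytes(image)


def walk_process_list(image):
    """Enumerate processes the way a tool that trusts the kernel's list does."""
    seen, visited = [], set()
    off = struct.unpack_from("<I", image, LIST_HEAD)[0]
    while off and off not in visited:            # loop guard for corrupt lists
        visited.add(off)
        magic, pid, name, nxt = struct.unpack_from(RECORD_FMT, image, off)
        if magic != MAGIC:
            break
        seen.append((pid, name.rstrip(b"\0").decode()))
        off = nxt
    return seen


def carve_process_records(image):
    """Scan the whole image for record signatures, ignoring the list pointers."""
    found = []
    pos = image.find(MAGIC)
    while pos != -1 and pos + RECORD_SIZE <= len(image):
        _, pid, name, nxt = struct.unpack_from(RECORD_FMT, image, pos)
        # plausibility checks so a random byte run matching the magic is dropped
        if 0 < pid < 65536 and nxt < len(image):
            found.append((pid, name.rstrip(b"\0").decode(errors="replace")))
        pos = image.find(MAGIC, pos + 1)
    return found


def hidden_processes(image):
    """Cross-view: records present in memory but absent from the list walk."""
    listed = set(walk_process_list(image))
    return [p for p in carve_process_records(image) if p not in listed]


# Constructed sample: four processes, one of them unlinked by a "rootkit".
SAMPLE_PROCESSES = [(1, "init"), (613, "sshd"), (1337, "backdoor"), (2048, "bash")]
ROOTKIT_HIDDEN = {1337}
SAMPLE_IMAGE = build_image(SAMPLE_PROCESSES, ROOTKIT_HIDDEN)

if __name__ == "__main__":
    print("list walk :", walk_process_list(SAMPLE_IMAGE))
    print("carved    :", carve_process_records(SAMPLE_IMAGE))
    print("hidden    :", hidden_processes(SAMPLE_IMAGE))
```

Against a real image the record layout, the list head address and the plausibility checks all have to come from the structure definitions of the exact kernel build being examined; only the comparison logic carries over unchanged. A process that shows up in the carve but not in the list walk is not proof of a rootkit on its own (a recently exited process leaves the same residue), so the finding is a lead to confirm against other structures, not a verdict.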
All the details mentioned in this blog are documented in my papers "Digital forensics of the physical memory" and "An Introduction to Windows memory forensics", which are available at http://forensic.secure.net, and in my article for SecurityFocus.