A Compiled Memory Analysis Tool

  • James Okolica
  • Gilbert Peterson
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 337)

Abstract

The analysis of computer memory is becoming increasingly important in digital forensic investigations. Volatile memory analysis can provide valuable indicators of what to search for on a hard drive, help recover passwords to encrypted hard drives, and possibly refute defense claims that criminal activity was the result of a malware infection. Historically, digital forensic investigators have performed live response by executing multiple utilities. However, using a single tool to capture and analyze computer memory is more efficient and has less impact on the system state (potential evidence). This paper describes CMAT, a self-contained tool that extracts forensic information from a memory dump and presents it in a format suitable for further analysis. A comparison of its results with those of utilities commonly employed in live response demonstrates that CMAT provides similar information and identifies malware that the utilities miss.

Keywords

Live response, memory analysis, rootkit detection

Copyright information

© International Federation for Information Processing 2010

Authors and Affiliations

  • James Okolica (1)
  • Gilbert Peterson (1)
  1. Air Force Institute of Technology, Wright-Patterson Air Force Base, USA