Forensically Sound Retrieval and Recovery of Images from GPU Memory

Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 157)

Abstract

This paper adopts a method to retrieve graphic data stored in the global memory of an NVIDIA GPU. Experimentation shows that a 24-bit TIFF formatted graphic can be retrieved from the GPU in a forensically sound manner. However, like other types of Random Access Memory, acquired data cannot be verified due to the volatile nature of the GPU memory. In this work a Color Pattern Map Test is proposed to reveal the relationship between a graphic and its GPU memory organization. The mapping arrays derived from such testing can be used to visually restore graphics stored in the GPU memory. Described ‘photo tests’ and ‘redo tests’ demonstrate that it is possible to visually restore a graphic from the data stored in GPU memory. While initial results are promising, more work is still needed to determine if such methods of data acquisition within GPU memory can be considered forensically sound.
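The following added illustration (not code from the paper) sketches the idea behind a color pattern map test: a pattern whose colours encode their own pixel positions is stored, the memory dump is read back to derive a mapping array, and that array is then used to reorder the dump of a different image. The tiled layout, image size and all function names are assumptions made for this sketch; the abstract does not specify the actual GPU memory organization.

```python
# Added illustration: the tiled layout is a constructed stand-in, not the
# memory organization of any real GPU or the one measured in the paper.
W, H, TILE = 8, 8, 4  # constructed image size and tile edge (assumptions)

def simulated_gpu_store(pixels):
    """Black box standing in for the GPU: stores a row-major image tile by tile."""
    out = []
    for ty in range(0, H, TILE):
        for tx in range(0, W, TILE):
            for y in range(ty, ty + TILE):
                for x in range(tx, tx + TILE):
                    out.append(pixels[y * W + x])
    return out

def index_to_rgb(i):
    """Encode a pixel index as a unique 24-bit colour."""
    return ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)

def rgb_to_index(rgb):
    r, g, b = rgb
    return (r << 16) | (g << 8) | b

def derive_mapping():
    """Store the self-describing pattern and read where each pixel landed."""
    pattern = [index_to_rgb(i) for i in range(W * H)]
    dump = simulated_gpu_store(pattern)
    mapping = [rgb_to_index(c) for c in dump]  # mapping[offset] = image index
    if sorted(mapping) != list(range(W * H)):
        raise ValueError("dump is not a permutation of the pattern")
    return mapping

def restore(dump, mapping):
    """Reorder a memory dump back into row-major image order."""
    image = [None] * len(mapping)
    for offset, img_index in enumerate(mapping):
        image[img_index] = dump[offset]
    return image

def demo():
    """Constructed 'photo': stored, dumped, then restored with the mapping."""
    mapping = derive_mapping()
    photo = [((x * 31) % 256, (y * 17) % 256, (x ^ y) * 9 % 256)
             for y in range(H) for x in range(W)]
    dump = simulated_gpu_store(photo)
    return photo, dump, restore(dump, mapping)
```

The permutation check in `derive_mapping` fails loudly if the dump is incomplete or the layout is not a pure reordering, which is the case where a derived mapping array should not be trusted.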

Keywords

  • GPU forensics
  • Graphic recovery
  • Volatile memory acquisition


Corresponding author

Correspondence to Yulong Zhang.

Copyright information

© 2015 Institute for Computer Sciences, Social informatics and Telecommunication Engineering

About this paper

Cite this paper

Zhang, Y., Yang, B., Rogers, M., Hansen, R.A. (2015). Forensically Sound Retrieval and Recovery of Images from GPU Memory. In: James, J., Breitinger, F. (eds) Digital Forensics and Cyber Crime. ICDF2C 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 157. Springer, Cham. https://doi.org/10.1007/978-3-319-25512-5_5

  • DOI: https://doi.org/10.1007/978-3-319-25512-5_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25511-8

  • Online ISBN: 978-3-319-25512-5

  • eBook Packages: Computer Science, Computer Science (R0)