A proposal for an integrated memory acquisition mechanism

Operating Systems Review (ACM)

Volumn 42, Issue 3, 2008, Pages 14-20

  Libster, Eugene ^a   Kornblum, Jesse D ^a  

^a ManTech International Corporation   (United States)

Author keywords

Memory acquisition; Memory analysis; Memory capture; Operating systems

Indexed keywords

FORENSIC ANALYSIS; INCIDENT RESPONSE; MEMORY ANALYSIS; OPERATING SYSTEMS; ROOTKITS; SPECIALIZED HARDWARE; VOLATILE MEMORY;

COMPUTER OPERATING SYSTEMS;

EID: 57849133518     PISSN: 01635980     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1368506.1368510     Document Type: Conference Paper

References (42)

1. Becher, M., Dorsneif, M., and Klein, C.N., FireWire: all your memory are belong to us, CanSecWest, Vancouver, BC, Canada, 2005.
2. Bilby, Darren, DDefyM - Memory Antiforensics Rootkit. http://www.neo.co.nz/projects.html.
3. Bilby, Darren. Low down and dirty: Anti-forensic rootkits. In Proceedings of Ruxcon 2006. Security-Assessment.com, 2006.
4. Boileau, Adam, Hit by a Bus: Physical Access Attack with Firewire, Ruxcon, University of Technology Sydney, Australia, 2006.
5. Butler, Jamie, and Sparks, Sherry, "Shadow Walker" Raising the Bar for Rootkit Detection, BlackHat, Las Vegas, NV, USA, 2005. http://www.blackhat.com/presentations/bhjp-05/bh-jp-05-sparks-butler.pdf
6. Carrier, B.D. And Grand, J., A Hardware-Based Memory Acquisition Procedure for Digital Investigations, Digital Investigation, 1(1):50-60, 2004. http://www.grandideastudio.com/files/security/tribble/tribble-memory- acquisition.pdf.
7. Carvey, Harlan. Windows Forensic Analysis. Syngress, Burlington, MA, 2007.
8. Combs, Gerald. Wireshark, 2007. http://www.wireshark.org
9. Digital Forensic Research Workshop 2007 File Carving Challenge. http://dfrws.org/2007/challenge/
10. Digital Forensic Research Workshop 2008 Memory Analysis Challenge. http://www.dfrws.org/2008/challenge/
11. Feldman, Mark, RealMem Memory Mode, http://www.nondot.org/sabre/os/files/ ProtectedMode/realmem.txt. Downloaded January 24, 2008.
12. Florio, Elia, When Malware Meets Rootkits, Virus Bulletin, 2005. http://www.virusbtn.com/virusbulletin/archive/2005/12/vb20 0512-malware-meets- rootkits.dkb
13. Free Software Foundation. GNU core utilities, 6.9 edition, 2007. http://www.gnu.org/software/coreutils/
14. Garfinkel, Simson and Basis Technology Corp., AFF: The Advanced Forensic Format, 2007. http://www.afflib.org/
15. GMER, Stealth MBR rootkit, 2008. http://www2.gmer.net/mbr/
16. GMG Systems Incorporated. Forensic Acquisition Utilities, 2007. http://www.gmgsystemsinc.com/fau/.
17. GMG Systems Incorporated. KnTTools with KnTList, 2007. http://www.gmgsystemsinc.com/knttools/.
18. GNU. NetCat, 2008. http://netcat.sourceforge.net/
19. Hinton, G., Sager, D., Upton, M., Boggs, D., Carmean, D., Kyker, A., Roussel, P., The Microarchitecture of the Pentium 4 Processor, Intel Technology Journal, 2001. http://www.intel.com/technology/itj/q12001/pdf/art-2.pdf
20. Hoglund, Greg & Butler, James, Rootkits: Subverting the Windows Kernel, Addison-Wesley, Boston, 2006.
21. Holy Father. Hacker Defender, 2005. http://www.megasecurity.org/trojans/ h/hackerdefender/Hackerdefender1.00r.html
22. Howard, Michael, Address Space Layout Randomization in Windows Vista. Microsoft Corporation, May 2006, http://blogs.msdn.com/michael-howard/archive/ 2006/05/26/address-space-layout-randomization-in-windows-vista.aspx
23. Intel Corporation, Execute Disable Bit Functionality Blocks Malware Code Execution, 2007. http://cache-www.intel.com/cd/00/00/14/93/149307-149307.pdf
24. Kornblum, Jesse D., Using Every Part of the Buffalo in Windows Memory Analysis. Digital Investigation, 4(1):24-29, 2007. http://dx.doi.org/10.1016/j. diin.2006.12.002
25. Microsoft Corporation, Device\PhysicalMemory Object, 2007. http://technet2.microsoft.com/windowsserver/en/library/e0f862a3-cf16-4a48-bea5- f2004d12ce351033.mspx
26. Microsoft, Inside the Windows Vista Kernel: Part 3, Microsoft TechNet Magazine, April 2007. http://www.microsoft.com/technet/technetmag/issues/2007/ 04/VistaKernel/
27. Microsoft, Windows feature lets you generate a memory dump file by using the keyboard, 2007, http://support.microsoft.com/kb/244139/en-us
28. Permeh, Ryan, & Soeder, Derek, eEye BootRoot, BlackHat, Las Vegas, NV, USA, 2005.
29. Petroni, J.N.L., Walters, A., Fraser, T., and Arbaugh, W.A., FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory, Digital Investigation, 3 (2006), pp.197-210.
30. Rodream, One Possible Way to Avoid UAC in Windows Vista, 2007. http://www.rootkit.com/newsread.php?newsid=773
31. th Edition, Microsoft Press, Redmond, 2005.
32. Russinovich, M.E., Inside Native Applications, Microsoft TechNet, 2006. http://technet.microsoft.com/enus/sysinternals/bb897447.aspx
33. Rutkowska, Joanna, Beyond The CPU: Defeating Hardware Based RAM Acquisition (part 1: AMD case), Black Hat DC, Washington DC, USA, 2007. http://www.invisiblethings.org/papers/cheating-hardware-memory-acquisition- updated.ppt
34. Schuster, Andreas. Reconstructing a Binary (1). Personal weblog, 2006. http://computer.forensikblog.de/en/2006/04/reconstructing-a-binary.html
35. Schuster, Andreas. Searching for processes and threads in microsoft windows memory dumps. Digital Investigation, 3(S):10-16, August 2006. http://dfrws.org/2006/proceedings/2-Schuster.pdf.
36. th ACM conference on Computer and communications security, pp. 298-307, Washington DC, USA, 2004. http://portal.acm.org/citation.cfm?id=1030124&dl=ACM&coll=&CFID= 15151515&CFTOKEN=6184618
37. Silberman, Peter & C.H.A.O.S., futo, 2007. http://www.uninformed.org/ ?v=3&a=7&t=sumry
38. Singh, Amit, Mac OS X Internals: A Systems Approach, Addison Wesley Professional, 2006.
39. Trusted Computing Group. Trusted Platform Module Specifications, 2007. https://www.trustedcomputinggroup.org/specs/TPM/
40. Vidstrom, Arne, Memory dumping over FireWire - UMA issues, 2007. http://www.ntsecurity.nu/onmymind/2006/2006-09-02.html
41. Volatile Systems. Volatility Framework, 2007. http://www.volatilesystems. com/VolatileWeb/volatility.gsp
42. Zeichick, Alan, Security Ahoy! Flying the NX Flag on Windows and AMD64 To Stop Attacks, AMD Developer Central, 2007. http://developer.amd.com/ TechnicalArticles/Articles/Pages/3312005143.aspx