BodySnatcher: Towards reliable volatile memory acquisition by software

DFRWS 2007 Annual Conference

Volumn , Issue , 2007, Pages

  Schatz, Bradley ^a  

^a Evimetry   (Australia)

Author keywords

Digital forensics; Memory acquisition; Memory imaging; Volatile memory forensics

Indexed keywords

DIGITAL EVIDENCE; DIGITAL FORENSIC; FULL CONTROL; PHYSICAL MEMORY; PROOF OF CONCEPT; ROOTKITS; VOLATILE MEMORY; WINDOWS 2000;

COMPUTER CRIME; ELECTRONIC CRIME COUNTERMEASURES;

TREES (MATHEMATICS);

EID: 84868380591     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1016/j.diin.2007.06.009     Document Type: Conference Paper

References (22)

1. Aloni D. Cooperative Linux. In: Linux symposium, Ottawa, CA, 2004.
2. Boileau A. Hit by a bus: physical access attacks with Firewire [cited April 2007]. Available from: 〈http://www.securityassessment.com/files/ presentations/ab-firewire-rux2k6-final.pdf〉; 2006.
3. Bilby D. Low down and dirty: anti-forensic rootkits [cited May 2007]. Available from: 〈https://www.blackhat.com/presentations/bh-jp-06/BH-JP-06- Bilby-up.pdf〉; 2006.
4. Becher M, Dornseif M, Klein CN. FireWire: all your memory are belong to us [cited April 2007]. Available from: 〈http://cansecwest.com/core05/2005- firewire-cansecwest.pdf〉; 2005.
5. Barham P, Dragovic B, Fraser K, Hand, S, Harris T, et al. Xen and the art of virtualization. In: ACM symposium on operating systems principles, Bolton Landing, NY; 2003.
6. Carrier BD, Grand J. A hardware-based memory acquisition procedure for digital investigations. J Digit Investig 2004;1(1).
7. Casey E. Practical approaches to recovering encrypted digital evidence. Int J Digit Evid 2002;1(3).
8. Carvey H. lsproc released [cited April 2007]. Available from: 〈http://windowsir.blogspot.com/2006/04/lsproc-released.html〉; 2006.
9. DFRWS.Memory analysis challenge [citedApril 2007].Available from: 〈http://www.dfrws.org/2005/challenge/index.html〉; 2005.
10. Drake C, Brown K. PANIC! UNIX system crash dump analysis handbook. Pearson Education; 1995.
11. Farmer D, Venema W. Forensic discovery. Addison Wesley Professional; 2004.
12. Garner GM. Forensic acquisition utilities [cited April 2007]. Available from: 〈http://users.erols.com/gmgarner/forensics〉;2006.
13. Goyal V, Biederman EW, Nellitheertha H. Kdump, a kexec-based kernel crash dumping mechanism. In: Linux symposium, Ottowa, CA, 2005.
14. Garner GM. Overview of kntlist analysis tool [cited April 2007]. Available from: 〈http://www.dfrws.org/2005/challenge/kntlist.html〉; 2005.
15. MicroSoft. Windows feature lets you generate a memory dump file by using the keyboard [cited April 2007]. Available from: 〈http://support.microsoft. com/?kbid=244139〉; 2007.
16. Petroni NL, et al. FATKit: a framework for the extraction and analysis of digital forensic data from volatile system memory. Digit Investig 2006;3(4).
17. Rutlowska J. Beyond the CPU: cheating hardware based RAM forensics [cited April 2007]. Available from: 〈http://invisiblethings.org/papers/cheating- hardware-memoryacquisition-updated.ppt〉; 2007.
18. Ring S, Cole E. Volatile memory computer forensics to detect kernel level compromise. In: Lecture notes in Computer Science; 2004. p. 158-70. (Pubitemid 39737137)
19. Schuster A. Searching for processes and threads in Microsoft Windows memory dumps. In: Digital forensics workshop (DFRWS), 2006.
20. Sparks S, Butler J. Shadow walker: raising the bar for Windows rootkit detection [cited 23 May 2007]. Available from: 〈http://www.phrack.org/ archives/63/p63-0x08-Raising-The-Bar-For-Windows-Rootkit-Detection.txt〉; 2005.
21. Vidstrom A. Memory dumping with NTSystemDebugControl [cited April 2007]. Available from: 〈http://ntsecurity.nu/onmymind/2007/2007-02-04.html〉; 2006a.
22. Vidstrom A. Forensic memory dumping intricacies - PhysicalMemory, DD, and caching issues [cited April 2007]. Available from: 〈http://ntsecurity.nu/ onmymind/2006/2006-06-01.html〉; 2006b.