A proposal for an integrated memory acquisition mechanism

Authors:
Eugene Libster;Jesse D. Kornblum
Affiliations:
ManTech International Corporation, Columbia, MD;ManTech International Corporation, Columbia, MD
Venue:
ACM SIGOPS Operating Systems Review
Year:
2008

Citing 8
Cited 5

On the effectiveness of address-space randomization

Proceedings of the 11th ACM conference on Computer and communications security
Rootkits: Subverting the Windows Kernel

Rootkits: Subverting the Windows Kernel
Mac OS X Internals

Mac OS X Internals
Windows Forensic Analysis DVD Toolkit

Windows Forensic Analysis DVD Toolkit
Using every part of the buffalo in Windows memory analysis

Digital Investigation: The International Journal of Digital Forensics & Incident Response
FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Searching for processes and threads in Microsoft Windows memory dumps

Digital Investigation: The International Journal of Digital Forensics & Incident Response
A hardware-based memory acquisition procedure for digital investigations

Digital Investigation: The International Journal of Digital Forensics & Incident Response

Automated Windows Memory File Extraction for Cyber Forensics Investigation

Journal of Digital Forensic Practice
Investigating the PROCESS block for memory analysis

ACS'11 Proceedings of the 11th WSEAS international conference on Applied computer science
A survey of main memory acquisition and analysis techniques for the windows operating system

Digital Investigation: The International Journal of Digital Forensics & Incident Response
A partially reconstructed previous Gmail session by live digital evidences investigation through volatile data acquisition

Security and Communication Networks
When hardware meets software: a bulletproof solution to forensic memory acquisition

Proceedings of the 28th Annual Computer Security Applications Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

Volatile memory forensics has become increasingly prominent in forensic analysis and incident response. Unfortunately there is currently no forensically sound method of acquiring an image of a system's memory without attaching specialized hardware. This paper proposes the addition of a memory acquisition mechanism to the operating system, thereby removing the need to load an external program. The method minimizes the acquisition's impact on the system's state, as well as making it more difficult for malicious programs to avoid detection or interfere with the memory dump. The risks of allowing a full memory capture and some considerations on how this method would interact with rootkits are also discussed.