Risks of live digital forensic analysis
Communications of the ACM - Next-generation cyber forensics
Next-generation digital forensics
Communications of the ACM - Next-generation cyber forensics
A proposal for an integrated memory acquisition mechanism
ACM SIGOPS Operating Systems Review
Acquiring volatile operating system data tools and techniques
ACM SIGOPS Operating Systems Review
Forensics examination of volatile system data using virtual introspection
ACM SIGOPS Operating Systems Review
Automated Windows Memory File Extraction for Cyber Forensics Investigation
Journal of Digital Forensic Practice
Lest we remember: cold boot attacks on encryption keys
SS'08 Proceedings of the 17th conference on Security symposium
Emulating emulation-resistant malware
Proceedings of the 1st ACM workshop on Virtual machine security
WISTP'08 Proceedings of the 2nd IFIP WG 11.2 international conference on Information security theory and practices: smart devices, convergence and next generation networks
HyperCheck: a hardware-assisted integrity monitor
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Attribution of malicious behavior
ICISS'10 Proceedings of the 6th international conference on Information systems security
vIOMMU: efficient IOMMU emulation
USENIXATC'11 Proceedings of the 2011 USENIX conference on USENIX annual technical conference
TRESOR runs encryption securely outside RAM
SEC'11 Proceedings of the 20th USENIX conference on Security
Investigating the PROCESS block for memory analysis
ACS'11 Proceedings of the 11th WSEAS international conference on Applied computer science
FACE: Automated digital evidence discovery and correlation
Digital Investigation: The International Journal of Digital Forensics & Incident Response
A survey of main memory acquisition and analysis techniques for the windows operating system
Digital Investigation: The International Journal of Digital Forensics & Incident Response
BodySnatcher: Towards reliable volatile memory acquisition by software
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Live memory forensics of mobile phones
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Using a software exploit to image RAM on an embedded system
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Persistent systems techniques in forensic acquisition of memory
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Extraction of forensically sensitive information from windows physical memory
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Searching for processes and threads in Microsoft Windows memory dumps
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Generalizing sources of live network evidence
Digital Investigation: The International Journal of Digital Forensics & Incident Response
When hardware meets software: a bulletproof solution to forensic memory acquisition
Proceedings of the 28th Annual Computer Security Applications Conference
| Hi-index | 0.00 |
The acquisition of volatile memory from a compromised computer is difficult to perform reliably because the acquisition procedure should not rely on untrusted code, such as the operating system or applications executing on top of it. In this paper, we present a procedure for acquiring volatile memory using a hardware expansion card that can copy memory to an external storage device. The card is installed into a PCI bus slot before an incident occurs and is disabled until a physical switch on the back of the system is pressed. The card cannot easily be detected by an attacker and the acquisition procedure does not rely on untrusted resources. We present general requirements for memory acquisition tools, our acquisition procedure, and the initial results of our hardware implementation of the procedure.