Memory Forensics Examines The Information Computer Science Essay

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Future work: a large number of forensic artifacts reside in drivers or dynamic link libraries, e.g. print spooler information, video driver information and clipboard contents. Applying the methodology discussed in the paper to extract these forensic artifacts would be very useful future work.

Discussion 18: As modern Windows operating systems aggressively cache file data in memory, a large part of memory is occupied by file data cached from the hard drive. Current forensic tools and techniques, however, do not take mapped-file information into account. This paper describes a method for recovering files mapped in memory and for linking mapped-file information to process data. It discusses three methods for recovering files from memory:

Allocated file-mapping structures - Running and hidden processes contain pointers to the VAD Root and the Object Table. By going through the Object Table it is possible to reconstruct private files, i.e. files that can only be accessed by the process that has mapped the file.

Unallocated file-mapping structures - A Page Table may still be present in memory after its Control Area has been overwritten, so carving for Page Tables may be useful. Once the order of the pages has been reconstructed and the file extracted, it is sometimes possible to determine the file type by looking at header information.

Unidentified file pages - Pages previously used for storing mapped-file data may no longer have any structure pointing to them. The file data is still present in the page and can be identified by matching the MD5 hash of the page's data against hashes of 4 KB blocks from files on the hard drive.
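The third method, page-hash matching, as an added worked example (not code from the paper): every 4 KB block of the known files is hashed into an index, each page of the memory image is hashed and looked up, and two edge cases a practitioner hits immediately are handled. The final partial block of a file is zero-padded because Windows zero-fills the part of a mapped page past end of file, and all-zero pages are skipped because they match any zero block. The file contents and the five-page "memory image" are constructed inline.

```python
import hashlib

PAGE = 4096                         # x86 page size; the paper matches 4 KB file blocks
ZERO_PAGE_MD5 = hashlib.md5(b"\0" * PAGE).hexdigest()

def index_file_blocks(files):
    """Map the MD5 of every 4 KB block of each known file (name -> bytes) to (name, offset) pairs.
    The final partial block is zero-padded, because Windows zero-fills a mapped page past EOF."""
    index = {}
    for name, data in files.items():
        for blk in range(0, len(data), PAGE):
            digest = hashlib.md5(data[blk:blk + PAGE].ljust(PAGE, b"\0")).hexdigest()
            index.setdefault(digest, []).append((name, blk))
    return index

def match_pages(image, index):
    """Hash each page of the memory image and report those found in the block index.
    All-zero pages are skipped: they match any zero block and carry no evidential weight."""
    hits = {}
    for off in range(0, len(image) - PAGE + 1, PAGE):
        digest = hashlib.md5(image[off:off + PAGE]).hexdigest()
        if digest != ZERO_PAGE_MD5 and digest in index:
            hits[off] = index[digest]     # more than one pair means an ambiguous (shared) block
    return hits

def build_sample():
    """Constructed inputs: two 'disk' files and a five-page 'memory image' with no structures left."""
    files = {"report.bin": b"A" * PAGE + b"B" * PAGE + b"C" * 100,
             "notes.txt": b"N" * PAGE + b"O" * PAGE}
    image = (bytes(range(256)) * 16                 # page 0: unrelated data
             + b"B" * PAGE                          # page 1: second block of report.bin
             + b"\0" * PAGE                         # page 2: zero page, must be ignored
             + b"C" * 100 + b"\0" * (PAGE - 100)    # page 3: zero-filled tail of report.bin
             + b"N" * PAGE)                         # page 4: first block of notes.txt
    return files, image

if __name__ == "__main__":
    files, image = build_sample()
    for off, sources in sorted(match_pages(image, index_file_blocks(files)).items()):
        print(f"page at 0x{off:06x} -> {sources}")
```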

Future work: It should be possible to add more versions of Windows. It may be possible to extend the tools to include the page file.

Discussion 19: This paper proposes an automated system to support analysis of the dynamic properties of a mobile phone's live memory for interactive applications.

Figure 3 System Overview

The proposed system consists of the following components:

Message Script Generator (MSG)

UI/Application Exerciser Monkey

Chat Bot

Memory Acquisition Tool (memgrab)

Memory Dump Analyser (MDA)

The paper describes the experiments and presents the results on identifying the memory region of a process where the message exchange can be observed, and on investigating the cached data and the persistence of volatile evidence data. The experimental results showed that outgoing messages (from the phone) had a higher persistence than incoming messages (to the phone).

Future work: The system will be used to study the acquisition of evidence in an actual communication scenario. The system will be ported to other mobile phone platforms.

Discussion 20: This paper analyzes the pool allocation mechanism of the Microsoft Windows operating system. It describes a test environment that allows a time series of physical memory images to be obtained, and shows that allocations from the nonpaged pool are reused based on their size on a last-in, first-out schedule.

Environment - The experimentation environment was built upon the VMware Workstation 6.0.2 virtual machine monitor, which allows a snapshot to be created at any time; the resulting .vmem file provides an image of the emulated physical memory.

Probe - A small program was created that recursively spawns itself for a specified number of instances. Every instance then records its instance number and process ID in a log file.

Experiments - A script for the Windows command processor was created. Such a script mainly contains invocations of the probe, with a suitable number of instances passed as an option.

The paper also notes positives and negatives of forensic agents that run on the system under examination:

On the positive side, forensic software that is expected to execute on the system under examination should use as few system resources as possible. An agent can make an instant connection to a suspect machine, examine its state and obtain a forensic image of the hard disk drive and the main memory. Agents will generally be installed prior to an incident and then run in the background.

On the negative side, forensic agents need to execute code at the system privilege level and communicate over the network, so a security vulnerability in the agent's code could expose the monitored host to a remote compromise. In addition, a knowledgeable attacker may detect the agent and respond accordingly.

Future work: Further research is needed to fully understand the compaction strategy that is pursued by the pool manager. The experiment could be repeated under a continuous artificial load in order to simulate real-world conditions.

Discussion 21: This paper describes an algorithm to locate paging structures in a memory image of an x86 platform running either Linux or Windows XP, which can be used to find potential processes that were hidden by rootkits or other malware. The first pass of the algorithm searches a potential page directory for kernel mappings. The second pass inspects the potential page directory by looking at the userspace entries (entries 0-767).

Figure 4 Algorithm parameters for different OS

A page directory detected by the algorithm is expected to be one of the following:

Present in the kernel’s copy of the task structure list

Consistent with the pattern of a terminated task, having only the kernel mappings and a pointer in entry 0

The master kernel Page Global Directory, also known as swapper_pg_dir (one instance per memory image, found low in physical memory) (Bovet and Cesati, 2006)

If there are other page directories found by the algorithm that do not match one of those three groups, they are flagged as potentially malicious.
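The two-pass scan and the three-way classification described above, as an added example that is not the paper's code. It assumes non-PAE x86 with a 3 GB/1 GB split (kernel mappings in page directory entries 768-1023), a hypothetical minimum count of present kernel entries in place of the parameters in the paper's Figure 4, and that swapper_pg_dir carries kernel mappings only; the 256 KB memory image and the task-list page directory addresses are constructed.

```python
import random
import struct

PAGE = 4096
KERNEL_START = 768           # assumed 3 GB/1 GB split: PDEs 768..1023 map kernel space
MIN_KERNEL_PRESENT = 64      # assumed threshold; the paper's real parameters are in its Figure 4

def find_page_directories(image):
    """Pass 1 keeps pages with dense, in-RAM kernel mappings; pass 2 checks userspace entries."""
    nframes = len(image) // PAGE
    ok = lambda e: e == 0 or (e & 1 and (e >> 12) < nframes)  # clear, or present and inside RAM
    found = {}
    for off in range(0, len(image), PAGE):
        pd = struct.unpack_from("<1024I", image, off)        # 1024 four-byte PDEs (non-PAE x86)
        kernel, user = pd[KERNEL_START:], pd[:KERNEL_START]
        if sum(e & 1 for e in kernel) < MIN_KERNEL_PRESENT or not all(ok(e) for e in kernel):
            continue                                          # pass 1 failed
        if not all(ok(e) for e in user):
            continue                                          # pass 2 failed
        found[off] = [i for i, e in enumerate(user) if e & 1]  # present userspace entries
    return found

def classify(found, task_list_pds):
    """Sort carved page directories into the paper's three expected groups; anything else is flagged."""
    labels = {}
    for off, user_present in found.items():
        if off in task_list_pds:
            labels[off] = "task-list"
        elif not user_present:
            labels[off] = "swapper_pg_dir"      # kernel mappings only (assumed pattern)
        elif user_present == [0]:
            labels[off] = "terminated"          # kernel mappings plus a pointer in entry 0
        else:
            labels[off] = "SUSPICIOUS"          # maps user memory but is in no task structure
    return labels

def build_image(nframes=64, seed=7):
    """Constructed 256 KB image: random filler plus four hand-built page directories."""
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(nframes * PAGE))
    def pd(user_entries):
        e = [0] * 1024
        for i in range(KERNEL_START, 1024):
            e[i] = ((40 + i % 20) << 12) | 0x63              # present kernel PDEs, frames 40..59
        for i in user_entries:
            e[i] = ((1 + i % 30) << 12) | 0x67               # present user PDEs, frames 1..30
        return struct.pack("<1024I", *e)
    img[3 * PAGE:4 * PAGE] = pd([])                 # swapper_pg_dir
    img[10 * PAGE:11 * PAGE] = pd([0, 1, 2, 700])   # process present in the task list
    img[20 * PAGE:21 * PAGE] = pd([0, 5, 6])        # process hidden from the task list
    img[30 * PAGE:31 * PAGE] = pd([0])              # terminated task
    return bytes(img)
```

Running `classify(find_page_directories(build_image()), {10 * PAGE})` labels only the directory at page 20 as SUSPICIOUS, since it maps user memory but is not reachable from the task list.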

Limitations: Assumptions are made about when and how page tables are laid out in memory. The second limitation is that paging is assumed to be turned on and in use for all running processes.

Future work: A hypervisor rootkit hides itself from the running instance of the operating system. Research into common hypervisor flag settings and the number of expected page directory entries is left for future work.