http://dx.doi.org/10.13089/JKIISC.2011.21.2.71

The Windows Physical Memory Dump Explorer for Live Forensics  

Han, Ji-Sung (Digital Forensic Research Center, Korea University)
Lee, Sang-Jin (Digital Forensic Research Center, Korea University)
Abstract
Live data in physical memory can be acquired by live forensics but not by hard-disk file-system analysis, so live forensics is now widely used in forensic investigations. Existing live forensic methods, however, run command-line tools on the live system and have several weaknesses: their results are difficult to re-analyze later, and they can be tampered with by malicious code running on that system. For these reasons, this paper explains the Windows kernel architecture and how to analyze physical memory dump files in order to complement the weaknesses of traditional live forensics. We then design and implement the Physical Memory Dump Explorer and show the effectiveness of our tool through test results.
Keywords
digital forensics; live forensics; live data; physical memory; windows memory analysis; kernel objects;