memory forensics

Until the early 2000s, memory forensics was done on an ad hoc basis (termed unstructured analysis), often using generic data analysis tools like strings and grep.{{cite journal |doi=10.1016/j.diin.2016.12.004 |first1=Andrew |last1=Case |first2=Golden G. |last2=Richard III |journal=Digital Forensics |date=March 2017 |pages=23-33 |volume=20 |title=Memory forensics: The path forward}} These tools are not specifically created for memory forensics, and therefore are difficult to use.They also provide limited information. In general, their primary usage is to extract text from the memory dump.{{cite book |author1=Dan Farmer |author2=Wietse Venema |title=Forensic Discovery |chapter-url=http://www.porcupine.org/forensics/forensic-discovery/chapter8.html |chapter= Chapter 8: Beyond Processes |url=http://www.porcupine.org/forensics/forensic-discovery/}}

Many operating systems provide features to kernel developers and end-users to actually create a snapshot of the physical memory for either debugging (e.g. core dump or Blue Screen of Death) purposes or experience enhancement (e.g. hibernation). In the case of Microsoft Windows, crash dumps and hibernation had been present since Microsoft Windows NT. Microsoft crash dumps had always been analyzable by Microsoft WinDbg, and Windows hibernation files (hiberfil.sys) are nowadays convertible in Microsoft crash dumps using utilities like MoonSols Windows Memory Toolkit designed by Matthieu Suiche.{{Citation needed|date=May 2023}}

One significant step towards structured analysis was in a February 2004 article in SysAdmin Magazine, where Michael Ford demonstrated a more rigorous practice of memory forensics.{{cite web |last=Ford |first=Michael |date=2004 |url=http://www.drdobbs.com/linux-memory-forensics/199101801 |title=Linux Memory Forensics |publisher=SysAdmin Magazine}} In that article, he analyzes a memory based rootkit utilizing the existing Linux crash utility as well as two tools developed specifically to recover and analyze the memory forensically, memget and mempeek.{{Citation needed|date=May 2023}}

In 2005, DFRWS issued a Memory Analysis Forensics Challenge.{{cite web |archive-url=https://web.archive.org/web/20061007145847/http://www.dfrws.org/2005/challenge/ |url=http://www.dfrws.org/2005/challenge/ |archive-date=7 Oct 2006 |title=DFRWS 2005 Forensics Challenge}} In response to this challenge, more tools in this generation, specifically designed to analyze memory dumps, were created - such as MoonSols, KntTools, the FATKit, VolaTools, and Volatility. These tools had knowledge of the operating system's internal data structures, and were thus capable of reconstructing the operating system's process list and process information.

Although intended as research tools, they proved that operating system level memory forensics is possible and practical.

Subsequently, several memory forensics tools were developed intended for practical use. These include both commercial tools like Responder PRO, Memoryze, winen, Belkasoft Live RAM Capturer, etc.. New features have been added, such as analysis of Linux and Mac OS X memory dumps, and substantial academic research has been carried out.{{cite journal |doi=10.1016/j.diin.2006.10.001 |last1=Petroni |first1=N. L. |last2=Walters |first2=A. |last3=Fraser |first3=T. |last4=Arbaugh |first4=W. A. |date=2006 |title= FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory |journal=Digital Investigation |volume=3 |issue=4 |pages=197-210}}{{cite journal |last1=Inoue |first1=H. |last2=Adelstein |first2=F. |last3=Joyce |first3=R. A. |date=2011 |doi=10.1016/j.diin.2011.05.006 |title=Visualization in testing a volatile memory forensic tool |journal=Digital Investigation |volume=8 |issue=Supplement |pages=S42-S51|doi-access=free }}

Unlike Microsoft Windows, Mac OS X interest is relatively new and had only been initiated by Matthieu Suiche{{cite web |author=Matthieu Suiche |publisher=Black Hat Briefings |location=DC |date=February 2010 |url=https://www.blackhat.com/presentations/bh-dc-10/Suiche_Matthieu/Blackhat-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-slides.pdf |title=Advanced Mac OS X Physical Memory Analysis}} in 2010 during Black Hat Briefings security conference.{{Citation needed|date=May 2023}}

Currently, memory forensics is a standard component of incident response.

Beginning 2010, more utilities focused on the visualization aspect of memory analysis, such as MoonSols LiveCloudKd presented{{cite conference |author=Matthieu Suiche |conference=Microsoft Blue Hat Hacker Conference |date=Fall 2010 |url=https://technet.microsoft.com/en-us/security/ff967505.aspx |archive-url=https://web.archive.org/web/20101020174633/https://technet.microsoft.com/en-us/security/ff967505.aspx |archive-date=20 Oct 2010 |title=BlueHat Security Briefings: Fall 2010 Sessions}}{{cn|date=July 2024|reason=other source is just a listing of talks}} by Matthieu Suiche at Microsoft BlueHat Security Briefings that inspired{{cite web |url=http://blogs.technet.com/b/markrussinovich/archive/2010/10/14/3360991.aspx |archive-url=https://web.archive.org/web/20101018201303/http://blogs.technet.com/b/markrussinovich/archive/2010/10/14/3360991.aspx |archive-date=18 Oct 2010 |title=LiveKd for Virtual Machines Debugging |author=Mark Russinovich}} a new feature in Microsoft LiveKd written by Mark Russinovich{{Cite web|url=https://technet.microsoft.com/en-us/sysinternals/livekd.aspx |title=LiveKd v5.63 |author1= Mark Russinovich |author2=Ken Johnson |date=23 Mar 2021}} to allow virtual machines introspection by accessing the memory of guest virtual machine from the host virtual machine in order to either analyze them directly with the assistance of Microsoft WinDbg or to acquire a memory dump in a Microsoft crash dump file format.{{Citation needed|date=May 2023}}

• Computer forensics
• Data breach
• Data erasure
• Data loss
• Data recovery
• Data remanence
• Data sanitization
• Digital forensics
• File carving

{{Reflist}}

• [https://volatilityfoundation.org/volatility-timeline The History of Memory Forensics & The Volatility Framework]

Category:Computer forensics