Anti-forensic resilient memory acquisition

Memory analysis has gained popularity in recent years, proving to be an effective technique for uncovering malware in compromised computer systems. The process of memory acquisition presents unique evidentiary challenges, since many acquisition techniques require code to be run on a potentially compromised system, which opens an avenue for anti-forensic subversion. In this paper, we examine a number of simple anti-forensic techniques and test a representative sample of current commercial and free memory acquisition tools. We find that current tools are not resilient to very simple anti-forensic measures. We present a novel memory acquisition technique, based on direct page table manipulation and PCI hardware introspection, that does not rely on operating system facilities and is therefore more difficult to subvert. We then evaluate this technique's remaining vulnerability to subversion by considering more advanced anti-forensic attacks.
