Robust bootstrapping memory analysis against anti-forensics

Memory analysis is increasingly used to collect digital evidence in incident response. With the fast growth of memory analysis, however, anti-forensic techniques have appeared that prevent it from performing its bootstrapping steps: operating system (OS) fingerprinting, Directory Table Base (DTB) identification, and obtaining kernel objects. Although most published research works try to counter anti-forensics, each of them deals with only one of the three steps. Thus, even with the suggested robust algorithms, a failure in any one of the three steps leads to failure of the whole memory analysis. In this paper, we evaluate the latest memory forensic tools against anti-forensics. Then, we suggest a novel robust algorithm that guarantees the bootstrapping analysis steps. It uses only one kernel data structure, KiInitialPCR, which is a kernel global variable based on the kernel processor control region (KPCR) structure and has many fields with tolerance to mutation. We characterize the robust fields of the KPCR structure and use them for OS fingerprinting, DTB identification, and obtaining kernel objects. Then, we implement the KiInitialPCR-based analysis system. As a result, we can analyze compromised memory in spite of the interference of anti-forensics.
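As an added illustration of the kind of mutation-tolerant KPCR signature the abstract relies on (example code written for this page, not the authors' KiInitialPCR system), the scanner below walks a raw physical image page by page and accepts a page as a KPCR only when its self-referential pointers are consistent: the Self/SelfPcr field must name a page-aligned kernel address and the Prcb pointer must point at the KPRCB embedded inside that same KPCR. The x86/x64 field offsets in the comments are assumptions about the classic KPCR layout, not values taken from the page, and the image it scans is constructed inline, including one tampered copy whose Prcb pointer has been wiped.

```python
import struct

PAGE = 0x1000

# Assumed self-referential KPCR fields used as the signature (classic layouts;
# the KPRCB is embedded in the KPCR at a fixed delta):
#   x86: KPCR.SelfPcr @ +0x1c, KPCR.Prcb        @ +0x20, KPRCB @ KPCR+0x120
#   x64: KPCR.Self    @ +0x18, KPCR.CurrentPrcb @ +0x20, KPRCB @ KPCR+0x180
ARCH = {
    "x86": {"self": 0x1C, "prcb": 0x20, "prcb_delta": 0x120,
            "fmt": "<I", "kernel_min": 0x80000000},
    "x64": {"self": 0x18, "prcb": 0x20, "prcb_delta": 0x180,
            "fmt": "<Q", "kernel_min": 0xFFFF800000000000},
}


def kpcr_candidate(page: bytes, arch: str):
    """Return the KPCR virtual address if `page` satisfies the self-reference
    constraints for `arch`, else None."""
    a = ARCH[arch]
    self_ptr = struct.unpack_from(a["fmt"], page, a["self"])[0]
    prcb_ptr = struct.unpack_from(a["fmt"], page, a["prcb"])[0]
    if self_ptr < a["kernel_min"]:              # must be a kernel-mode address
        return None
    if self_ptr & (PAGE - 1):                   # the KPCR is page aligned
        return None
    if prcb_ptr != self_ptr + a["prcb_delta"]:  # Prcb must point into this KPCR
        return None
    return self_ptr


def scan_kpcr(image: bytes, arch: str):
    """Scan a raw physical image; return every page that looks like a KPCR as
    {phys, virt, prcb_virt}.  The (phys, virt) pair is also one known VA->PA
    translation that a DTB candidate can later be validated against."""
    hits = []
    for phys in range(0, len(image) - PAGE + 1, PAGE):
        virt = kpcr_candidate(image[phys:phys + PAGE], arch)
        if virt is not None:
            hits.append({"phys": phys, "virt": virt,
                         "prcb_virt": virt + ARCH[arch]["prcb_delta"]})
    return hits


def _fake_kpcr(arch: str, virt: int, prcb_value=None) -> bytearray:
    """Build a page holding only the two signature fields (constructed test data)."""
    a = ARCH[arch]
    page = bytearray(PAGE)
    struct.pack_into(a["fmt"], page, a["self"], virt)
    prcb = virt + a["prcb_delta"] if prcb_value is None else prcb_value
    struct.pack_into(a["fmt"], page, a["prcb"], prcb)
    return page


def build_sample_image() -> bytes:
    """Constructed 4-page image: a zero page, a tampered KPCR copy whose Prcb
    pointer was wiped, a genuine x64 KPCR, and a genuine x86 KPCR at the
    classic 0xffdff000 address.  All addresses are made up for the example."""
    zero = bytearray(PAGE)
    tampered = _fake_kpcr("x64", 0xFFFFF80002A5E000, prcb_value=0)
    genuine64 = _fake_kpcr("x64", 0xFFFFF80002A5E000)
    genuine32 = _fake_kpcr("x86", 0xFFDFF000)
    return bytes(zero + tampered + genuine64 + genuine32)


if __name__ == "__main__":
    img = build_sample_image()
    for arch in ("x64", "x86"):
        for hit in scan_kpcr(img, arch):
            print(arch, {k: hex(v) for k, v in hit.items()})
```

The tampered page is rejected because its Prcb pointer no longer agrees with its Self pointer, which is the robustness property the abstract describes: the kernel itself dereferences these self pointers on every KeGetPcr, so an adversary cannot overwrite them without breaking the running system, whereas a consistency check that looks at both fields together cannot be satisfied by a stale or planted copy. The scanner also refuses to match an x64 KPCR under the x86 layout and vice versa, since the misaligned reads violate the page-alignment and kernel-range constraints.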
