An analysis of Linux RAM forensics
Urrea, Jorge Mario.
Eagle, Christopher S.
During a forensic investigation of a computer system, the ability to retrieve volatile information can be of critical importance. The contents of RAM could reveal malicious code running on the system that has been deleted from the hard drive or, better yet, that was never resident on the hard drive at all. RAM can also reveal the programs most recently run and the files most recently opened on the system. However, due to the nature of modern operating systems, these programs and files are not typically stored contiguously in physical memory, which makes most retrieval efforts for files larger than one page futile. To date, analysis of RAM images has been largely restricted to searching for ASCII string content, which typically only yields text information such as document fragments, passwords or scripts. This thesis explores the memory management structures of a SUSE Linux system (kernel version 2.6.13-15) to make sense out of the chaos in RAM and facilitate the retrieval of files and programs larger than one page. The analysis includes methods for incorporating swap space information for files that may not reside completely within physical memory. The results of this thesis will become the basis of later research efforts in RAM forensics, including the creation of tools that will provide forensic analysts with a clear map of what is resident in the volatile memory of a system.
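The core problem the abstract describes, a multi-page file scattered across non-adjacent physical frames with some pages pushed out to swap, is what walking the kernel's page tables solves. The following is an added illustration, not code from the thesis: it builds a constructed 16-frame RAM image and swap file, then reassembles a five-page virtual region by translating each virtual page through i386 two-level page tables (present pages read from their physical frame, swapped-out pages read from the swap file, an unmapped page reported as a hole). The paging layout (32-bit non-PAE, 4 KiB pages) and the swap-entry encoding (swap type in bits 1-5, offset in bits 8-31 of a non-present PTE, as in Linux 2.6 pgtable-2level.h) are assumptions; the abstract does not state the architecture, and the data is constructed here for the example.

```python
"""Reassemble a multi-page region of one process's virtual address space
from a (constructed) physical memory image plus swap, by walking i386
two-level page tables instead of assuming contiguous physical storage.
Added illustration, not the thesis author's code.  Assumed: 32-bit
non-PAE i386 paging, 4 KiB pages, and the Linux 2.6 i386 swap-entry
encoding (type in bits 1..5, offset in bits 8..31 of a non-present PTE).
"""
import struct

PAGE = 4096
PTE_PRESENT = 0x1


def pde_index(vaddr):
    return (vaddr >> 22) & 0x3FF


def pte_index(vaddr):
    return (vaddr >> 12) & 0x3FF


def read_u32(image, paddr):
    return struct.unpack_from("<I", image, paddr)[0]


def translate(ram, pgd_paddr, vaddr):
    """Locate the page holding vaddr: ("ram", paddr), ("swap", type, offset)
    or None when nothing is mapped there."""
    pde = read_u32(ram, pgd_paddr + 4 * pde_index(vaddr))
    if not pde & PTE_PRESENT:
        return None                      # no page table for this 4 MiB slot
    pt_paddr = pde & 0xFFFFF000
    pte = read_u32(ram, pt_paddr + 4 * pte_index(vaddr))
    if pte & PTE_PRESENT:
        return ("ram", (pte & 0xFFFFF000) | (vaddr & 0xFFF))
    if pte == 0:
        return None                      # never mapped or already discarded
    # non-present but non-zero: a swap entry (assumed 2.6 i386 non-PAE encoding)
    return ("swap", (pte >> 1) & 0x1F, pte >> 8)


def reconstruct(ram, swaps, pgd_paddr, vaddr, length):
    """Rebuild `length` bytes of virtual memory starting at vaddr.
    Returns (data, page_map).  Pages that cannot be located are zero-filled
    and recorded as None so the analyst sees a hole rather than garbage."""
    out, page_map = bytearray(), []
    cur, end = vaddr, vaddr + length
    while cur < end:
        loc = translate(ram, pgd_paddr, cur)
        take = min(PAGE - (cur & 0xFFF), end - cur)   # stay inside one page
        if loc is None:
            out += b"\x00" * take
        elif loc[0] == "ram":
            out += ram[loc[1]:loc[1] + take]
        else:
            _, swap_type, offset = loc
            base = offset * PAGE + (cur & 0xFFF)
            out += swaps[swap_type][base:base + take]
        page_map.append((cur & 0xFFFFF000, loc))
        cur += take
    return bytes(out), page_map


def build_sample():
    """Constructed sample: a 16-frame RAM image and one 8-page swap file
    whose page tables map a 5-page region at 0x08048000 to out-of-order
    frames, one swapped-out page and one unmapped hole."""
    ram, swap0 = bytearray(16 * PAGE), bytearray(8 * PAGE)
    pgd_paddr, pt_paddr = 1 * PAGE, 2 * PAGE    # frames 1 and 2 hold the tables
    base = 0x08048000
    layout = {0: ("ram", 9), 1: ("swap", 0, 3), 2: ("ram", 5), 3: None, 4: ("ram", 12)}
    expected = bytearray()
    struct.pack_into("<I", ram, pgd_paddr + 4 * pde_index(base), pt_paddr | 0x7)
    for vpn, loc in layout.items():
        va = base + vpn * PAGE
        content = bytes([0x41 + vpn]) * PAGE      # 'A' * 4096, 'B' * 4096, ...
        slot = pt_paddr + 4 * pte_index(va)
        if loc is None:
            expected += b"\x00" * PAGE            # hole: PTE left as zero
            continue
        if loc[0] == "ram":
            frame = loc[1]
            ram[frame * PAGE:(frame + 1) * PAGE] = content
            struct.pack_into("<I", ram, slot, (frame * PAGE) | 0x7)
        else:
            _, swap_type, off = loc
            swap0[off * PAGE:(off + 1) * PAGE] = content
            struct.pack_into("<I", ram, slot, (off << 8) | (swap_type << 1))
        expected += content
    return ram, {0: swap0}, pgd_paddr, base, bytes(expected)


if __name__ == "__main__":
    ram, swaps, pgd, base, expected = build_sample()
    data, page_map = reconstruct(ram, swaps, pgd, base, 5 * PAGE)
    for va, loc in page_map:
        print(f"{va:#010x} -> {loc}")
    assert data == expected
```

The page map printed by the script is the "clear map of what is resident" the abstract calls for: each virtual page is tagged as in RAM (with its physical address), in swap (with device and slot) or absent, and a real tool would obtain the page-directory address from the target process's task_struct and mm_struct rather than from a constructed constant.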
Showing items related by title, author, creator and subject.
Bulbul, Zeki Bulent (Monterey, California: Naval Postgraduate School, 1993-06);This thesis introduces and describes a software tool called Mushroom which automates the analysis of network protocols specified by the Systems of Communicating Machines (SCM) and the Communicating Finite State Machines ...
Naval Postgraduate School Center for Homeland Defense and Security (CHDS) (Monterey, California. Naval Postgraduate School Center for Homeland Defense and Security, 2006-10);October 2006. Welcome to Volume 2, Issue Three of Homeland Security Affairs. This issue is dedicated to the memory of Lacy Suiter. I believe Lacy would be embarrassed by the idea of dedicating an issue of anything to him. ...
Memory Corruption Mitigations and Their Implementation Progress in Third-Party Windows Applications. Cevik, Serbulent (Monterey, California. Naval Postgraduate School, 2012-09);It has been more than two decades since the first practical implementation of a memory corruption attack. Despite the fact that there has been much research done on efficiently protecting systems from this type of attack, ...