Providing a Foundation for Analysis of Volatile Data Stores
Abstract
Current threats against typical computer systems demonstrate a need for
forensic analysis of memory-resident data in addition to the conventional static
analysis common today. Certain attacks and types of malware exist solely in
memory and leave little or no evidentiary information on nonvolatile stores
such as a hard disk drive. The desire to preserve system state at the time of
response may even warrant memory acquisition independent of perceived
threats and the ability to analyze the acquired duplicate.
Tools capable of duplicating various types of volatile data stores are becoming
widely available. Once the data store has been duplicated, current forensic
procedures have no method for extrapolating further useful information from
the duplicate. This paper is focused on providing the groundwork for
performing forensic investigations on the data that is typically stored in a
volatile data store, such as system RAM.
When combined with good acquisition techniques, this groundwork is intended to show that more post-incident-response information can be obtained, with less impact on potential evidence, than typical incident response procedures allow.
Description
Some related preliminary work was previously presented at the Third Annual
IFIP WG 11.9 International Conference on Digital Forensics in Orlando, FL on
January 28-31, 2007.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
Related items
Showing items related by title, author, creator and subject.
- An analysis of Linux RAM forensics
  Urrea, Jorge Mario. (Monterey, California. Naval Postgraduate School, 2006-03); During a forensic investigation of a computer system, the ability to retrieve volatile information can be of critical importance. The contents of RAM could reveal malicious code running on the system that has been deleted ...
- Forensic analysis of Window's® virtual memory incorporating the system's page-file
  Stimson, Jared M. (Monterey, California. Naval Postgraduate School, 2008-12); Computer Forensics is concerned with the use of computer investigation and analysis techniques in order to collect evidence suitable for presentation in court. The examination of volatile memory is a relatively new but ...
- Forensic analysis of Windows' virtual memory incorporating the system's page-file
  Stimson, Jared M. (Monterey, California. Naval Postgraduate School, 2008-12); Computer Forensics is concerned with the use of computer investigation and analysis techniques in order to collect evidence suitable for presentation in court. The examination of volatile memory is a relatively new but ...