Evaluating Atomicity, and Integrity of Correct Memory Acquisition Methods

Gruhn M, Freiling F (2016)


Publication Type: Journal article, Original article

Publication year: 2016

Journal: Digital Investigation

Publisher: Elsevier

Volume: 16

Pages: 1-10

Conference Proceedings Title: Proceedings of the 3rd Annual DFRWS Europe Conference

Event location: Lausanne, Switzerland

URI: http://www.dfrws.org/2016eu/proceedings/DFRWS-EU-2016-1.pdf

DOI: 10.1016/j.diin.2016.01.003

Open Access Link: https://www.sciencedirect.com/science/article/pii/S1742287616000049

Abstract

With increased use of forensic memory analysis, the soundness of memory acquisition becomes more important. We therefore present a black box analysis technique in which memory contents are constantly changed via our payload application with a traceable access pattern. This way, given the correctness of a memory acquisition procedure, we can evaluate its atomicity and one aspect of integrity as defined by Vömel and Freiling (2012). We evaluated our approach on several memory acquisition techniques represented by 12 memory acquisition tools using a Windows 7 64-bit operating system running on an i5-2400 with 2 GiB RAM. We found user-mode memory acquisition software (ProcDump, Windows Task Manager), which suspends the process during memory acquisition, to provide perfect atomicity and integrity for snapshots of process memory. Cold-boot attacks (memimage, msramdump), virtualization (VirtualBox) and emulation (QEMU) all deliver perfect atomicity and integrity of full physical system memory snapshots. Kernel level software acquisition tools (FTK Imager, DumpIt, win64dd, WinPmem) exhibit memory smear from concurrent system activity reducing their atomicity. Their integrity is reduced by running within the imaged memory space, hence overwriting part of the memory contents to be acquired. The least amount of atomicity is exhibited by a DMA attack (inception using IEEE 1394). Further, even if DMA is performed completely in hardware, integrity violations with respect to the point in time of the acquisition let this method appear inferior to all other methods. Our evaluation methodology is generalizable to examine further memory acquisition procedures on other operating systems and platforms.
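The black-box idea in the abstract, a payload that keeps rewriting memory in a traceable pattern so that a snapshot can be judged afterwards, as an added toy simulation in Python. This is not the authors' payload or evaluation code; the page gives no implementation details. Everything below is assumed for illustration: a round-robin writer that stamps each page with a global step counter and keeps a write log, an imager that copies pages in chunks while the writer advances between chunks, an imager "footprint" that clobbers pages it lives in, and simplified definitions of the two measures (smear as the failure of any single instant to be consistent with the whole snapshot; integrity as the fraction of pages still holding content the payload actually wrote). The three scenarios are constructed to mirror the abstract's ranking (suspended process, kernel-mode tool, slow page-at-a-time reader); the time-of-acquisition integrity problem the abstract attributes to DMA is not modelled.

```python
"""Toy model of a black-box atomicity/integrity check for a memory snapshot.

Constructed example, not the paper's payload or evaluation code.  The payload
rewrites memory in a traceable pattern (round-robin over pages, each write
stamped with a global step counter) and records every write.  A simulated
imager copies pages in chunks while the payload keeps running, and may clobber
pages with its own footprint.  The analyzer then asks whether the snapshot could
have existed at any single instant (atomicity) and how many pages still hold
content the payload genuinely wrote (one aspect of integrity).
"""
from bisect import bisect_right

INF = float("inf")


class Payload:
    """Round-robin writer: on step `seq`, page (seq % n) receives the value seq."""

    def __init__(self, pages):
        self.mem = [0] * pages                    # 0 = initial content, "written" at step 0
        self.log = [[0] for _ in range(pages)]    # per page: ascending list of write steps
        self.seq = 0

    def step(self, n=1):
        for _ in range(n):
            self.seq += 1
            page = self.seq % len(self.mem)
            self.mem[page] = self.seq
            self.log[page].append(self.seq)


def acquire(payload, chunk, writes_between_chunks=0, footprint=()):
    """Simulated imager: copy `chunk` pages at a time; between chunks the payload
    advances by `writes_between_chunks` steps (concurrent activity, i.e. smear).
    Pages listed in `footprint` are overwritten by the imager itself, so the
    snapshot holds imager data there (modelled as -1) instead of the original."""
    snapshot = []
    n = len(payload.mem)
    for base in range(0, n, chunk):
        for i in range(base, min(base + chunk, n)):
            snapshot.append(-1 if i in footprint else payload.mem[i])
        payload.step(writes_between_chunks)
    return snapshot


def evaluate(snapshot, log):
    """Return (smear, integrity).

    smear: 0 if some instant exists at which every page held its snapshotted
    value (atomic snapshot); otherwise the number of payload steps by which the
    per-page validity intervals fail to overlap.
    integrity: fraction of pages whose snapshot content is a value the payload
    really wrote to that page (pages clobbered by the imager fail the check)."""
    earliest, latest, genuine = 0, INF, 0
    for page, value in enumerate(snapshot):
        writes = log[page]
        if value not in writes:
            continue                        # not payload data: imager footprint or garbage
        genuine += 1
        pos = bisect_right(writes, value)   # index just past this write in the page history
        written_at = value                  # the stamp is the step number of the write
        overwritten_at = writes[pos] if pos < len(writes) else INF
        earliest = max(earliest, written_at)    # snapshot cannot predate the newest page
        latest = min(latest, overwritten_at)    # snapshot cannot postdate the first overwrite
    smear = 0 if earliest < latest else int(earliest - latest + 1)
    return smear, genuine / len(snapshot)


def run_scenarios(pages=8):
    """Three constructed acquisition styles over a small page array."""
    results = {}
    # Suspended process / paused VM: nothing changes while copying.
    p = Payload(pages)
    p.step(pages)
    results["suspended"] = evaluate(acquire(p, chunk=4), p.log)
    # Kernel-mode tool: system keeps running and the imager sits inside the imaged space.
    p = Payload(pages)
    p.step(pages)
    results["kernel_tool"] = evaluate(
        acquire(p, chunk=4, writes_between_chunks=6, footprint={7}), p.log)
    # Slow page-at-a-time reader with heavy concurrent activity: worst smear.
    p = Payload(pages)
    p.step(pages)
    results["slow_page_reader"] = evaluate(
        acquire(p, chunk=1, writes_between_chunks=3), p.log)
    return results


if __name__ == "__main__":
    for name, (smear, integrity) in run_scenarios().items():
        print(f"{name:18s} smear={smear:2d}  integrity={integrity:.3f}")
```

The cut test in `evaluate` is what the traceable pattern buys you: because every value encodes when and where it was written, the analyzer can bound the instant a snapshot "belongs to" from two sides and detect when no such instant exists, without any cooperation from the imager. Note that a sequential reader chasing a round-robin writer can still come out atomic by luck (the read sweeps just ahead of the writes), which is why a real payload needs more than one access pattern.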

How to cite

APA:

Gruhn, M., & Freiling, F. (2016). Evaluating Atomicity, and Integrity of Correct Memory Acquisition Methods. Digital Investigation, 16, 1-10. https://doi.org/10.1016/j.diin.2016.01.003

MLA:

Gruhn, Michael, and Felix Freiling. "Evaluating Atomicity, and Integrity of Correct Memory Acquisition Methods." Digital Investigation 16 (2016): 1-10.