As if Time Had Stopped – Checking Memory Dumps for Quasi-Instantaneous Consistency

Ottmann J, Cengiz Ü, Breitinger F, Freiling F (2023)


Publication Language: English

Publication Type: Conference contribution

Publication year: 2023

Conference Proceedings Title: Proceedings of the Digital Forensics Research Conference USA (DFRWS USA) 2023

Event location: Baltimore, MD

Abstract

Memory dumps that are acquired while the system is running often contain inconsistencies like page smearing which hamper the analysis. One possibility to avoid inconsistencies is to pause the system during the acquisition and take an instantaneous memory dump. While this is possible for virtual machines, most systems cannot be frozen and thus the ideal dump can only be quasi-instantaneous, i.e., consistent despite the system running. In this article, we introduce a method allowing us to measure quasi-instantaneous consistency and show, both theoretically and practically, that our method is valid but that, in reality, dumps can be but usually are not quasi-instantaneously consistent. For the assessment, we run a pivot program enabling the evaluation of quasi-instantaneous consistency for its heap and allowing us to pinpoint where exactly inconsistencies occurred.


How to cite

APA:

Ottmann, J., Cengiz, Ü., Breitinger, F., & Freiling, F. (2023). As if Time Had Stopped – Checking Memory Dumps for Quasi-Instantaneous Consistency. In Proceedings of the Digital Forensics Research Conference USA (DFRWS USA) 2023. Baltimore, MD.

MLA:

Ottmann, Jenny, et al. "As if Time Had Stopped – Checking Memory Dumps for Quasi-Instantaneous Consistency." Proceedings of the Digital Forensics Research Conference USA (DFRWS USA) 2023, Baltimore, MD 2023.
