Abstract
This research presents a software-based computer forensics method capable of recovering and storing digital evidence from volatile memory without corrupting the hard drive. Acquiring volatile memory is difficult because its contents must be transferred to non-volatile storage before power is removed. If this data is written to the hard drive of the compromised computer, it could destroy critical evidence. This research will enhance investigations by allowing the inclusion of hidden processes, kernel modules, and kernel modifications that are present only in memory and may otherwise have been neglected. The methodology can be applied to any operating system and has been proven through an implementation on Linux.
© 2004 Springer-Verlag Berlin Heidelberg
Ring, S., Cole, E. (2004). Volatile Memory Computer Forensics to Detect Kernel Level Compromise. In: Lopez, J., Qing, S., Okamoto, E. (eds) Information and Communications Security. ICICS 2004. Lecture Notes in Computer Science, vol 3269. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30191-2_13
DOI: https://doi.org/10.1007/978-3-540-30191-2_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23563-7
Online ISBN: 978-3-540-30191-2
eBook Packages: Springer Book Archive