
Volatile Memory Computer Forensics to Detect Kernel Level Compromise

  • Conference paper

Information and Communications Security (ICICS 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3269)

Abstract

This research presents a software-based computer forensics method capable of recovering and storing digital evidence from volatile memory without corrupting the hard drive. Acquisition of volatile memory is difficult because it must be transferred onto non-volatile memory prior to disrupting power. If this data is transferred onto the hard drive of the compromised computer it could destroy critical evidence. This research will enhance investigations by allowing the inclusion of hidden processes, kernel modules, and kernel modifications present only in memory that may have otherwise been neglected. This methodology can be applied to any operating system and has been proven through implementation on Linux.
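The abstract's central point is that evidence present only in memory (a process unlinked from the kernel's task list, an unregistered module) is invisible to tools that ask the running kernel, but remains recoverable from a memory image examined offline. The following is an added example, not code from the paper or from its Linux implementation: it uses a constructed toy record format (the `TASK` magic, field layout and offsets are assumptions, not a real kernel structure) to show the cross-view principle that memory forensics relies on. Walking the linked list from the head reproduces what a live process listing would report; carving every record by signature reports what is actually resident; the difference is the hidden object. A SHA-256 digest of the acquired image is recorded so the copy handed to the analyst can be verified against the one taken at acquisition time.

```python
import hashlib
import struct

# Constructed toy record layout; this is an assumption for the example, not a kernel struct.
#   4s  magic  b"TASK"
#   I   pid
#   16s comm   NUL-padded process name
#   I   next   byte offset of the next record in the all-tasks list
TASK_MAGIC = b"TASK"
TASK_FMT = "<4sI16sI"
TASK_SIZE = struct.calcsize(TASK_FMT)  # 28 bytes


def build_sample_image():
    """Construct a toy memory image: three linked tasks plus one unlinked (hidden) task."""
    image = bytearray(0x400)
    layout = {
        0x100: (1, b"init", 0x180),
        0x180: (200, b"sshd", 0x240),
        0x240: (1337, b"bash", 0x100),      # list wraps back to the head
        # DKOM-style hiding: the record is still resident and its own next pointer still
        # points into the list, but no record in the list points to it.
        0x2C0: (4242, b"rk_daemon", 0x100),
    }
    for off, (pid, comm, nxt) in layout.items():
        struct.pack_into(TASK_FMT, image, off, TASK_MAGIC, pid, comm, nxt)
    return bytes(image)


def read_task(image, off):
    """Decode one record; raise if the bytes at `off` are not a task record."""
    magic, pid, comm, nxt = struct.unpack_from(TASK_FMT, image, off)
    if magic != TASK_MAGIC:
        raise ValueError(f"no task record at 0x{off:x}")
    return {"offset": off, "pid": pid, "comm": comm.rstrip(b"\0").decode(), "next": nxt}


def walk_task_list(image, head_off):
    """The live view: follow next pointers from the head until the list wraps or breaks."""
    seen, tasks, off = set(), [], head_off
    while off not in seen and off + TASK_SIZE <= len(image):
        seen.add(off)
        try:
            t = read_task(image, off)
        except ValueError:
            break  # dangling or tampered pointer: stop rather than loop on garbage
        tasks.append(t)
        off = t["next"]
    return tasks


def carve_tasks(image, align=4):
    """The offline view: signature-scan the image for every record, linked or not."""
    tasks = []
    off = image.find(TASK_MAGIC)
    while off != -1 and off + TASK_SIZE <= len(image):
        if off % align == 0:
            tasks.append(read_task(image, off))
        off = image.find(TASK_MAGIC, off + 1)
    return tasks


def find_hidden_tasks(image, head_off):
    """Cross-view comparison: records that are resident but absent from the walked list."""
    listed = {t["offset"] for t in walk_task_list(image, head_off)}
    return [t for t in carve_tasks(image) if t["offset"] not in listed]


def image_digest(image):
    """Integrity value recorded at acquisition time and re-checked before analysis."""
    return hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    img = build_sample_image()
    print("image sha256:", image_digest(img))
    print("listed :", [(t["pid"], t["comm"]) for t in walk_task_list(img, 0x100)])
    print("carved :", [(t["pid"], t["comm"]) for t in carve_tasks(img)])
    print("hidden :", [(t["pid"], t["comm"]) for t in find_hidden_tasks(img, 0x100)])
```

On a real image the two views come from a profile of the target kernel's structure layouts rather than a fixed magic string, and the acquisition step must write the image somewhere other than the compromised host's own disk, which is exactly the constraint the abstract raises; the comparison logic itself does not change.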

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ring, S., Cole, E. (2004). Volatile Memory Computer Forensics to Detect Kernel Level Compromise. In: Lopez, J., Qing, S., Okamoto, E. (eds) Information and Communications Security. ICICS 2004. Lecture Notes in Computer Science, vol 3269. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30191-2_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-30191-2_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23563-7

  • Online ISBN: 978-3-540-30191-2

  • eBook Packages: Springer Book Archive