Abstract
The analysis of computer memory is becoming increasingly important in digital forensic investigations. Volatile memory analysis can provide valuable indicators on what to search for on a hard drive, help recover passwords to encrypted hard drives and possibly refute defense claims that criminal activity was the result of a malware infection. Historically, digital forensic investigators have performed live response by executing multiple utilities. However, using a single tool to capture and analyze computer memory is more efficient and has less impact on the system state (potential evidence). This paper describes CMAT, a self-contained tool that extracts forensic information from a memory dump and presents it in a format that is suitable for further analysis. A comparison of the results obtained with utilities that are commonly employed in live response demonstrates that CMAT provides similar information and identifies malware that is missed by the utilities.
© 2010 International Federation for Information Processing
Okolica, J., Peterson, G. (2010). A Compiled Memory Analysis Tool. In: Chow, KP., Shenoi, S. (eds) Advances in Digital Forensics VI. DigitalForensics 2010. IFIP Advances in Information and Communication Technology, vol 337. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15506-2_14
DOI: https://doi.org/10.1007/978-3-642-15506-2_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15505-5
Online ISBN: 978-3-642-15506-2