Computer Security, Forensics and Ethical Hacking
Discussion Forum: Forensics Investigation
advantage of memory forensics compared to a traditional forensics investigation method.
Volatile memory analysis has become a significant part of digital investigation because some digital evidence resides only in physical memory (RAM), with nothing written to the hard disk to indicate its presence. Code Red, Witty, and SQL Slammer are examples of worms whose presence is evident only in memory (RAM) and not on the hard disk. The acquisition of volatile data is one of the first steps in incident handling and is executed in the containment phase. Well-known incident handling guides emphasize the importance of performing digital evidence acquisition in a timely manner, based on the order of volatility.

Conventionally, the collection of volatile data from a system under investigation is performed through live response. Here the first responder uses trusted binaries that are self-compiled with their own libraries so as not to rely completely on the compromised system when collecting digital evidence. In fact, this method still depends on untrusted code that could have been modified by the attacker, since these binaries and their libraries use system calls to contact the kernel.

The other method of investigating volatile data is to perform a memory image analysis of the investigated system, which can be used as an alternative to live response. Live response usually uses system administration tools to retrieve information about the system state from kernel space, and it may include dumping user space tasks, whereas memory analysis captures and images all the volatile data in memory. This method can reveal critical information that the live response approach does not include, such as hidden and terminated processes. Compared to the live response method, memory image analysis also reduces the impact on the investigated system because it does not load additional processes on the system in the same way or to the extent that live response does.
The incident handler would perform only one action, a physical memory capture, to minimize the footprint on the system in question. The compromised system is not completely depended upon to retrieve the volatile evidence, as offline memory analysis, which is repeatable and allows questions to be asked later, can be carried out.
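The contrast drawn above (a list walk through the kernel, as live response effectively performs, versus a signature scan over a captured image that also turns up unlinked and terminated process objects) can be shown with a small added example. This code is not part of the original post and does not use a real operating system structure: the 32-byte process record, its `PROC` magic, the offsets and the process names are all constructed for the demonstration, and the single capture is hashed so that repeated offline analyses can be tied back to the same image.

```python
import hashlib
import struct

# Constructed toy process-record layout for this example. It is NOT the real
# Windows EPROCESS or Linux task_struct layout; it only mimics the idea that a
# kernel keeps process objects in a circular doubly linked list.
#   magic(4) | pid(4) | flink(4) | blink(4) | name(16, NUL-padded)
REC_FMT = "<4sIII16s"
REC_SIZE = struct.calcsize(REC_FMT)   # 32 bytes
MAGIC = b"PROC"
HEAD_OFFSET = 0                        # list head sentinel lives at offset 0
IMAGE_SIZE = 2048                      # constructed image size


def _write_rec(img, off, pid, flink, blink, name):
    struct.pack_into(REC_FMT, img, off, MAGIC, pid, flink, blink,
                     name.encode().ljust(16, b"\0"))


def build_image(records, image_size=IMAGE_SIZE):
    """Lay out a fake memory image. `records` is a list of
    (offset, pid, name, listed). Only records with listed=True are linked
    into the active-process list; the others stay in memory unlinked, which
    is what a hidden process or a recently terminated one looks like."""
    img = bytearray(image_size)
    chain = [HEAD_OFFSET] + [off for off, _, _, listed in records if listed]
    n = len(chain)
    # circular doubly linked list: (flink, blink) for every listed offset
    links = {off: (chain[(i + 1) % n], chain[i - 1]) for i, off in enumerate(chain)}
    fl, bl = links[HEAD_OFFSET]
    _write_rec(img, HEAD_OFFSET, 0, fl, bl, "HEAD")
    for off, pid, name, _ in records:
        fl, bl = links.get(off, (0, 0))      # unlisted records carry no links
        _write_rec(img, off, pid, fl, bl, name)
    return bytes(img)


def walk_list(img, head=HEAD_OFFSET):
    """What a live-response tool effectively gets from the kernel: follow the
    flink pointers from the list head. Anything unlinked is invisible here."""
    seen = []
    _, _, off, _, _ = struct.unpack_from(REC_FMT, img, head)
    while off != head and len(seen) < 10_000:   # guard against corrupted loops
        _, pid, flink, _, name = struct.unpack_from(REC_FMT, img, off)
        seen.append((pid, name.rstrip(b"\0").decode()))
        off = flink
    return seen


def carve_records(img):
    """What offline memory analysis can do: ignore the kernel's bookkeeping
    and scan every 4-byte-aligned offset for the record signature."""
    found = []
    for off in range(0, len(img) - REC_SIZE + 1, 4):
        if img[off:off + 4] != MAGIC or off == HEAD_OFFSET:
            continue
        _, pid, _, _, name = struct.unpack_from(REC_FMT, img, off)
        found.append((pid, name.rstrip(b"\0").decode()))
    return found


def unlisted_processes(img):
    """Cross-view check: present in memory but absent from the linked list.
    Hidden and terminated processes both land here; the scan alone cannot
    tell them apart, so each hit needs follow-up analysis."""
    listed = set(walk_list(img))
    return [p for p in carve_records(img) if p not in listed]


def image_digest(img):
    """Hash the single capture so later, repeated analyses refer to one image."""
    return hashlib.sha256(img).hexdigest()


# Constructed sample image: two normally listed processes, one unlinked
# (hidden) and one unlinked (terminated, object not yet reused).
SAMPLE_RECORDS = [
    (256, 4, "System", True),
    (512, 1304, "svchost", True),
    (768, 2044, "hidden_svc", False),
    (1024, 901, "old_editor", False),
]
IMAGE = build_image(SAMPLE_RECORDS)

if __name__ == "__main__":
    print("image sha256:", image_digest(IMAGE))
    print("list walk (live-response view):", walk_list(IMAGE))
    print("signature scan (memory-image view):", carve_records(IMAGE))
    print("present in memory but unlisted:", unlisted_processes(IMAGE))
```

The list walk reports only `System` and `svchost`, while the scan over the same bytes also returns `hidden_svc` and `old_editor`; the difference between the two views is exactly the kind of finding the post attributes to memory image analysis. A signature scan depends on the record header surviving intact, so in practice it is one of several cross-checks rather than a single source of truth.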