Similar literature (20 similar records found)
1.
This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.

2.
《Digital Investigation》2007,4(3-4):129-137
In this paper we discuss how operating system design and implementation influence the methodology for computer forensics investigations, with the focus on forensic acquisition of memory. In theory the operating system could support such investigations both in terms of tools for analysis of data and by making the system data readily accessible for analysis. Conventional operating systems such as Windows and UNIX derivatives offer some memory-related tools that are geared towards the analysis of system crashes, rather than forensic investigations. In this paper we demonstrate how techniques developed for persistent operating systems, where the lifetime of data is independent of the method of its creation and storage, could support computer forensics investigations, delivering higher efficiency and accuracy. It is proposed that some of the features offered by persistent systems could be built into conventional operating systems to make illicit activities easier to identify and analyse. We further propose a new technique for forensically sound acquisition of memory based on the persistence paradigm.

3.
Memory analysis has gained popularity in recent years, proving to be an effective technique for uncovering malware in compromised computer systems. The process of memory acquisition presents unique evidentiary challenges, since many acquisition techniques require code to be run on a potentially compromised system, presenting an avenue for anti-forensic subversion. In this paper, we examine a number of simple anti-forensic techniques and test a representative sample of current commercial and free memory acquisition tools. We find that current tools are not resilient to very simple anti-forensic measures. We present a novel memory acquisition technique, based on direct page table manipulation and PCI hardware introspection, without relying on operating system facilities, making it more difficult to subvert. We then evaluate this technique's further vulnerability to subversion by considering more advanced anti-forensic attacks.

4.
Recently there has been a surge in interest in memory forensics: the acquisition and analysis of the contents of physical memory obtained from live hosts. The emergence of kernel-level rootkits, anti-forensics, and the threat of subversion that they pose threatens to undermine the reliability of such memory images and digital evidence in general. In this paper we propose a method of acquiring the contents of volatile memory from arbitrary operating systems in a manner that provides point-in-time atomic snapshots of the host OS volatile memory. Additionally, the method is more resistant to subversion due to its reduced attack surface. Our method is to inject an independent, acquisition-specific OS into the potentially subverted host OS kernel, snatching full control of the host's hardware. We describe an implementation of this proposal, which we call BodySnatcher, which has demonstrated proof of concept by acquiring memory from Windows 2000 operating systems.

5.
Existing comparison studies of random access memory (RAM) acquisition tools are either limited in metrics or cover tools that were designed to be executed on older operating systems. Therefore, this study evaluates seven widely used shareware or freeware/open-source RAM acquisition forensic tools that are compatible with the latest 64-bit Windows operating systems. These tools' user interface capabilities, platform limitations, reporting capabilities, total execution time, shared and proprietary DLLs, modified registry keys, and invoked files during processing were compared. We observed that Windows Memory Reader and Belkasoft's Live Ram Capturer leave the fewest fingerprints in memory when loaded. On the other hand, ProDiscover and FTK Imager perform poorly in memory usage, processing time, DLL usage, and unwanted artifacts introduced to the system. While Belkasoft's Live Ram Capturer is the fastest to obtain an image of the memory, ProDiscover takes the longest time to do the same job.

6.
Using validated carving techniques, we show that popular operating systems (e.g. Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes, including establishment of prior connection activity and services used; identification of other systems present on the system's LAN or WLAN; geolocation of the host computer system; and cross-drive analysis. We show that network structures can also be recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation. We present our network carving techniques, algorithms and tools, and validate these against both purpose-built memory images and readily available forensic corpora. These techniques are valuable both to forensic tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.

7.
We have developed a tool to extract the contents of volatile memory of Apple Macs running recent versions of OS X, which has not been possible since OS X 10.4. This paper recounts our efforts to test the tool and introduces two visualization techniques for that purpose. We also introduce four metrics for evaluating physical memory imagers: correctness, completeness, speed, and the amount of "interference" an imager makes to the state of the machine. We evaluate our tool by these metrics and then show that visualization using dotplots, a technique borrowed from bioinformatics, can be used to reveal bugs in the implementation and to evaluate the correctness, completeness, and amount of interference of an imager. We also introduce a visualization we call the density plot, which shows the density of repeated pages at various addresses within an image. We use these techniques to evaluate our own tool and Apple's earlier tools, and to compare physical memory images to the hibernation file.

8.
Information stored in the logs of a computer system is of crucial importance for gathering forensic evidence of investigated actions or attacks. Analysis of this information should be rigorous and credible, hence it lends itself to formal methods. We propose a model checking approach to the formalization of the forensic analysis of logs. A set of logs is modeled as a tree whose labels are events extracted from the logs. In order to provide a structure to these events, we express each event as a term of an algebra. The signature of the algebra is carefully chosen to include all relevant information necessary to conduct the analysis. Properties of the model, attack scenarios, and event sequences are expressed as formulas of a logic having dynamic, linear, temporal, and modal characteristics. Moreover, we provide a tableau-based proof system for this logic upon which a model checking algorithm can be developed. We use our model in a case study to demonstrate how events leading to a SYN attack can be reconstructed from a number of system logs.

9.
Forensic analysis of physical memory is gaining considerable attention from experts in the community, especially after the recent development of valuable tools and techniques. Investigators find it very helpful to seize physical memory contents and perform post-incident analysis of this potential evidence. Most of the research carried out focuses on enumerating processes and threads by accessing memory-resident objects. To collect case-sensitive information from the extracted memory content, the existing techniques usually rely on string matching. The most important contribution of the paper is a new technique for extracting sensitive information from physical memory. The technique is based on analyzing the call stack and the security-sensitive APIs. It allows extracting sensitive information that cannot be extracted by string-matching-based techniques. In addition, the paper leverages string matching to obtain a more reliable technique for analyzing and extracting what we call "application/protocol fingerprints". The proposed techniques and their implementation target machines running the Windows XP (SP1, SP2) operating system.

10.
《Digital Investigation》2014,11(3):224-233
The allocation algorithm of the Linux FAT32 file system driver positions files on disk in such a way that their relative positions reveal information on the order in which these files have been created. This provides an opportunity to enrich information from (carved) file fragments with time information, even when such file fragments lack the file system metadata in which time-related information is usually to be found. Through source code analysis and experiments, the behaviour of the Linux FAT allocator is examined. How an understanding of this allocator can be applied in practice is demonstrated with a case study involving a TomTom GPS car navigation device. In this case, time information played a crucial role. Large amounts of location records could be carved from this device's flash storage, yielding insight into the locations the device had visited, yet the carved records themselves offered no information on when the device had been at those locations. Still, bounds on the records' time of creation could be inferred by making use of file system timestamps related to neighbouring on-disk positions. Finally, we perform experiments which contrast the Linux behaviour with that of Windows 7. We show that the latter differs subtly, breaking the strong relation between creation order and position.

11.
Cloud storage services allow users to store their data online, so that they can remotely access, maintain, manage, and back up data from anywhere via the Internet. Although helpful, this storage creates a challenge for digital forensic investigators and practitioners in collecting, identifying, acquiring, and preserving evidential data. This study proposes an investigation scheme for analyzing data remnants and determining probative artifacts in a cloud environment. Using pCloud as a case study, this research collected the data remnants available on end-user device storage following the storing, uploading, and accessing of data in the cloud storage. Data remnants are collected from several sources, including client software files, directory listings, prefetch, registry, network PCAP, browser, memory, and link files. Results demonstrate that the collected data remnants are beneficial in determining a sufficient number of artifacts about the investigated cybercrime.

12.
A content analysis of 19 Canadian police interviews with adult witnesses revealed that several of the interviewing strategies used by officers ran counter to the recommendations in the literature. Specifically, interviewers interrupted the witness more than was necessary, rarely employed any cognitive techniques to enhance memory recall, and asked far more closed than open-ended questions. Further, in terms of the sequencing of questions, a pattern emerged across interviews that suggested that officers first "help" the witness construct the event and then, through a rapid sequence of "yes/no" questions, seek to confirm the account. We argue that this pattern of questioning may suggest that officers are pursuing an assumed version of events and that exploring interviews from a sequencing perspective may prove beneficial in identifying possible biased versions of events.

13.
The post-Second World War trial for the crime against humanity from the start assumed pedagogical proportions, with the tribunals involved conscious that their legal verdicts would represent historical pronouncement and national values. The newly defined crime has been asked to institutionalize far more than the traditional task of adjudicating the guilt or innocence of the defendant. The trials themselves are meant to define the past, create and crystallize national memory, and illuminate the foundations of the future. I suggest that, by placing a burden on law that it is not designed to bear, we risk deforming law and legal principle. We risk creating an edifice that will not be equal to the task of memory, that will trivialize the memory it seeks to establish and fortify and, worst of all, that may betray law itself by subverting it from within. This revised version was published online in July 2006 with corrections to the Cover Date.

14.
The role of live forensics in digital forensic investigations has become vital due to the importance of volatile data such as encryption keys, network activity, currently running processes, in-memory-only malware, and other key pieces of data that are lost when a device is powered down. While the technology to perform the first steps of a live investigation, physical memory collection and preservation, is available, the tools for completing the remaining steps remain incomplete. First-generation memory analyzers performed simple string and regular expression operations on the memory dump to locate data such as passwords, credit card numbers, fragments of chat conversations, and social security numbers. A more in-depth analysis can reveal information such as running processes, networking information, open file data, loaded kernel modules, and other critical information that can be used to gain insight into activity occurring on the machine when a memory acquisition occurred. To be useful, tools for performing this in-depth analysis must support a wide range of operating system versions with minimum configuration. Current live forensics tools are generally limited to a single kernel version or a very restricted set of closely related versions, or require substantial manual intervention. This paper describes techniques developed to allow automatic adaptation of memory analysis tools to a wide range of kernel versions. Dynamic reconstruction of kernel data structures is obtained by analyzing the memory dump for the instructions that reference needed kernel structure members. The ability to dynamically recreate C structures used within the kernel allows a large amount of information to be obtained and processed. Currently, this capability is used within a tool called RAMPARSER that is able to simulate commands such as ps and netstat as if an investigator were sitting at the machine at the time of the memory acquisition. Other applications of the developed capabilities include kernel-level malware detection, recovery of process memory and file mappings, and other areas of forensic interest.

15.
In this paper we describe a method for recovering files mapped in memory and for linking mapped-file information to process data. This information is forensically interesting, because it helps determine the origin and usage of the file and because it reduces the amount of unidentified data in a memory dump. To find mapped-file content, we apply several different techniques. Together, these techniques can identify approximately 25% of test memory dumps as being part of a memory-mapped file.

17.
During suspect interviews, police will sometimes ask about hypothetical incriminating evidence to evoke a cue to deception, a technique known as a bait question. Previous research has demonstrated that such questions can distort people's memory for what evidence exists in a case. Here, we investigate whether such memory distortion can also cause people to see the suspect as more likely to be guilty. Across three experiments, we find that exposure to bait questions led participants to hold inflated views of a suspect's guilt. Further, we demonstrate that bait questions cause reliable, robust memory distortion, leading participants to believe non-existent, incriminating evidence exists. However, we found no evidence to support the speculated mechanisms for this inflation, namely (1) that source monitoring errors could lead people to misremember false evidence as real evidence and (2) that bait questions provide 'key evidence' to fill in the gaps of an incomplete theory of a case. In sum, bait questions have the problematic potential to shift jurors towards guilty verdicts. We suggest future research directions on bait questions, including the need for different designs to clarify why bait questions inflate guilt, and recommend practitioners avoid the use of bait questions.

18.
Software-based memory acquisition on modern systems typically requires the insertion of a kernel module into the running kernel. On Linux, kernel modules must be compiled against the exact version of the kernel headers and the exact kernel configuration used to build the currently executing kernel. This makes Linux memory acquisition significantly more complex in practice than on other platforms, due to the number of variations of kernel versions and configurations, especially when responding to incidents. The Linux kernel maintains a checksum of the kernel version and will generally refuse to load a module which was compiled against a different kernel version. Although there are some techniques to override this check, there is an inherent danger of producing an unstable kernel and possible kernel crashes. This paper presents a novel technique to safely load a pre-compiled kernel module for acquisition on a wide range of Linux kernel versions and configurations. Our technique injects a minimal acquisition module (parasite) into another valid kernel module (host) already found on the target system. The resulting combined module is then relinked in such a way as to grant code execution and control over vital data structures to the acquisition code, whilst the host module remains dormant during runtime.

19.
Cardiac Implantable Medical Devices (IMDs) are increasingly being used by patients to benefit from their therapeutic and life-saving functions. These medical devices are surgically implanted into patients' bodies and wirelessly configured by prescribing physicians and healthcare professionals using external programmers. However, these devices are threatened by a set of lethal attacks, due to the use of vulnerable wireless communication and security protocols, and the lack of security protection mechanisms deployed on IMDs. In this paper, we propose a digital investigation system for the postmortem analysis of lethal attack scenarios on cardiac IMDs. After developing a set of techniques allowing the secure storage of digital evidence logs which track the executed sensitive events, we implement an in-depth security solution allowing the protection of cardiac IMDs. An inference system integrating a library of medical rules is proposed to automatically infer potential medical scenarios that caused the patient's death, or that created heart-related emergency situations (through the occurrence of ventricular tachycardia, for example). A Model Checking based formal technique to reconstruct potential technical attack scenarios on a cardiac IMD, starting from the collected evidence, is also proposed. The results obtained by the two proposed reasoning techniques (i.e., the inference system and the Model Checking based algorithm) are correlated to prove whether a potential attack scenario is responsible for the occurrence of heart-related emergency situations or the death of a patient. Based on the proposed techniques, we design a decision-support system that reconciles the medical and technical investigation aspects in the same framework.

20.
We present a novel approach for the construction and application of cryptographic hashes to user space memory for the purpose of verifying the provenance of code in memory images. Several key aspects of Windows behaviour which influence this process are examined in depth. Our approach is implemented and evaluated on a selection of malware samples with user space components, as well as a collection of common Windows applications. The results demonstrate that our approach is highly effective at reducing the amount of memory requiring manual analysis, highlighting the presence of malicious code in all the malware sampled.

Copyright © 北京勤云科技发展有限公司 (Beijing ICP registration 京ICP备09084417号)