1.
Forensic analysis of physical memory is gaining good attention from experts in the community especially after recent development of valuable tools and techniques. Investigators find it very helpful to seize physical memory contents and perform post-incident analysis of this potential evidence. Most of the research carried out focuses on enumerating processes and threads by accessing memory resident objects. To collect case-sensitive information from the extracted memory content, the existing techniques usually rely on string matching. The most important contribution of the paper is a new technique for extracting sensitive information from physical memory. The technique is based on analyzing the call stack and the security sensitive APIs. It allows extracting sensitive information that cannot be extracted by string matching-based techniques. In addition, the paper leverages string matching to get a more reliable technique for analyzing and extracting what we called “application/protocol fingerprints”. The proposed techniques and their implementation target the machines running under the Windows XP (SP1, SP2) operating system.

2.
We present a novel approach for the construction and application of cryptographic hashes to user space memory for the purposes of verifying the provenance of code in memory images. Several key aspects of Windows behaviour which influence this process are examined in-depth. Our approach is implemented and evaluated on a selection of malware samples with user space components as well as a collection of common Windows applications. The results demonstrate that our approach is highly effective at reducing the amount of memory requiring manual analysis, highlighting the presence of malicious code in all the malware sampled.

3.
In this paper we present an approach to digital forensics specification based on forensic policy definition. Our methodology borrows from computer security policy specification, which has accumulated a significant body of research over the past 30 years. We first define the process of specifying forensics properties through a forensics policy and then present an example application of the process. This approach lends itself to formal policy specification and verification, which would allow for more clarity and less ambiguity in the specification process.

4.
Previous research into memory forensics has focused on understanding the structure and contents of the kernel space portions of physical memory, and mostly ignored the contents of the user space. This paper describes the results of a survey of user space virtual address allocations in the Windows XP and Windows 7 operating systems, comprehensively identifying the kernel and user space metadata required to identify such allocations. New techniques for determining the role and content of those allocations are identified, significantly increasing the proportion of allocations for which the role and function is understood. The validity of this approach is evaluated and a detailed analysis of the data structures involved is provided. An implementation of this approach is presented which is capable of identifying all user space allocations and, for a high percentage of those allocations, identifying their role, even for complex applications.

5.
This paper presents the first deep investigation of the kmem_cache facility in Linux from a forensics perspective. The kmem_cache is used by the Linux kernel to quickly allocate and deallocate kernel structures associated with processes, files, and the network stack. Our focus is on deallocated information that remains in the cache and the major contribution of this paper is to illustrate what forensically relevant information can be retrieved from the kmem_cache and what information is definitively not retrievable. We show that the kmem_cache contains a wealth of digital evidence, much of which was either previously unavailable or difficult to obtain, requiring ad hoc methods for extraction. Previously executed processes, memory mappings, sent and received network packets, NAT translations, accessed file system inodes, and more can all be recovered through examination of the kmem_cache contents. We also discuss portable methods for erasing this information, to ensure that private data is no longer recoverable.

6.
An image of a computer's physical memory can provide a forensic examiner with a wealth of information. A small area of system memory, the nonpaged pool, contains lots of information about currently and formerly active processes. As this paper shows, more than 90% of such information can be retrieved even 24 h after process termination under optimum conditions. Great care must be taken as the acquisition process usually affects the memory contents to be acquired. In order to minimize the impact on volatile data, this paper for the first time analyzes the pool allocation mechanism of the Microsoft Windows operating system. It describes a test arrangement which allows one to obtain a time series of physical memory images, while it also reduces the effect on the observed operating system. Using this environment it was found that allocations from the nonpaged pool are reused based on their size and a last in-first out schedule. In addition, a passive memory compaction strategy may apply. So, the creation of a new object is likely to eradicate the evidence of an object of the same class that was destructed just before. The paper concludes with a discussion of the implications for incident response procedures, forensic examinations, and the creation of forensic tools.

7.
Memory analysis has been successfully utilized to detect malware in many high profile cases. The use of signature scanning to detect malicious tools is becoming an effective triaging and first response technique. In particular, the Yara library and scanner have emerged as the de facto standard in malware signature scanning for files, and there are many open source repositories of Yara rules. Previous attempts to incorporate Yara scanning in memory analysis yielded mixed results. This paper examines the differences between applying Yara signatures on files and in memory and how Yara signatures can be developed to effectively search for malware in memory. For the first time we document a technique to identify the process owner of a physical page using the Windows PFN database. We use this to develop a context aware Yara scanning engine which can scan all processes simultaneously using a single pass over the physical image.

9.
Security analysts, reverse engineers, and forensic analysts are regularly faced with large binary objects, such as executable and data files, process memory dumps, disk images and hibernation files, often gigabytes or larger in size and frequently of unknown, suspect, or poorly documented structure. Binary objects of this magnitude far exceed the capabilities of traditional hex editors and textual command line tools, frustrating analysis. This paper studies automated means to map these large binary objects by classifying regions using a multi-dimensional, information-theoretic approach. We make several contributions including the introduction of the binary mapping metaphor and its associated applications, as well as techniques for type classification of low-level binary fragments. We validate the efficacy of our approach through a series of classification experiments and an analytic case study. Our results indicate that automated mapping can help speed manual and automated analysis activities and can be generalized to incorporate many low-level fragment classification techniques.

10.
11.
Extracting an eyewitness's memory of a suspect's face is a difficult task: many factors affect the witness while the face is being encoded, and various cognitive factors again intervene when the memory is retrieved and recognized, leading to distortion in the psychological reconstruction of the face. Therefore, analyzing the factors that influence psychological reconstruction from the perspectives of cognitive and experimental psychology, and using the best means to extract the memory, can maximize the reliability of facial reconstruction. As cognition-related potentials have matured in the field of memory detection, there is now a reliable reference for whether an eyewitness's recognition is correct; analysis of the EEG pattern of the memory response can effectively determine whether the witness retains a memory of a face presented in a lineup identification.

12.
Memory analysis has gained popularity in recent years, proving to be an effective technique for uncovering malware in compromised computer systems. The process of memory acquisition presents unique evidentiary challenges since many acquisition techniques require code to be run on a potentially compromised system, presenting an avenue for anti-forensic subversion. In this paper, we examine a number of simple anti-forensic techniques and test a representative sample of current commercial and free memory acquisition tools. We find that current tools are not resilient to very simple anti-forensic measures. We present a novel memory acquisition technique, based on direct page table manipulation and PCI hardware introspection, without relying on operating system facilities - making it more difficult to subvert. We then evaluate this technique's further vulnerability to subversion by considering more advanced anti-forensic attacks.

13.
Digital Investigation, 2014, 11(3): 214-223
The research described in this paper proposes methods for visually interpreting the content of raw NAND flash memory images into higher level visual artefacts of assistance in reverse engineering and interpreting flash storage formats. A novel method of reverse engineering the structure and layout of individual memory locations within NAND flash images, based on injecting a known signal into a test NAND environment, is also proposed. Omissions in the current theory of operation of flash, in particular the role of flash memory controllers in transforming the raw NAND, are identified, clarifying the cause of variations seen between images taken using pseudo physical and raw physical techniques. The effectiveness of the approach is validated against raw NAND images from YAFFS2 based Android phones, taken via JTAG and chip-off methods.

14.
Information in a process's user space is often directly linked to a specific user's specific operations and is of great significance for establishing a chain of evidence. From the numerous user-space data structures, the three most important are selected: the process environment block, the thread environment block and the virtual address descriptors. Their location methods are described, and the digital forensic characteristics of their structure formats are discussed in depth, providing new ideas and methods for digital forensics in memory space. The case-analysis section uses the widely deployed Windows 7 operating system as the application background to illustrate the concrete application of the described methods.

15.
Recently there has been a surge in interest in memory forensics: the acquisition and analysis of the contents of physical memory obtained from live hosts. The emergence of kernel level rootkits, anti-forensics, and the threat of subversion that they pose threatens to undermine the reliability of such memory images and digital evidence in general. In this paper we propose a method of acquiring the contents of volatile memory from arbitrary operating systems in a manner that provides point-in-time atomic snapshots of the host OS volatile memory. Additionally, the method is more resistant to subversion due to its reduced attack surface. Our method is to inject an independent, acquisition specific OS into the potentially subverted host OS kernel, snatching full control of the host's hardware. We describe an implementation of this proposal, which we call BodySnatcher, which has demonstrated proof of concept by acquiring memory from Windows 2000 operating systems.

16.
This paper focuses on likelihood ratio based evaluations of fibre evidence in cases in which there is uncertainty about whether or not the reference item available for analysis - that is, an item typically taken from the suspect or seized at his home - is the item actually worn at the time of the offence. A likelihood ratio approach is proposed that, for situations in which certain categorical assumptions can be made about additionally introduced parameters, converges to formula described in existing literature. The properties of the proposed likelihood ratio approach are analysed through sensitivity analyses and discussed with respect to possible argumentative implications that arise in practice.

17.
The study explored types of memory for childhood sexual abuse (CSA) in a clinical sample of 30 women and identified factors that led some women (n = 24) to report recovered memories. Questionnaires produced three types of memory: always (n = 6), recovered (n = 14), both (n = 10); however, analysis of narrative data also revealed the use of language that could not be categorized into discrete types. Recovered memories were linked to three categories of experience (cumulative reactions, atypical reactions, and atypical experiences). Subcategories identified specific contexts associated with those experiences. Findings suggest that further research is needed on the phenomenology of memory experiences using language derived from CSA survivors and a better understanding of the long-term process of interpretations of key experiences that result in reports of recovered memories.

18.
One of the verbal approaches to the detection of deceit is based on research on human memory that tries to identify the characteristics that differentiate between internal and external memories (reality monitoring). This approach has attempted to extrapolate the contributions of reality monitoring (RM) research to the deception area. In this paper, we have attempted to review all available studies conducted in several countries in order to yield some general conclusions concerning the discriminative power of this approach. Regarding individual criteria, the empirical results are not very encouraging: few criteria discriminate significantly across studies, and there are several variables that moderate their effect. Some of the contradictory findings may have emerged because of differences in the operationalizations and procedures used across individual studies. However, more promising results have been reported in recent studies, and the approach as a whole appears to discriminate above chance level, reaching accuracy rates that are similar to those of criteria-based content analysis (CBCA). Some suggestions for future research are made.

19.
New mathematical techniques for analysis of raw dumps of NAND flash memory were developed. These techniques are aimed at detecting, by analysis of the raw NAND flash dump only, the use of LFSR-based scrambling and the use of a binary cyclic code for error-correction. If detected, parameter values for both LFSR and cyclic error-correcting code are determined simultaneously. These can subsequently be applied to expose the content of memory pages in the raw NAND flash dump and prepare these for further processing with media analysis tools. The techniques were tested on raw NAND flash memory dumps of four different devices and in all cases LFSR-based scrambling and binary cyclic error-correcting codes were in use.

20.
This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.
