A visual approach to interpreting NAND flash memory

The research described in this paper proposes methods for visually interpreting the content of raw NAND flash memory images into higher level visual artefacts of assistance in reverse engineering and interpreting flash storage formats. A novel method of reverse engineering the structure and layout of individual memory locations within NAND flash images, based on injecting a known signal into a test NAND environment is also proposed. Omissions in the current theory of operation of flash, in particular the role of flash memory controllers in transforming the raw NAND are identified, clarifying the cause of variations seen between images taken using pseudo physical and raw physical techniques. The effectiveness of the approach is validated against raw NAND images from YAFFS2 based Android phones, taken via JTAG and chip-off methods.     

Forensic memory analysis: Files mapped in memory

In this paper we describe a method for recovering files mapped in memory and to link mapped-file information process data. This information is forensically interesting, because it helps determine the origin and usage of the file and because it reduces the amount of unidentified data in a memory dump. To find mapped-file content, we apply several different techniques. Together, these techniques can identify approximately 25% of test memory dumps as being part of a memory-mapped file.     

Forensic memory analysis: Files mapped in memory

In this paper we describe a method for recovering files mapped in memory and to link mapped-file information process data. This information is forensically interesting, because it helps determine the origin and usage of the file and because it reduces the amount of unidentified data in a memory dump. To find mapped-file content, we apply several different techniques. Together, these techniques can identify approximately 25% of test memory dumps as being part of a memory-mapped file.     

Automated mapping of large binary objects using primitive fragment type classification

Security analysts, reverse engineers, and forensic analysts are regularly faced with large binary objects, such as executable and data files, process memory dumps, disk images and hibernation files, often Gigabytes or larger in size and frequently of unknown, suspect, or poorly documented structure. Binary objects of this magnitude far exceed the capabilities of traditional hex editors and textual command line tools, frustrating analysis. This paper studies automated means to map these large binary objects by classifying regions using a multi-dimensional, information-theoretic approach. We make several contributions including the introduction of the binary mapping metaphor and its associated applications, as well as techniques for type classification of low-level binary fragments. We validate the efficacy of our approach through a series of classification experiments and an analytic case study. Our results indicate that automated mapping can help speed manual and automated analysis activities and can be generalized to incorporate many low-level fragment classification techniques.     

Forensic analysis of newer TomTom devices

Today many investigations involve TomTom devices due to the wide-spread use of these navigation systems. The process of acquiring a memory dump from the first generation of TomTom devices was relatively easy by utilising the USB-connection and standard forensic tools. Newer devices, however, do not provide this or any other readily available data connection, making the task much more complex. In addition to existing and relatively complex chip-extraction procedures, an easier data acquisition method was developed without the need to de-solder flash memory chips. The presence of new files and the differences in data formats found in these devices meant that new methods of data analysis and decoding also needed to be developed.     

Forensic analysis of the Windows registry in memory

This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.     

Forensic analysis of the Windows registry in memory

This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.     

Descrambling data on solid-state disks by reverse-engineering the firmware

Data recovery is an important component of digital forensic research. Although recovering data from hard drives or small-scale mobile devices has been well studied, solid-state disks (SSDs) have a very different internal architecture and some additional functions, and it is not clear whether these differences will have an effect on data recovery. Data scrambling is an additional function of an SSD controller which can improve data reliability, but makes data recovery difficult. In this research, the dedicated flash software was first introduced that can acquire the physical image of an SSD without destroying the device hardware. Based on the software, a validation experiment was presented to evaluate the effect of data scrambling on data recovery and the causes of the effect were analyzed. Then two approaches to descrambling the data in the flash chips were proposed and their advantages and disadvantages discussed. After that, a procedure to identify the scrambling seeds that are used to descramble the scrambled data was described. Finally, descrambling software was implemented based on the second descrambling method. The experiment shows that this software can successfully descramble the data from an SSD flash drive regardless of the internal structure of the scrambler in the SSD controller and can generate an unscrambled physical image on which most existing data-recovery techniques can be effective.     

Secure USB bypassing tool

As storage capacity increases due to development of flash memory techniques, use of USB memory has increased. As use of USB memory increases, violations of privacy and company confidentiality and technical information leakage occur more often. In this context, use of USB memories that provide security functions to protect the data in them is increasing. Most USB memories are equipped with basic security functions offered by the USB flash drive controller (hereafter called the “USB controller”). However, USB-controller-based security functions have several vulnerabilities. This paper explains how security functions can be bypassed using USB controller commands and presents the design and implementation of a secure USB bypassing tool that bypass the USB security functions.     

Dynamic recreation of kernel data structures for live forensics

The role of live forensics in digital forensic investigations has become vital due to the importance of volatile data such as encryption keys, network activity, currently running processes, in memory only malware, and other key pieces of data that are lost when a device is powered down. While the technology to perform the first steps of a live investigation, physical memory collection and preservation, is available, the tools for completing the remaining steps remain incomplete. First-generation memory analyzers performed simple string and regular expression operations on the memory dump to locate data such as passwords, credit card numbers, fragments of chat conversations, and social security numbers. A more in-depth analysis can reveal information such as running processes, networking information, open file data, loaded kernel modules, and other critical information that can be used to gain insight into activity occurring on the machine when a memory acquisition occurred. To be useful, tools for performing this in-depth analysis must support a wide range of operating system versions with minimum configuration. Current live forensics tools are generally limited to a single kernel version, a very restricted set of closely related versions, or require substantial manual intervention.This paper describes techniques developed to allow automatic adaptation of memory analysis tools to a wide range of kernel versions. Dynamic reconstruction of kernel data structures is obtained by analyzing the memory dump for the instructions that reference needed kernel structure members. The ability to dynamically recreate C structures used within the kernel allows for a large amount of information to be obtained and processed. Currently, this capability is used within a tool called RAMPARSER that is able to simulate commands such as ps and netstat as if an investigator were sitting at the machine at the time of the memory acquisition. Other applications of the developed capabilities include kernel-level malware detection, recovery of processes memory and file mappings, and other areas of forensics interest.     

Anti-forensic resilient memory acquisition

Memory analysis has gained popularity in recent years proving to be an effective technique for uncovering malware in compromised computer systems. The process of memory acquisition presents unique evidentiary challenges since many acquisition techniques require code to be run on a potential compromised system, presenting an avenue for anti-forensic subversion. In this paper, we examine a number of simple anti-forensic techniques and test a representative sample of current commercial and free memory acquisition tools. We find that current tools are not resilient to very simple anti-forensic measures. We present a novel memory acquisition technique, based on direct page table manipulation and PCI hardware introspection, without relying on operating system facilities - making it more difficult to subvert. We then evaluate this technique's further vulnerability to subversion by considering more advanced anti-forensic attacks.     

Integrity verification of user space code

We present a novel approach for the construction and application of cryptographic hashes to user space memory for the purposes of verifying the provenance of code in memory images. Several key aspects of Windows behaviour which influence this process are examined in-depth. Our approach is implemented and evaluated on a selection of malware samples with user space components as well as a collection of common Windows applications. The results demonstrate that our approach is highly effective at reducing the amount of memory requiring manual analysis, highlighting the presence of malicious code in all the malware sampled.     

手机物证检验及其在刑事侦查中的应用

随着移动通信技术的迅速发展和广泛应用,手机内部包含的信息已经成为犯罪侦查重要的线索和证据来源。采用专门的符合物证鉴定原理要求的技术方法检验手机的SIM卡存储器、主板存储器和闪存卡,可以获得大量的手机使用者个人信息、通信内容信息、通信发生信息、使用者写入存储信息和手机设置信息等大量信息资料。手机检验结果给出的这些信息具有非常高的侦查和证据价值的,手机也因此成为物证鉴定领域内一个新的检验对象。     

Forensic carving of network packets and associated data structures

Using validated carving techniques, we show that popular operating systems (e.g. Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes including establishment of prior connection activity and services used; identification of other systems present on the system’s LAN or WLAN; geolocation of the host computer system; and cross-drive analysis. We show that network structures can also be recovered from memory that is persisted onto a mass storage medium during the course of system swapping or hibernation. We present our network carving techniques, algorithms and tools, and validate these against both purpose-built memory images and a readily available forensic corpora. These techniques are valuable to both forensics tasks, particularly in analyzing mobile devices, and to cyber-security objectives such as malware analysis.     

Content triage with similarity digests: The M57 case study

In this work we illustrate the use of similarity digests for the purposes of forensic triage. We use a case that consists of 1.5 TB of raw data, including disk images, network captures, RAM snapshots, and USB flash media. We demonstrate that by applying similarity digests in a systematic manner, the scope of examination can be narrowed down within a matter of minutes to hours. In contrast, conventional manual examination of all the data may require several days, and its effectiveness relies substantially on the experience of the investigator.     

Using every part of the buffalo in Windows memory analysis

All Windows memory analysis techniques depend on the examiner's ability to translate the virtual addresses used by programs and operating system components into the true locations of data in a memory image. In some memory images up to 20% of all the virtual addresses in use point to so called “invalid” pages that cannot be found using a naive method for address translation. This paper explains virtual address translation, enumerates the different states of invalid memory pages, and presents a more robust strategy for address translation. This new method incorporates invalid pages and even the paging file to greatly increase the completeness of the analysis. By using every available page, every part of the buffalo as it were, the examiner can better recreate the state of the machine as it existed at the time of imaging.     

Scalable code clone search for malware analysis

Reverse engineering is the primary step to analyze a piece of malware. After having disassembled a malware binary, a reverse engineer needs to spend extensive effort analyzing the resulting assembly code, and then documenting it through comments in the assembly code for future references. In this paper, we have developed an assembly code clone search system called ScalClone based on our previous work on assembly code clone detection systems. The objective of the system is to identify the code clones of a target malware from a collection of previously analyzed malware binaries. Our new contributions are summarized as follows: First, we introduce two assembly code clone search methods for malware analysis with a high recall rate. Second, our methods allow malware analysts to discover both exact and inexact clones at different token normalization levels. Third, we present a scalable system with a database model to support large-scale assembly code search. Finally, experimental results on real-life malware binaries suggest that our proposed methods can effectively identify assembly code clones with the consideration of different scenarios of code mutations.     

Out of sight,but not out of mind: Traces of nearby devices' wireless transmissions in volatile memory

An IEEE 802.11 wireless device can leave traces of its presence in the volatile memories of nearby wireless devices. While the devices need to be in radio range of each other for this to happen, they do not need to be connected to the same network—or to any network at all. Traces appear in the form of full wire-type frames; a residue of the signals in the ether. We examine types of information that can be extracted from such residual frames and explore the conditions under which traces develop and persist. Their availability is determined by factors in both in the external environment (the types of signals in the ether) and the internal environment (the configuration and particulars of a device's wifi stack). To isolate some of these factors, we have created memory dumps of devices in various environments and configurations. Analysis of the dumps has offered insights into the conditions determining creation and decay of the traces. The results indicate that they will be available in a limited number of real-world scenarios. We conclude with practical advice on triaging and preservation.     

Extraction of forensically sensitive information from windows physical memory

Forensic analysis of physical memory is gaining good attention from experts in the community especially after recent development of valuable tools and techniques. Investigators find it very helpful to seize physical memory contents and perform post-incident analysis of this potential evidence. Most of the research carried out focus on enumerating processes and threads by accessing memory resident objects. To collect case-sensitive information from the extracted memory content, the existing techniques usually rely on string matching. The most important contribution of the paper is a new technique for extracting sensitive information from physical memory. The technique is based on analyzing the call stack and the security sensitive APIs. It allows extracting sensitive information that cannot be extracted by string matching-based techniques. In addition, the paper leverages string matching to get a more reliable technique for analyzing and extracting what we called “application/protocol fingerprints”. The proposed techniques and their implementation target the machines running under the Windows XP (SP1, SP2) operating system.