Advanced Topic: Memory Imaging
Xinwen Fu
91.460.201 & 91.530.202 Selected Topics: Digital Forensics
Brian D. Carrier and Joe Grand, A Hardware-Based Memory Acquisition Procedure for Digital Investigations, Journal of Digital Investigations - March 2004 edition, 2004
CS@UML2
Outline
1. Introduction
2. Related work (previous work)
3. Tribble: hardware-based memory imaging
4. Conclusions
Why are the memory contents useful?
Code-Red worm & SQL Slammer worm
- Exploit buffer-overflow vulnerabilities in the MS IIS web server (Code-Red) and SQL Server 2000 (Slammer)
- Code-Red defaces web pages
- Generate a random list of IP addresses to probe and infect
- Produce a large amount of traffic
- "Memory resident" (disappear after reboot): nothing is written to disk, so a disk image alone cannot show that the machine was infected; only the memory contents hold the evidence
Phases of a digital investigation
1. Notification: an incident is detected and the response team is informed
2. Preservation: make an exact copy of the digital crime scene (memory imaging belongs here)
3. Survey: examine the crime scene for obvious pieces of digital evidence (requires knowledge of the incident, experience and training)
4. Search: a more thorough search for additional evidence to support or refute hypotheses
5. Reconstruction: test the existing evidence and hypotheses to form a final theory
6. Presentation: the final theory is presented to the parties requesting the investigation
Memory imaging requirements
1. Read from the source and write to a non-volatile destination, called the image
2. Do not overwrite the source (violated by software-based solutions, whose own process and kernel memory live inside the source)
3. Follow a documented procedure
4. On I/O read errors, write a specified value to the image (so that offsets in the image stay aligned with the source)
5. Identify the start and end of the source data if the destination is larger than the source
6. Notify the user if the destination is smaller than the source
7. Provide the correct documentation
8. Halt the target system so that memory does not change during the acquisition
9. Calculate the hash value of the data
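The following is an added example, not code from Carrier and Grand's paper or from the Tribble firmware. It models requirements 1, 3, 4, 5, 6, 7 and 9 above in software: the source is read page by page, an unreadable page is replaced by a fill value and logged, a destination that is too small is rejected rather than silently truncating the image, and the image is hashed so that a copy can be verified later. `FaultySource` is a constructed in-memory device that raises `OSError` on chosen pages; a real acquisition would read `/dev/mem`, the Windows physical-memory device, or the PCI bus via DMA instead. The page size and the `(i * 7 + 3) & 0xFF` filler pattern are arbitrary choices for the illustration.

```python
"""Software model of the memory-imaging requirements listed above.

Added example, not code from Carrier & Grand's paper or the Tribble firmware.
`FaultySource` is a constructed in-memory device that raises OSError on
chosen pages to model I/O read errors (requirement 4). The source is only
ever read, never written, which is the point of requirement 2.
"""
import hashlib

PAGE_SIZE = 4096
FILL_BYTE = b"\x00"   # requirement 4: value written in place of an unreadable page


class FaultySource:
    """Constructed source of `size` bytes of pattern data; reads of `bad_pages` fail."""

    def __init__(self, size, bad_pages=()):
        self.size = size
        self.bad_pages = set(bad_pages)
        self._data = bytes((i * 7 + 3) & 0xFF for i in range(size))

    def read_page(self, index):
        """Return the bytes of page `index`; the last page may be short."""
        if index in self.bad_pages:
            raise OSError(f"read error at page {index}")
        start = index * PAGE_SIZE
        return self._data[start:start + PAGE_SIZE]


def acquire(source, dest_capacity):
    """Image `source` into a destination of `dest_capacity` bytes.

    Returns (image, report): the image bytes and a dict with the SHA-256 of
    the image (req. 9), the source range that was imaged (req. 5) and a log
    of read errors (req. 3 and 7). Raises ValueError when the destination is
    smaller than the source (req. 6) instead of silently truncating.
    """
    if dest_capacity < source.size:
        raise ValueError(
            f"destination ({dest_capacity} B) is smaller than source ({source.size} B)")
    chunks = []
    digest = hashlib.sha256()
    log = []
    n_pages = (source.size + PAGE_SIZE - 1) // PAGE_SIZE
    for page in range(n_pages):
        expected = min(PAGE_SIZE, source.size - page * PAGE_SIZE)
        try:
            data = source.read_page(page)
        except OSError as exc:
            # Requirement 4: keep the image aligned by writing the fill value
            # for the unreadable page, and record the fact in the log.
            data = FILL_BYTE * expected
            log.append(f"page {page}: {exc}; wrote {expected} fill bytes")
        chunks.append(data)
        digest.update(data)
    image = b"".join(chunks)
    report = {
        "sha256": digest.hexdigest(),
        "source_start": 0,
        "source_end": source.size,
        "image_bytes": len(image),
        "errors": log,
    }
    return image, report


def verify(image, report):
    """Recompute the hash of a stored image and compare it with the report."""
    return hashlib.sha256(image).hexdigest() == report["sha256"]


if __name__ == "__main__":
    src = FaultySource(3 * PAGE_SIZE + 100, bad_pages={1})
    img, rep = acquire(src, dest_capacity=1 << 20)
    print(rep["sha256"], rep["image_bytes"], rep["errors"])
    print("verified:", verify(img, rep))
```

Because the model source is deterministic, acquiring it twice yields the same hash; on a live machine that only holds if requirement 8 (halting the target) is met, which is exactly what a software tool running on the target cannot guarantee.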
Previous work: software-based approach
Memory devices
- Unix/Linux: the /dev/mem device (physical memory) and the /dev/kmem device (virtual memory of the kernel)
- \\.\PhysicalMemory: device object in Microsoft Windows 2000/2003/XP
WinHex
- Tools -> Open RAM... -> Physical Memory
dd
- Windows: dd.exe if=\\.\PhysicalMemory of=c:\dump.dd conv=noerror > c:\dump.err
- Linux: shipped by default
Disadvantages of WinHex and dd
- The software-based solution relies on untrusted resources, i.e. the OS kernel: it depends on the local OS, which may already be compromised (a rootkit can filter what the memory device returns)
- It always requires process and kernel memory in order to execute, and therefore overwrites possible evidence: running a process (WinHex/dd) overwrites unallocated memory and may cause allocated memory to be written to swap space or page files
- An image of physical memory is hard to analyze
- /dev/mem may be restricted on some systems
Live demo: WinHex, search memory for passwords
Two new tools for analyzing memory dumps
- Memparser reconstructs a process list and extracts information from a process's memory (Chris Betz)
- Kntlist interprets the structures of memory (George M. Garner Jr. and Robert Jan Mora)
Previous work: process pseudo-file system tools
- In Unix/Linux, a process pseudo-file system is mounted at /proc, containing information about the kernel and the running processes
- Typically one file corresponds to all physical memory and one file to each process's memory
- WinHex for Windows has a similar function
- Easy to analyze, since each process's memory is already separated out
Disadvantages of process pseudo-file system tools
- Need to identify the suspect processes first
- Forces non-resident pages to be read from swap and may cause resident memory pages to be written to swap space
- Only collects the allocated memory
- Running a command to copy will overwrite unallocated memory that may contain useful information
Previous work: virtual machines
- A virtual machine is an application that emulates a computer environment so that an OS and other applications can execute inside it
- It can be suspended and its state saved at any time
- No special processes are run inside the guest, and the host that makes the copy is trusted
- Disadvantage: impact on system performance (and the target must already be running inside a VM)
Previous work: Sparc OpenBoot
1. The OpenBoot firmware in the Sun Sparc architecture
2. Use the L1-A (or STOP-A) keys to suspend the system and drop to the OpenBoot prompt
3. The "sync" command dumps the memory and registers to swap space
4. After reboot, the "savecore" command copies the dump from swap to files
Disadvantages:
1. Overwrites the swap space
2. Requires a reboot of the system
3. Only available on Sparc systems
Previous work: hibernation
- Power management can disable the processor, hard drive, etc. and may save the memory contents to disk
- It is not clear that the exact contents, or all of memory, are saved
PCI system
- The host/PCI bridge, called the North Bridge
- The PCI-to-ISA bridge, called the South Bridge. It incorporates the interrupt controller, IDE controller, USB host controller and DMA controller.
- DMA: direct access to system memory without supervision by the CPU (this is what lets a PCI card read RAM without executing any code on the host)
http://www.techtutorials.info/isapci.html
Motherboard
http://www.gen-x-pc.com/mobo2.htm
PCI bus acquisition card
1. Obtains control of the PCI bus through the PCI bus arbiter (bus mastering)
2. Copies memory by DMA transfer
Imaging procedure
The acquisition card is powered on and completes its hardware initialization routines:
- Conducts the Power-On Self Test (POST)
- Does not enable its PCI controller
- Remains idle
When the external switch is activated, the acquisition process begins:
- Activates the external storage device that will hold the memory image
- Halts the target processor if possible
- Saves the volatile memory using DMA
- Calculates the hash value of the data and creates a log
- Disables the PCI controller and deactivates the external storage device
- Returns to the idle state
Tribble: the proof-of-concept device
Software:
• i960 CTOOLS/MON960 package (C++ compiler, gdb960 debugger)
Hardware:
• IQ80303 evaluation board (i960 I/O processor with PCI-to-PCI bridge and DMA controller)
• 2 MB Flash ROM and 512 MB SDRAM
• RS232 UART
• No external storage device or switch so far
Test procedures
1. Compare the same page of memory acquired with dd and with Tribble
2. Read a memory location twice to make sure memory has not changed between the reads
3. Acquire all memory using dd and Tribble
• Most pages are the same
• dd changes memory, so the two images are not identical
• Tribble ran slowly because it displayed the memory in ASCII and hex on a serial terminal (there is no external storage yet)
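The comparison in the test procedure above, as an added example that is not code from the paper: two images of the same machine are compared page by page, and a read primitive is exercised twice on the same location to check that memory is stable between reads. Both images are constructed here: `hardware_image` stands in for the Tribble DMA capture and `software_image` for a dd capture in which two pages differ because the dd process itself occupied them while it ran. The page numbers 3 and 9, the 16-page image size and the filler pattern are arbitrary choices for the illustration.

```python
"""Page-level comparison of two memory images, modelling the test procedure
above (the same machine acquired with dd and with Tribble).

Added example, not code from the paper. `hardware_image` and `software_image`
are constructed data, differing only in the pages a dd process would occupy.
"""
PAGE_SIZE = 4096


def diff_pages(img_a, img_b, page_size=PAGE_SIZE):
    """Indices of the pages whose contents differ between two images.

    If the images have different lengths, every page that exists in only one
    of them is reported as different, so a truncated image never matches.
    """
    n_pages = (max(len(img_a), len(img_b)) + page_size - 1) // page_size
    differing = []
    for page in range(n_pages):
        window = slice(page * page_size, (page + 1) * page_size)
        if img_a[window] != img_b[window]:
            differing.append(page)
    return differing


def summarize(img_a, img_b, page_size=PAGE_SIZE):
    """Summary of a comparison: page count, differing pages, identical fraction."""
    n_pages = (max(len(img_a), len(img_b)) + page_size - 1) // page_size
    differing = diff_pages(img_a, img_b, page_size)
    return {
        "pages": n_pages,
        "differing": differing,
        "identical_fraction": (n_pages - len(differing)) / n_pages if n_pages else 1.0,
    }


def stable_read(read_fn, address, length):
    """Test step 2: read the same location twice and report whether it changed.

    `read_fn(address, length)` is whatever primitive the acquisition tool
    offers (a DMA read for Tribble, a seek+read on the memory device for dd).
    """
    return read_fn(address, length) == read_fn(address, length)


def _pattern(size):
    """Deterministic filler standing in for real memory contents."""
    return bytes((i * 13 + 5) & 0xFF for i in range(size))


# Constructed images: 16 pages each, differing only where the dd process lived.
hardware_image = _pattern(16 * PAGE_SIZE)
_software = bytearray(hardware_image)
for _page in (3, 9):
    _software[_page * PAGE_SIZE:(_page + 1) * PAGE_SIZE] = b"dd process pages".ljust(PAGE_SIZE, b"\x00")
software_image = bytes(_software)


if __name__ == "__main__":
    print(summarize(hardware_image, software_image))
    print("stable:", stable_read(lambda a, n: hardware_image[a:a + n], 0, 64))
```

On a real pair of images the differing pages would be inspected with a tool such as memparser or kntlist to confirm that they belong to the dd process and its kernel buffers rather than to the evidence.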
Conclusions
1. The proof-of-concept device works
2. Tribble has to be installed in the machine before the incident
3. Tribble needs a dummy device driver, since the card can be detected by Plug and Play
4. It is still hard to analyze a dump of physical memory
References
1. Brian D. Carrier and Joe Grand, "A Hardware-Based Memory Acquisition Procedure for Digital Investigations," Journal of Digital Investigations, March 2004 edition, 2004, http://www.digital-evidence.org/papers/tribble-preprint.pdf
2. (Optional) Joseph Grand, "pdd: Memory Imaging and Forensic Analysis of Palm OS Devices," http://www.atstake.com/research/reports/, 2002
3. George M. Garner Jr., Forensic Acquisition Utilities, http://users.erols.com/gmgarner/forensics/ (http://users.erols.com/gmgarner/forensics/forensic%20acquisition%20utilities-bin-1.0.0.1034%20(beta1).zip), 2004
4. Brian Carrier, Acquisition Tools, http://www.opensourceforensics.org/tools/windows.html, 2005
5. X-Ways, WinHex: Computer Forensics & Data Recovery Software, Hex Editor & Disk Editor, http://www.x-ways.net/winhex/index-m.html, 2006