Authors: Michael Kiperberg (1); Roee Leon (2); Amit Resh (3); Asaf Algawi (2) and Nezer Zaidenberg (4)
Affiliations: (1) Faculty of Sciences, Holon Institute of Technology, Israel; (2) Department of Mathematical IT, University of Jyväskylä, Finland; (3) School of Computer Engineering, Shenkar College of Engineering, Design and Art, Israel; (4) School of Computer Sciences, The College of Management, Academic Studies, Israel
Keyword(s): Live Forensics, Memory Forensics, Memory Acquisition, Virtualization, Reliability, Atomicity, Integrity of a Memory Snapshot, Forensic Soundness.
Related Ontology Subjects/Areas/Topics: Internet Technology; Intrusion Detection and Response; Web Information Systems and Technologies
Abstract:
Reliable memory acquisition is essential to the forensic analysis of a cyber-crime. Various methods of memory acquisition have been proposed, ranging from tools based on dedicated hardware to software-only solutions. Recently, a hypervisor-based method for memory acquisition was proposed (Qi et al., 2017; Martignoni et al., 2010). This method obtains a reliable (atomic) memory image of a running system. It achieves this by making all memory pages non-writable until they have been copied to the memory image, thus preventing uncontrolled modification of these pages before they are captured. Unfortunately, the proposed method has two deficiencies: (1) it does not support multiprocessing and (2) it does not support modern operating systems featuring address space layout randomization (ASLR). We describe a hypervisor-based memory acquisition method that solves both of these deficiencies. We analyze the memory usage and performance of the proposed method.
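The atomicity argument in the abstract (write-protect every page, copy a page into the image before any write to it is allowed through) can be seen in a small model. The following is an added example, not code from the paper or its authors: a toy "physical memory" of four 16-byte pages, a guest writer that keeps the first byte of pages 0 and 3 equal, and two snapshotters. The naive one copies pages in order while the guest keeps running and can produce a torn image; the atomic one marks all pages protected first and treats a write to a protected page like the write fault a hypervisor would intercept, copying the original page into the image before the write lands. The page size, page count and the writer's invariant are constructed for illustration; the model covers only the base mechanism, not the multiprocessing or ASLR issues the abstract raises.

```python
"""Toy model of hypervisor-style atomic memory acquisition (constructed example)."""
from __future__ import annotations

from typing import Callable, Dict, List, Optional

PAGE_SIZE = 16  # bytes per page; deliberately tiny (constructed value)


class Memory:
    """Guest physical memory with a per-page write-protect bit.

    A write to a protected page first invokes `on_write_fault`, standing in
    for the EPT/NPT write fault a hypervisor would intercept.
    """

    def __init__(self, num_pages: int) -> None:
        self.pages: List[bytearray] = [bytearray(PAGE_SIZE) for _ in range(num_pages)]
        self.protected: List[bool] = [False] * num_pages
        self.on_write_fault: Optional[Callable[[int], None]] = None

    def write(self, page: int, offset: int, data: bytes) -> None:
        if self.protected[page] and self.on_write_fault is not None:
            self.on_write_fault(page)  # acquisition gets a chance to copy first
        self.pages[page][offset : offset + len(data)] = data


def make_writer(mem: Memory) -> Callable[[], None]:
    """Guest activity: each step stores the same counter in pages 0 and 3.

    The invariant 'page0[0] == page3[0]' holds at every instant in the live
    system, so a sound snapshot must preserve it.
    """
    state = {"n": 0}

    def writer() -> None:
        state["n"] += 1
        value = bytes([state["n"] & 0xFF])
        mem.write(0, 0, value)
        mem.write(3, 0, value)

    return writer


def naive_snapshot(mem: Memory, writer: Callable[[], None]) -> List[bytes]:
    """Copy pages in order; the guest runs between copies, so the image may tear."""
    image: List[bytes] = []
    for p in range(len(mem.pages)):
        image.append(bytes(mem.pages[p]))
        writer()  # guest modifies memory while acquisition is still running
    return image


def atomic_snapshot(mem: Memory, writer: Callable[[], None]) -> List[bytes]:
    """Write-protect all pages, then copy; a write fault copies that page first."""
    image: Dict[int, bytes] = {}

    def fault(page: int) -> None:
        # Copy-before-write: capture the page as it was at snapshot start,
        # then drop protection so the guest's write can proceed.
        if page not in image:
            image[page] = bytes(mem.pages[page])
        mem.protected[page] = False

    mem.on_write_fault = fault
    mem.protected = [True] * len(mem.pages)  # point in time the image represents
    for p in range(len(mem.pages)):
        if p not in image:  # not already captured via a write fault
            image[p] = bytes(mem.pages[p])
            mem.protected[p] = False
        writer()  # guest keeps running; faults fill in the image for us
    mem.on_write_fault = None
    return [image[p] for p in range(len(mem.pages))]


def is_consistent(image: List[bytes]) -> bool:
    """Check the writer's invariant in the captured image."""
    return image[0][0] == image[3][0]


def run_demo() -> tuple:
    """Acquire the same guest workload both ways and return both images."""
    mem_a = Memory(4)
    naive = naive_snapshot(mem_a, make_writer(mem_a))
    mem_b = Memory(4)
    atomic = atomic_snapshot(mem_b, make_writer(mem_b))
    return naive, atomic


if __name__ == "__main__":
    naive_img, atomic_img = run_demo()
    print("naive consistent: ", is_consistent(naive_img))
    print("atomic consistent:", is_consistent(atomic_img))
```

In the naive run page 0 is copied while the counter is still 0 but page 3 is copied only after three guest steps, so the image holds two values that never coexisted in the live system. In the atomic run the guest's first write to page 3 faults, the page is captured as it stood when protection was applied, and the finished image reflects a single instant.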