 | This article includes a list of references, related reading, or external links, but its sources remain unclear because it lacks inline citations .(May 2023) |
Memory forensics is forensic analysis of a computer's memory dump. Its primary application is investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive. Consequently, the memory (RAM) must be analyzed for forensic information.
Prior to 2004, memory forensics was done on an ad hoc basis, using generic data analysis tools like strings and grep. These tools are not specifically created for memory forensics, and therefore are difficult to use. They also provide limited information. In general, their primary usage is to extract text from the memory dump. [1]
Many operating systems provide features to kernel developers and end-users to actually create a snapshot of the physical memory for either debugging (core dump or Blue Screen of Death) purposes or experience enhancement (Hibernation (computing)). In the case of Microsoft Windows, crash dumps and hibernation had been present since Microsoft Windows NT. Microsoft crash dumps had always been analyzable by Microsoft WinDbg, and Windows hibernation files (hiberfil.sys) are nowadays convertible in Microsoft crash dumps using utilities like MoonSols Windows Memory Toolkit designed by Matthieu Suiche.[ citation needed ]
In February 2004, Michael Ford introduced memory forensics into security investigations with an article in SysAdmin Magazine. [2] In that article, he demonstrated analysis of a memory based rootkit. The process utilized the existing Linux crash utility as well as two tools developed specifically to recover and analyze the memory forensically, memget and mempeek.[ citation needed ]
In 2005, DFRWS issued a Memory Analysis Forensics Challenge. [3] In response to this challenge, more tools in this generation, specifically designed to analyze memory dumps, were created. These tools had knowledge of the operating system's internal data structures, and were thus capable of reconstructing the operating system's process list and process information. [3]
Although intended as research tools, they proved that operating system level memory forensics is possible and practical.[ citation needed ]
Subsequently, several memory forensics tools were developed intended for practical use. These include both commercial tools like Responder PRO, Memoryze, MoonSols Windows Memory Toolkit, winen, Belkasoft Live RAM Capturer, etc.; open source tools like Volatility. New features have been added, such as analysis of Linux and Mac OS X memory dumps, and substantial academic research has been carried out. [4] [5]
Unlike Microsoft Windows, Mac OS X interest is relatively new and had only been initiated by Matthieu Suiche [6] in 2010 during Black Hat Briefings security conference.[ citation needed ]
Currently, memory forensics is a standard component of incident response. [7]
Since 2010, we started to see more utilities focusing on the visualization aspect of memory analysis such as MoonSols LiveCloudKd presented [8] by Matthieu Suiche at Microsoft BlueHat Security Briefings that inspired [9] a new feature in Microsoft LiveKd written by Mark Russinovich [10] to allow virtual machines introspection by accessing the memory of guest virtual machine from the host virtual machine in order to either analyze them directly with the assistance of Microsoft WinDbg or to acquire a memory dump in a Microsoft crash dump file format.[ citation needed ]
In computing, a core dump, memory dump, crash dump, storage dump, system dump, or ABEND dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has crashed or otherwise terminated abnormally. In practice, other key pieces of program state are usually dumped at the same time, including the processor registers, which may include the program counter and stack pointer, memory management information, and other processor and operating system flags and information. A snapshot dump is a memory dump requested by the computer operator or by the running program, after which the program is able to continue. Core dumps are often used to assist in diagnosing and debugging errors in computer programs.
SoftICE is a kernel mode debugger for DOS and Windows up to Windows XP. It is designed to run underneath Windows, so that the operating system is unaware of its presence. Unlike an application debugger, SoftICE is capable of suspending all operations in Windows when instructed. Because of its low-level capabilities, SoftICE is also popular as a software cracking tool.
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.
In computing, a page fault is an exception that the memory management unit (MMU) raises when a process accesses a memory page without proper preparations. Accessing the page requires a mapping to be added to the process's virtual address space. Besides, the actual page contents may need to be loaded from a backing store, such as a disk. The MMU detects the page fault, but the operating system's kernel handles the exception by making the required page accessible in the physical memory or denying an illegal memory access.
WinDbg is a multipurpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft. Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development. It can be used to debug user mode applications, device drivers, and the operating system itself in kernel mode.
A crash reporter is usually a system software whose function is to identify reporting crash details and to alert when there are crashes, in production or on development / testing environments. Crash reports often include data such as stack traces, type of crash, trends and version of software. These reports help software developers- Web, SAAS, mobile apps and more, to diagnose and fix the underlying problem causing the crashes. Crash reports may contain sensitive information such as passwords, email addresses, and contact information, and so have become objects of interest for researchers in the field of computer security.
Hibernation in computing is powering down a computer while retaining its state. When hibernation begins, the computer saves the contents of its random access memory (RAM) to a hard disk or other non-volatile storage. When the computer is turned on the RAM is restored and the computer is exactly as it was before entering hibernation. Hibernation was first implemented in 1992 and patented by Compaq Computer Corporation in Houston, Texas. As of 2020, Microsoft's Windows 10 employs a type of hibernation by default when shutting down.
Windows Error Reporting (WER) is a crash reporting technology introduced by Microsoft with Windows XP and included in later Windows versions and Windows Mobile 5.0 and 6.0. Not to be confused with the Dr. Watson debugging tool which left the memory dump on the user's local machine, Windows Error Reporting collects and offers to send post-error debug information using the Internet to Microsoft when an application crashes or stops responding on a user's desktop. No data is sent without the user's consent. When a crash dump reaches the Microsoft server, it is analyzed, and information about a solution is sent back to the user if available. Solutions are served using Windows Error Reporting Responses. Windows Error Reporting runs as a Windows service. Kinshuman is the original architect of WER. WER was also included in the ACM hall of fame for its impact on the computing industry.
A debug symbol is a special kind of symbol that attaches additional information to the symbol table of an object file, such as a shared library or an executable. This information allows a symbolic debugger to gain access to information from the source code of the binary, such as the names of identifiers, including variables and routines.
A kernel debugger is a debugger present in some operating system kernels to ease debugging and kernel development by the kernel developers. A kernel debugger might be a stub implementing low-level operations, with a full-blown debugger such as GNU Debugger (gdb), running on another machine, sending commands to the stub over a serial line or a network connection, or it might provide a command line that can be used directly on the machine being debugged.
Process Monitor is a tool from Windows Sysinternals, part of the Microsoft TechNet website. The tool monitors and displays in real-time all file system activity on a Microsoft Windows or Unix-like operating system. It combines two older tools, FileMon and RegMon and is used in system administration, computer forensics, and application debugging.
The Blue Screen of Death (BSoD), officially known as a Stop error, Blue screen error, fatal error, bugcheck, Stop error screen, Stop message, or Blue Screen, is a critical error screen displayed by the Microsoft Windows or ReactOS operating systems in the event of a fatal system error. It indicates a system crash, in which the operating system has reached a critical condition where it can no longer operate safely. Possible issues include hardware failure, an issue with or without a device driver, or unexpected termination of a crucial process or thread.
The Java Development Kit (JDK) is a distribution of Java Technology by Oracle Corporation. It implements the Java Language Specification (JLS) and the Java Virtual Machine Specification (JVMS) and provides the Standard Edition (SE) of the Java Application Programming Interface (API). It is derivative of the community driven OpenJDK which Oracle stewards. It provides software for working with Java applications. Examples of included software are the virtual machine, a compiler, performance monitoring tools, a debugger, and other utilities that Oracle considers useful for a Java programmer.
Volatility is an open-source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X, and Linux.
Docker is a set of platform as a service (PaaS) products that use OS-level virtualization to deliver software in packages called containers. The service has both free and premium tiers. The software that hosts the containers is called Docker Engine. It was first started in 2013 and is developed by Docker, Inc.
Matthieu Suiche, also known as Matt and under the username msuiche, is a French hacker and entrepreneur widely known as the founder of MoonSols, and co-founder of CloudVolumes before it was acquired by VMWare in 2014. In March 2014, Suiche was highlighted as one of the 100 key French developers in a report for French minister Fleur Pellerin.
kdump is a feature of the Linux kernel that creates crash dumps in the event of a kernel crash. When triggered, kdump exports a memory image that can be analyzed for the purposes of debugging and determining the cause of a crash. The dumped image of main memory, exported as an Executable and Linkable Format (ELF) object, can be accessed either directly through /proc/vmcore during the handling of a kernel crash, or it can be automatically saved to a locally accessible file system, to a raw device, or to a remote system accessible over network.
In computing, virtual machine introspection (VMI) is a technique "for monitoring the runtime state of a system-level virtual machine (VM)", which is helpful for debugging or forensic analysis.
ProcDump is a command-line application used for monitoring an application for CPU spikes and creating crash dumps during a spike. The crash dumps can then be used by an administrator or software developer to determine the cause of the spike. ProcDump supports monitoring of hung windows and unhandled exceptions. It can also create dumps based on the values of system performance counters.