Difference between pages "Solid State Drive (SSD) Forensics" and "Windows Memory Analysis"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Bibliography: added recent article on SSD forensics.)
 
(Sample Memory Images: Sample images containing communication artifacts added.)
 
Line 1: Line 1:
Solid State Drives pose a variety of interesting challenges for computer forensics in comparison with traditional rotating magnetic platter hard drives.  
+
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
  
Most SSD devices are based on flash memory; some have battery backed SRAM or DRAM with a flash backing store.
+
== Sample Memory Images ==
  
Flash has a number of key properties that complicate its use in computer storage systems and subsequent forensic analysis:
+
Getting started with memory analysis can be difficult without some known images to practice with.  
# Internally, flash memory is not divided into the traditional 512 byte blocks, but instead is in pages of 2KiB, 4KiB, or larger, although it is still presented to the host computer in blocks
+
# Whilst hard drives can be written in a single pass, flash memory pages must be erased (in whole) before they can be rewritten.
+
# Rewriting a block at the operating system level does not necessarily rewrite the same page in the flash memory due to the controller remapping data to spread wear or avoid failing pages
+
# Each page can be erased and rewritten a limited number of times – typically 1000 to 10,000. (Hard drive sectors, in contrast, can be rewritten millions of times or more.)
+
# Flash data is often encrypted on the drive, and can be "erased" by telling the controller to forget the old key and generate a new one, as well as marking all blocks as unused
+
  
The controller in a flash SSD is significantly more complex in the number of tasks it has to perform in comparison to a magnetic rotating drive, with the following features:
+
* The 2005 [[Digital Forensic Research Workshop]] [http://www.dfrws.org/2005/challenge/ Memory Analysis Challenge] published two Windows 2000 Service Pack 1 memory images with some [[malware]] installed.
# ''wear leveling'' – that is, spreading the writes to flash out among different sectors. Wear leveling is typically done with a ''flash translation layer'' that maps ''logical sectors'' (or LBAs) to ''physical pages''. Most FTLs are contained within the SSD device and are not accessible to end users.
+
# ''read/modify/relocate+write'' - if the controller allows rewriting of a partial flash page, it must read the entire page, modify the sector that is being written, and write the new flash page in a new/fresh location which has been previously erased. the old pre-modification data's page is then queued for erase.
+
  
 +
* The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
  
 +
* The [[CFReDS Project]] has created some [http://www.cfreds.nist.gov/mem/memory-images.rar downloadable memory images].
 +
 +
* A number of RAM images can be downloaded from http://forensic.belkasoft.com/bfs/en/download.asp. Images include ones with Gmail emails, Skype activity, Paltalk chats, browser URLs etc.
 +
 +
== See Also ==
 +
* [[Memory analysis]]
 +
* [[Tools:Memory Imaging]]
 +
* [[Pagefile.sys]]
 +
* [http://msdn.microsoft.com/en-us/library/aa366778%28VS.85%29.aspx Memory Limits for Windows Releases], Microsoft MSDN.
 +
 +
== History ==
 +
 +
During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during [[Incident Response|incident response]]. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.
 +
 +
In the summer 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called [[memparser]]. The second, by [[George Garner]] and [[Robert-Jan Mora]] produced [[KnTList]].
 +
 +
At the [[Blackhat (conference)|Blackhat Federal]] conference in March 2007, [[AAron Walters]] and [[Nick Petroni]] released a suite called [[volatools]]. Although it only worked on [[Windows XP]] Service Pack 2 images, it was able to produce a number of useful data. [[volatools]] was updated and re-released as [[Volatility]] in August 2007, and is now maintained and distributed by [https://www.volatilesystems.com/ Volatile Systems].
  
 
==Bibliography==
 
==Bibliography==
<bibtex>
+
; 2012
@inproceedings{wei2011,
+
* [http://events.ccc.de/congress/2012/Fahrplan/events/5301.en.html Defeating Windows memory forensics], by Luka Milkovic, 29C3: 29th Chaos Communication Congress
  author = {Yuri Gubanov, Oleg Afonin},
+
; 2011
  title = {Why SSD Drives Destroy Court Evidence, and What Can Be Done About It},
+
* [http://prezi.com/goocmfeuiqdf/tracking-stuxnets-footprint-through-memory/ Tracking Stuxnet's Footprint Through Memory], Michael Ligh, Open Memory Forensics Workshop
  booktitle={Article},
+
; 2010
  year = 2012,
+
* [http://dfrws.org/2010/proceedings/2010-307.pdf Extracting Windows Command Line Details from Physical Memory], Richard Stevens and Eoghan Casey, DFRWS
  keywords = {ssd forensics},
+
; 2009
  added-at = {2012-09-01T09:00:00.000+0100},
+
* [http://www.cc.gatech.edu/~brendan/ccs09_siggen.pdf Robust Signatures for Kernel Data Structures] B. Dolan-Gavitt, et al., ACM Conference on Computer and Communications Security
  url={http://forensic.belkasoft.com/en/why-ssd-destroy-court-evidence}
+
* [http://www.shakacon.org/talks/NFI-Shakacon-win32dd0.3.pdf Win32dd : Challenges of Windows physical memory acquisition and exploitation], Matthieu Suiche, Netherlands Forensics Institute, Shakacon - June 2009
}
+
; 2008
</bibtex>
+
* [http://citp.princeton.edu/memory/ Lest We Remember: Cold Boot Attacks on Encryption Keys] ([http://citp.princeton.edu.nyud.net/pub/coldboot.pdf PDF]), Usenix Security 2008 (Best student paper)
 +
* [http://blogs.technet.com/markrussinovich/archive/2008/07/21/3092070.aspx Pushing the Limits of Windows: Physical Memory], Mark Russinovich, Technet Blogs, July 21, 2008
 +
* [http://www.dfrws.org/2008/proceedings/p58-schuster.pdf The impact of Microsoft Windows pool allocation strategies on memory forensics], Andreas Schuster, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p58-schuster_pres.pdf [slides]]
 +
* [http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf Finding Digital Evidence In Physical Memory], Mariusz Burdach, Black Hat Federal, 2008
 +
* [http://www.dfrws.org/2008/proceedings/p52-vanBaar.pdf Forensic Memory Analysis: Files mapped in memory], Ruud van Baar, DFRWS 2008, [http://www.dfrws.org/2008/proceedings/p52-vanBaar_pres.pdf [slides]]
 +
* [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
 +
 
 +
; 2007
 +
* [http://www.first.org/conference/2007/papers/rutkowska-joanna-slides.pdf Beyond The CPU: Defeating Hardware Based RAM Acquisition (part I: AMD case)], Joanna Rutkowska COSEINC Advanced Malware Labs
 +
* [http://www.dfrws.org/2007/proceedings/p114-arasteh.pdf Forensic Memory Analysis: From Stack and Code to Execution History], Ali Reza Arasteh and Mourad Debbabi, DFRWS 2007
 +
* [http://www.dfrws.org/2007/proceedings/p126-schatz.pdf BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software], Bradley Schatz, DFRWS 2007
 +
* [http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf The VAD Tree: A Process-Eye View of Physical Memory], Brendan F Dolan-Gavitt, DFRWS 2007
 +
* [http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf FireWire Memory Dump of a Windows XP Computer: A Forensic Approach], Antonio Martin, 2007
 +
 
 +
; 2006
 +
* [http://www.dfrws.org/2006/proceedings/2-Schuster.pdf Searching for Processes and Threads in Microsoft Windows Memory Dumps], Andreas Schuster, Deutsche Telekom AG, Germany, DFRWS 2006
 +
* Using every part of the buffalo in Windows memory an, Jesse D. Kornblum, DFRWS 2006
  
<bibtex>
+
== External Links ==
@inproceedings{wei2011,
+
; Jesse Kornblum Memory Analysis discussion on Cyberspeak
  author = {Michael Wei and Laura M. Grupp and Frederick M. Spada and Steven Swanson},
+
: http://cyberspeak.libsyn.com/index.php?post_id=98104
  title = {Reliably Erasing Data from Flash-Based Solid State Drives},
+
; Memory Analysis Bibliography
  booktitle={FAST 2011},
+
: http://www.4tphi.net/fatkit/#links
  year = 2011,
+
  keywords = {erasing flash security ssd},
+
  added-at = {2011-02-22T09:22:03.000+0100},
+
  url={http://cseweb.ucsd.edu/users/m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf},
+
  biburl = {http://www.bibsonomy.org/bibtex/27c408ad559fc19f829717f485707a909/schmidt2}
+
}
+
</bibtex>
+
<bibtex>
+
@article{bell2011,
+
author="Graeme B. Bell and Richard Boddington",
+
title="Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?",
+
journal="Journal of Digital Forensics, Security and Law",
+
volume=5,
+
issue=3,
+
year=2011,
+
url={http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf}
+
}
+
</bibtex>
+
<bibtex>
+
@inproceedings{Billard:2010:MSU:1774088.1774426,
+
author = {Billard, David and Hauri, Rolf},
+
title = {Making sense of unstructured flash-memory dumps},
+
booktitle = {Proceedings of the 2010 ACM Symposium on Applied Computing},
+
series = {SAC '10},
+
year = {2010},
+
isbn = {978-1-60558-639-7},
+
location = {Sierre, Switzerland},
+
pages = {1579--1583},
+
numpages = {5},
+
url = {http://doi.acm.org/10.1145/1774088.1774426},
+
doi = {http://doi.acm.org/10.1145/1774088.1774426},
+
acmid = {1774426},
+
publisher = {ACM},
+
address = {New York, NY, USA},
+
keywords = {cell phone, computer forensics, file carving, flash-memory dumps, forensics},
+
}
+
</bibtex>
+
<bibtex>
+
@mastersthesis{regan:2009,
+
  title="The Forensic Potential of Flash Memory",
+
  author="James E. Regan",
+
  school="Naval Postgraduate School",
+
  address="Monterey, CA",
+
  date=Sep,
+
  year=2009,
+
  pages=86,
+
  url="http://handle.dtic.mil/100.2/ADA509258"
+
}
+
</bibtex>
+
<bibtex>
+
@inproceedings{Phillips:2008:RDU:1363217.1363243,
+
author = {Phillips, B. J. and Schmidt, C. D. and Kelly, D. R.},
+
title = {Recovering data from USB flash memory sticks that have been damaged or electronically erased},
+
booktitle = {Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop},
+
series = {e-Forensics '08},
+
year = {2008},
+
isbn = {978-963-9799-19-6},
+
location = {Adelaide, Australia},
+
pages = {19:1--19:6},
+
articleno = {19},
+
numpages = {6},
+
url = {http://portal.acm.org/citation.cfm?id=1363217.1363243},
+
acmid = {1363243},
+
publisher = {ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering)},
+
address = {ICST, Brussels, Belgium, Belgium},
+
keywords = {data recovery, flash memory, semiconductor data remanence},
+
}
+
</bibtex>
+
  
==Presentations==
+
[[Category:Bibliographies]]
* [http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html Milan Broz's blog - TRIM & dm-crypt ... problems?]
+
[[Category:Memory Analysis]]
* [http://www.snia.org/events/storage-developer2009/presentations/thursday/NealChristiansen_ATA_TrimDeleteNotification_Windows7.pdf ATA Trim / Delete Notification Support in Windows 7], Neal Christiansen, Storage Developer 2009
+
* [http://www.slideshare.net/digitalassembly/challenges-of-ssd-forensic-analysis Challenges of SSD Forensic Analysis], Digital Assembly,
+
* [http://www.youtube.com/watch?v=WcO7xn0wJ2I Solid State Drives: Ruining Forensics], by Scott Moulton, DEFCON 16 (2008)
+
* Scott Moulton, Shmoocon 20008,  SSD drives vs. Hard Drives.
+
** [http://www.youtube.com/watch?v=l4hbdZFWGog SSD Flash Hard Drives - Shmoocon 2008 - Part 1]
+
** [http://www.youtube.com/watch?v=mglEnIPnzjo SSD Flash Hard Drives - Shmoocon 2008 - Part 2]
+
** [http://www.youtube.com/watch?v=3psy_d-pyNg SSD Flash Hard Drives - Shmoocon 2008 - Part 3]
+
** [http://www.youtube.com/watch?v=pKeZvhDd5c4 SSD Flash Hard Drives - Shmoocon 2008 - Part 4]
+
** [http://www.youtube.com/watch?v=9XMBdDypSO4 SSD Flash Hard Drives - Shmoocon 2008 - Part 5]
+
** [http://www.youtube.com/watch?v=LY36SWbfQg0 SSD Flash Hard Drives - Shmoocon 2008 - Part 6]
+
* [http://risky.biz/RB185 Risky Business #185], Peter Gutmann talks SSD forensics, March 4, 2011 (Radio Show)
+

Revision as of 10:19, 28 March 2013

Analysis of physical memory from Windows systems can yield significant information about the target operating system. This field is still very new, but holds great promise.

Sample Memory Images

Getting started with memory analysis can be difficult without some known images to practice with.

See Also

History

During the 1990s, it became a best practice to capture a memory image during incident response. At the time, the only way to analyze such memory images was using strings. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.

In the summer 2005 the Digital Forensic Research Workshop published a Memory Analysis Challenge. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by Chris Betz, introduced a tool called memparser. The second, by George Garner and Robert-Jan Mora produced KnTList.

At the Blackhat Federal conference in March 2007, AAron Walters and Nick Petroni released a suite called volatools. Although it only worked on Windows XP Service Pack 2 images, it was able to produce a number of useful data. volatools was updated and re-released as Volatility in August 2007, and is now maintained and distributed by Volatile Systems.

Bibliography

2012
2011
2010
2009
2008
2007
2006

External Links

Jesse Kornblum Memory Analysis discussion on Cyberspeak
http://cyberspeak.libsyn.com/index.php?post_id=98104
Memory Analysis Bibliography
http://www.4tphi.net/fatkit/#links