Difference between pages "Windows Memory Analysis" and "Bibliography"

From ForensicsWiki
(Sample Memory Images: Sample images containing communication artifacts added.)
 
(Disk Disposal and Data Recovery: Added SSD article)
 
Line 1: Line 1:
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
+
=Disk Disposal and Data Recovery=
 +
* [http://forensic.belkasoft.com/download/info/SSD%20Forensics%202012.pdf Why SSD Drives Destroy Court Evidence, and What Can Be Done About It] by Oleg Afonin and Yuri Gubanov, 2012
 +
* [http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf Disk Imaging: A Vital Step in Data Recovery], DeepSpar Data Recovery Systems, November 2006. An in depth look at the many issues that cause data loss / irretrievable data in the data recovery imaging process and how to overcome them.
 +
* [http://www.actionfront.com/ts_whitepaper.asp Drive-Independent Data Recovery: The Current State-of-the-Art], ActionFront Data Recovery Labs, August 2005.
 +
* [[Recovering Overwritten Data#The Gutmann Paper|Secure Deletion of Data from Magnetic and Solid-State Memory]], Peter Gutmann, Proceedings of the Sixth Usenix Security Symposium, 1996. [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html]
 +
* [http://www-03.ibm.com/financing/pdf/us/recovery/igf4-a032.pdf Hard Drive Disposal: The Overlooked Confidentiality Exposure], FInancial Perspectives, IBM White Paper, November 2003.
  
== Sample Memory Images ==
+
<bibtex>
 +
@Article{garfinkel:remembrance,
 +
  author =       "Simson Garfinkel and Abhi Shelat",
 +
  author_a =       "Simson L. Garfinkel and Abhi Shelat",
 +
  title =       "Remembrance of Data Passed",
 +
  journal =     "{IEEE} Security and Privacy Magazine",
 +
  publisher =    "IEEE",
 +
  year      =        "2002",
 +
  month    = Jan,
 +
  url="http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf"
 +
}
 +
</bibtex>
  
Getting started with memory analysis can be difficult without some known images to practice with.
+
=Evidence Gathering=
  
* The 2005 [[Digital Forensic Research Workshop]] [http://www.dfrws.org/2005/challenge/ Memory Analysis Challenge] published two Windows 2000 Service Pack 1 memory images with some [[malware]] installed.
+
* [http://utdallas.edu/~sxs018540/index/docs/byteprints_itcc05.pdf Byteprints: A Tool to Gather Digital Evidence], Sriranjani Sitaraman, Srinivasan Krishnamurthy and S. Venkatesan, Proceedings of the International Conference on Information Technology (ITCC 2005), Las Vegas, Nevada, USA, April 4 - 6, 2005
  
* The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
+
=Fake Information=
  
* The [[CFReDS Project]] has created some [http://www.cfreds.nist.gov/mem/memory-images.rar downloadable memory images].
+
* [https://analysis.mitre.org/proceedings/Final_Papers_Files/84_Camera_Ready_Paper.pdf Automatic Detection of Fake File Systems], Neil C. Rowe, International Conference on Intelligence Analysis Methods and Tools, McLean, Virginia, May 2005.
  
* A number of RAM images can be downloaded from http://forensic.belkasoft.com/bfs/en/download.asp. Images include ones with Gmail emails, Skype activity, Paltalk chats, browser URLs etc.
+
=Feature Extraction and Data Fusion=
 +
Computer Location Determination Through Geoparsing and Geocoding of
 +
Extracted Features
 +
http://www2.chadsteel.com:8080/Publications/drive_location2.doc
 +
<bibtex>
 +
@inproceedings{garfinkel:cda,
 +
  title="Forensic feature extraction and cross-drive analysis",
 +
  author="Simson Garfinkel",
 +
  booktitle={Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS)},
 +
  address = "Lafayette, Indiana",
 +
  journal="Digital Investigation",
 +
  year=2006,
 +
  month=Aug,
 +
  url="http://www.dfrws.org/2006/proceedings/10-Garfinkel.pdf",
 +
  location="Lafayette, Indiana"
 +
}
 +
</bibtex>
  
== See Also ==
+
=Text Mining=
* [[Memory analysis]]
+
* [[Tools:Memory Imaging]]
+
* [[Pagefile.sys]]
+
* [http://msdn.microsoft.com/en-us/library/aa366778%28VS.85%29.aspx Memory Limits for Windows Releases], Microsoft MSDN.
+
  
== History ==
+
'''Computer Forensic Text Analysis with Open Source Software,''' Christian Johansson, Masters Thesis, Blekinge Tekniska Hogskola, June 2003  http://www.fukt.bth.se/~uncle/papers/master/thesis.pdf
  
During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during [[Incident Response|incident response]]. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.  
+
=Signed Evidence=
 +
<bibtex>
 +
@article{duerr-2004,
 +
  title="Information Assurance Applied to Authentication of Digital Evidence",
 +
  author="Thomas E. Duerr and Nicholas D. Beser and Gregory P. Staisiunas",
 +
  year=2004,
 +
  journal="Forensic Science Communications",
 +
  volume=6,
 +
  number=4,
 +
  url="http://www.fbi.gov/hq/lab/fsc/backissu/oct2004/research/2004_10_research01.htm"
 +
}
 +
</bibtex>
  
In the summer 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called [[memparser]]. The second, by [[George Garner]] and [[Robert-Jan Mora]] produced [[KnTList]].
 
  
At the [[Blackhat (conference)|Blackhat Federal]] conference in March 2007, [[AAron Walters]] and [[Nick Petroni]] released a suite called [[volatools]]. Although it only worked on [[Windows XP]] Service Pack 2 images, it was able to produce a number of useful data. [[volatools]] was updated and re-released as [[Volatility]] in August 2007, and is now maintained and distributed by [https://www.volatilesystems.com/ Volatile Systems].
+
<bibtex>
 +
@article{OppligerR03,
 +
  author    = {Rolf Oppliger and Ruedi Rytz},
 +
  title    = {Digital Evidence: Dream and Reality},
 +
  journal  = {IEEE Security {\&} Privacy},
 +
  volume    = {1},
 +
  number    = {5},
 +
  year      = {2003},
 +
  pages    = {44-48},
 +
  url      = {http://doi.ieeecomputersociety.org/10.1109/MSECP.2003.1236234},
 +
  abstract="Digital evidence is inherently weak. New evidence-gathering technologies-digital black boxes-must be developed and deployed to support investigations of irreproducible events such as digitally signing a document."
 +
}
 +
</bibtex>
  
==Bibliography==
+
=Theory=
; 2012
+
'''A Hypothesis-Based Approach to Digital Forensic Investigations,''' Brian D. Carrier, Ph.D. Dissertation
* [http://events.ccc.de/congress/2012/Fahrplan/events/5301.en.html Defeating Windows memory forensics], by Luka Milkovic, 29C3: 29th Chaos Communication Congress
+
Purdue University, May 2006 https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2006-06.pdf
; 2011
+
* [http://prezi.com/goocmfeuiqdf/tracking-stuxnets-footprint-through-memory/ Tracking Stuxnet's Footprint Through Memory], Michael Ligh, Open Memory Forensics Workshop
+
; 2010
+
* [http://dfrws.org/2010/proceedings/2010-307.pdf Extracting Windows Command Line Details from Physical Memory], Richard Stevens and Eoghan Casey, DFRWS
+
; 2009
+
* [http://www.cc.gatech.edu/~brendan/ccs09_siggen.pdf Robust Signatures for Kernel Data Structures] B. Dolan-Gavitt, et al., ACM Conference on Computer and Communications Security
+
* [http://www.shakacon.org/talks/NFI-Shakacon-win32dd0.3.pdf Win32dd : Challenges of Windows physical memory acquisition and exploitation], Matthieu Suiche, Netherlands Forensics Institute, Shakacon - June 2009
+
; 2008
+
* [http://citp.princeton.edu/memory/ Lest We Remember: Cold Boot Attacks on Encryption Keys] ([http://citp.princeton.edu.nyud.net/pub/coldboot.pdf PDF]), Usenix Security 2008 (Best student paper)
+
* [http://blogs.technet.com/markrussinovich/archive/2008/07/21/3092070.aspx Pushing the Limits of Windows: Physical Memory], Mark Russinovich, Technet Blogs, July 21, 2008
+
* [http://www.dfrws.org/2008/proceedings/p58-schuster.pdf The impact of Microsoft Windows pool allocation strategies on memory forensics], Andreas Schuster, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p58-schuster_pres.pdf [slides]]
+
* [http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf Finding Digital Evidence In Physical Memory], Mariusz Burdach, Black Hat Federal, 2008
+
* [http://www.dfrws.org/2008/proceedings/p52-vanBaar.pdf Forensic Memory Analysis: Files mapped in memory], Ruud van Baar, DFRWS 2008, [http://www.dfrws.org/2008/proceedings/p52-vanBaar_pres.pdf [slides]]
+
* [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
+
  
; 2007
+
=Other Papers=
* [http://www.first.org/conference/2007/papers/rutkowska-joanna-slides.pdf Beyond The CPU: Defeating Hardware Based RAM Acquisition (part I: AMD case)], Joanna Rutkowska COSEINC Advanced Malware Labs
+
* [http://www.dfrws.org/2007/proceedings/p114-arasteh.pdf Forensic Memory Analysis: From Stack and Code to Execution History], Ali Reza Arasteh and Mourad Debbabi, DFRWS 2007
+
* [http://www.dfrws.org/2007/proceedings/p126-schatz.pdf BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software], Bradley Schatz, DFRWS 2007
+
* [http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf The VAD Tree: A Process-Eye View of Physical Memory], Brendan F Dolan-Gavitt, DFRWS 2007
+
* [http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf FireWire Memory Dump of a Windows XP Computer: A Forensic Approach], Antonio Martin, 2007
+
  
; 2006
+
* [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782 A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?], Peter P. Swire, Moritz College of Law of the Ohio State University, Journal on Telecommunications and High Technology Law, Vol. 2, 2004.
* [http://www.dfrws.org/2006/proceedings/2-Schuster.pdf Searching for Processes and Threads in Microsoft Windows Memory Dumps], Andreas Schuster, Deutsche Telekom AG, Germany, DFRWS 2006
+
* Using every part of the buffalo in Windows memory an, Jesse D. Kornblum, DFRWS 2006
+
 
+
== External Links ==
+
; Jesse Kornblum Memory Analysis discussion on Cyberspeak
+
: http://cyberspeak.libsyn.com/index.php?post_id=98104
+
; Memory Analysis Bibliography
+
: http://www.4tphi.net/fatkit/#links
+
  
 
[[Category:Bibliographies]]
 
[[Category:Bibliographies]]
[[Category:Memory Analysis]]
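Review bot: the Kornblum DFRWS 2006 entry under "2006" is cut off mid-title ("Using every part of the buffalo in Windows memory an") and, unlike the neighbouring DFRWS entries, carries no link; the title should be completed and a proceedings URL added so the entry is usable. Smaller points in the same hunk: "FInancial Perspectives" in the IBM white-paper entry has a stray capital, the Chad Steel geoparsing entry under "Feature Extraction and Data Fusion" gives only a URL with no author, venue or year, and [[Category:Bibliographies]] is emitted twice at the end of the page.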
 

Revision as of 06:28, 26 June 2013

Disk Disposal and Data Recovery

Simson Garfinkel, Abhi Shelat - Remembrance of Data Passed
IEEE Security and Privacy Magazine, January 2002
http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf

Evidence Gathering

  • Byteprints: A Tool to Gather Digital Evidence, Sriranjani Sitaraman, Srinivasan Krishnamurthy and S. Venkatesan, Proceedings of the International Conference on Information Technology (ITCC 2005), Las Vegas, Nevada, USA, April 4 - 6, 2005

Fake Information

Feature Extraction and Data Fusion

Computer Location Determination Through Geoparsing and Geocoding of Extracted Features http://www2.chadsteel.com:8080/Publications/drive_location2.doc

Simson Garfinkel - Forensic feature extraction and cross-drive analysis
Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS), Lafayette, Indiana, August 2006
http://www.dfrws.org/2006/proceedings/10-Garfinkel.pdf

Text Mining

Computer Forensic Text Analysis with Open Source Software, Christian Johansson, Masters Thesis, Blekinge Tekniska Hogskola, June 2003 http://www.fukt.bth.se/~uncle/papers/master/thesis.pdf

Signed Evidence

Thomas E. Duerr, Nicholas D. Beser, Gregory P. Staisiunas - Information Assurance Applied to Authentication of Digital Evidence
Forensic Science Communications 6(4), 2004
http://www.fbi.gov/hq/lab/fsc/backissu/oct2004/research/2004_10_research01.htm


Rolf Oppliger, Ruedi Rytz - Digital Evidence: Dream and Reality
IEEE Security & Privacy 1(5):44-48, 2003
http://doi.ieeecomputersociety.org/10.1109/MSECP.2003.1236234

Theory

A Hypothesis-Based Approach to Digital Forensic Investigations, Brian D. Carrier, Ph.D. Dissertation Purdue University, May 2006 https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2006-06.pdf

Other Papers