Memory forensics is forensic analysis of a computer's memory dump. Its primary application is the investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive. Consequently, the memory (RAM) must be analyzed for forensic information. Because RAM is volatile, the dump has to be acquired while the system is still running, or recovered from a file the operating system itself has written, such as a hibernation file or a crash dump.
History
Zeroth generation tools
Prior to 2004, memory forensics was done on an ''ad hoc'' basis, using generic data analysis tools like strings and grep. These tools were not created for memory forensics and are therefore difficult to use for it and provide limited information: they know nothing about the layout of the dump, so in general their primary use is to extract text (process names, file paths, URLs, commands) from the memory dump.
Many operating systems provide features to kernel developers and end users to create a snapshot of physical memory, either for debugging (core dump or Blue Screen of Death) or for user experience (hibernation). In the case of Microsoft Windows, crash dumps and hibernation have been present since Windows NT. Microsoft crash dumps have always been analyzable with Microsoft WinDbg, and Windows hibernation files (hiberfil.sys), which store the RAM contents in a compressed form of their own, can nowadays be converted into Microsoft crash dumps using utilities such as the MoonSols Windows Memory Toolkit designed by Matthieu Suiche.
First generation tools
In February 2004, Michael Ford introduced memory forensics into security investigations with an article in SysAdmin Magazine [Ford, Michael (2004). "Linux Memory Forensics". SysAdmin Magazine]. In that article, he demonstrated analysis of a memory-based rootkit. The process utilized the existing Linux crash utility as well as two tools developed specifically to recover and analyze the memory forensically, memget and mempeek.
In 2005, DFRWS issued a Memory Analysis Forensics Challenge [DFRWS 2005 Forensics Challenge]. In response to this challenge, more tools in this generation, specifically designed to analyze memory dumps, were created. These tools had knowledge of the operating system's internal data structures, and were thus capable of reconstructing the operating system's process list and process information. Because those structures change between kernel versions, a structure-aware tool must know the exact layout of the kernel whose memory it is analyzing. Although intended as research tools, they proved that operating-system-level memory forensics is possible and practical.
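As an added example (not code from this page or from any of the tools it names), the constructed Python script below contrasts the two approaches described in this section: a zeroth-generation strings scan of the raw dump, and a structure-aware walk of the kernel's process list as the first-generation tools performed it. The 4 KiB memory image, the 32-byte process-block layout, the list-head offset and every process name are invented for the demonstration and imitate only the general idea of a doubly linked list of process structures; they are not real Windows or Linux structures. The script also goes one step beyond the text: it signature-scans the image for process blocks and compares the result with the linked list, which is how an entry that a memory-based rootkit has unlinked from the list can be surfaced.

```python
import re
import struct

# Hypothetical process-block layout used by this constructed image.
# It imitates the idea of a kernel process list (a circular doubly linked
# list of process structures), not any real Windows or Linux structure.
#   0x00  4s   tag    constant b"Proc"
#   0x04  I    pid
#   0x08  I    flink  physical offset of the next block
#   0x0C  I    blink  physical offset of the previous block
#   0x10  16s  name   NUL-padded ASCII image name
PROC_FMT = "<4sIII16s"
PROC_SIZE = struct.calcsize(PROC_FMT)   # 32 bytes
TAG = b"Proc"
IMAGE_SIZE = 0x1000
HEAD = 0x200   # offset of the list head (the "System" block) in our image


def _block(pid, flink, blink, name):
    """Serialize one process block in the hypothetical layout."""
    return struct.pack(PROC_FMT, TAG, pid, flink, blink, name.encode("ascii"))


def _put(img, off, data):
    img[off:off + len(data)] = data


def build_image():
    """Constructed 4 KiB 'physical memory' image.

    Three processes form a circular doubly linked list. A fourth block
    (evil.exe) has been unlinked DKOM-style: its own pointers still reference
    its former neighbours, but no block in the list points to it.
    """
    img = bytearray(IMAGE_SIZE)
    # Filler that a strings-based analyst would also see, including a decoy
    # that contains the tag bytes but is not a process block.
    _put(img, 0x040, b"Process list dumped by ring0")
    _put(img, 0x0a0, b"C:\\Windows\\System32\\")
    _put(img, 0x200, _block(4,    0x400, 0x600, "System"))
    _put(img, 0x400, _block(312,  0x600, 0x200, "svchost.exe"))
    _put(img, 0x600, _block(980,  0x200, 0x400, "explorer.exe"))
    _put(img, 0x800, _block(1337, 0x200, 0x600, "evil.exe"))   # unlinked
    return bytes(img)


def extract_strings(image, min_len=4):
    """Zeroth-generation analysis: printable ASCII runs, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[ -~]{%d,}" % min_len, image)]


def parse_block(image, off):
    tag, pid, flink, blink, name = struct.unpack_from(PROC_FMT, image, off)
    return {"offset": off, "pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode("ascii", "replace")}


def _has_tag(image, off):
    return 0 <= off <= len(image) - PROC_SIZE and image[off:off + 4] == TAG


def walk_process_list(image, head=HEAD):
    """First-generation style: follow flink from the head until it wraps.
    Bounds and visited checks keep a corrupted list from looping forever."""
    procs, seen, off = [], set(), head
    while _has_tag(image, off) and off not in seen:
        seen.add(off)
        blk = parse_block(image, off)
        procs.append(blk)
        off = blk["flink"]
        if off == head:
            break
    return procs


def scan_process_blocks(image):
    """Signature scan: every tagged, internally consistent block, whether or
    not anything links to it. The pointer checks reject the text decoy."""
    found, pos = [], image.find(TAG)
    while pos != -1:
        if pos % 4 == 0 and pos <= len(image) - PROC_SIZE:
            blk = parse_block(image, pos)
            if (blk["pid"] > 0 and _has_tag(image, blk["flink"])
                    and _has_tag(image, blk["blink"]) and blk["name"].isprintable()):
                found.append(blk)
        pos = image.find(TAG, pos + 1)
    return found


def find_hidden_processes(image, head=HEAD):
    """Cross-view detection: blocks the scanner sees but the list walk misses."""
    linked = {p["offset"] for p in walk_process_list(image, head)}
    return [p for p in scan_process_blocks(image) if p["offset"] not in linked]


if __name__ == "__main__":
    image = build_image()
    print("strings:", [s for s in extract_strings(image) if s.endswith(".exe")])
    print("linked :", [(p["pid"], p["name"]) for p in walk_process_list(image)])
    print("hidden :", [(p["pid"], p["name"]) for p in find_hidden_processes(image)])
```

The strings pass does surface "evil.exe", but only as an anonymous piece of text with no PID, no parent and no way to tell a live process from a stale fragment; the structure walk gives a real process table yet misses the unlinked block entirely, which is exactly why later tools combine list walking with scanning.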
Second generation tools
Subsequently, several memory forensics tools were developed intended for practical use. These include both commercial tools like Responder PRO, Memoryze, MoonSols Windows Memory Toolkit, winen and Belkasoft Live RAM Capturer (several of which, such as winen and Belkasoft Live RAM Capturer, are primarily tools for acquiring the memory image rather than analyzing it), and open source tools like Volatility. New features have been added, such as analysis of Linux and Mac OS X memory dumps, and substantial academic research has been carried out.
Unlike Microsoft Windows, interest in Mac OS X memory forensics is relatively new and was only initiated by Matthieu Suiche in 2010 at the Black Hat Briefings security conference.
Currently, memory forensics is a standard component of incident response.
Third generation tools
Since 2010, more utilities have appeared that focus on the virtualization aspect of memory analysis, that is, analyzing the memory of virtual machines. One such tool is MoonSols LiveCloudKd, presented by Matthieu Suiche at the Microsoft BlueHat Security Briefings. It inspired a new feature in Microsoft LiveKd written by Mark Russinovich ["LiveKd for Virtual Machines Debugging"] that allows virtual machine introspection: the memory of a guest virtual machine is accessed from the host, either to analyze it directly with the assistance of Microsoft WinDbg or to acquire a memory dump in the Microsoft crash dump file format, without installing anything inside the guest.
References
Ford, Michael (2004). "Linux Memory Forensics". SysAdmin Magazine.
DFRWS 2005 Forensics Challenge.
"LiveKd for Virtual Machines Debugging".