CaseRichard Memory Forensics Path
CaseRichard Memory Forensics Path
Digital Investigation
journal homepage: www.elsevier.com/locate/diin
Research Summary
a r t i c l e i n f o a b s t r a c t
Article history: Traditionally, digital forensics focused on artifacts located on the storage devices of computer systems,
Available online xxx mobile phones, digital cameras, and other electronic devices. In the past decade, however, researchers
have created a number of powerful memory forensics tools that expand the scope of digital forensics to
Keywords: include the examination of volatile memory as well. While memory forensic techniques have evolved
Memory forensics from simple string searches to deep, structured analysis of application and kernel data structures for a
Computer forensics
number of platforms and operating systems, much research remains to be done. This paper surveys the
Memory analysis
state-of-the-art in memory forensics, provide critical analysis of current-generation techniques, describe
Incident response
Malware
important changes in operating systems design that impact memory forensics, and sketches important
areas for further research.
© 2017 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.diin.2016.12.004
1742-2876/© 2017 Elsevier Ltd. All rights reserved.
Please cite this article in press as: Case, A., Richard, III, G.G., Memory forensics: The path forward, Digital Investigation (2016), http://dx.doi.org/
10.1016/j.diin.2016.12.004
2 A. Case, G.G. Richard III / Digital Investigation xxx (2016) 1e11
Phalanx2 rootkit (Case, 2012) leveraged /dev/mem in this manner as server acquired running at 75% capacity with 16GBþ of RAM is a
do many other malware variants across operating system versions. very different model than the one used to conceive current gen-
Beyond the security issues, these built-in facilities were eration memory acquisition algorithms.
becoming of limited use to investigators as systems under in-
vestigations were rapidly moving towards: Issues and limitations
With the exception of attempting to acquire memory as quickly
Having multiple CPU cores and/or physical processors installed as possible, acquisition tools currently do not make any effort to
Increasing amounts of RAM detect or work around smearing. Analysts routinely try to work
Operating system adoption to the demands of scale around smearing by leveraging hypervisor capabilities when access
to the hypervisor host is possible. As discussed in Ligh et al. (2014),
Even if the kernel devices such as /dev/mem were available, the virtualization technologies such as VMware, HyperV, and Virtual-
implementations are not safe for memory acquisition on multicore/ Box provide the ability to acquire guest memory VM from the host.
multi-CPU systems, as races to map, remap, and unmap pages can This acquisition can be performed “instantly” by leveraging
result in kernel instability. Furthermore, since the acquisition tools hypervisor-specific features, such as snapshots and suspended
reading from these interfaces are executing in userland, in-kernel states, to freeze the guest in-place. This prevents smearing from
synchronization primitives can't be used to solve the problem. occurring as the guest can no longer make modifications to mem-
Thus kernel modules must typically be loaded to allow memory to ory, and the analyst can simply copy the saved memory state from
be acquired and on multicore/multi-CPU systems, the kernel the hypervisor's file system. This approach is not universally usable,
modules must be carefully designed to pay special attention to the however, as obviously not all systems are virtualized. Furthermore,
operating system-specific rules governing how and when kernel even in virtualized environments the analyst does not always have
mode code can be interrupted (generally known as kernel pre- access to the physical host, such as in Amazon's AWS or Microsoft's
emption) (Stüttgen and Cohen, 2014). Azure. There may also be issues with temporality suspending a
The continuously increasing amount of RAM installed in sys- running virtual machine as it may affect production performance
tems leads to page smearing (Carvey, 2005), which is an inconsis- and stability.
tency between what the state of memory as described by the page
tables is versus what is actually in those pages of memory. This Future directions
issue occurs due to the time lapse between when the page tables The issues created by page smearing necessitate that memory
are acquired versus when data is acquired in other portions of RAM. acquisition tools take smearing into account during the acquisition
Smearing will be discussed in full detail in the following sections. phase. To this end, we propose several methods that may meet this
need.
Current issues e page smearing
Leveraging virtual machine hardware extensions. Our first proposed
The following sections describe current approaches to acquisi- method is a modern implementation of the BodySnatcher tool
tion across all major operating systems, along with the limitations (Schatz, 2007). BodySnatcher attempted to ‘freeze’ the running
of these approaches. Each section is structured to describe the state operating system and load a small, second operating system at
of the art, its limitations, and future directions to improve acqui- runtime. This was performed without the support of hardware-
sition techniques and procedures. We start with page smearing as it based virtual machine support as that technology was not yet in
is one of the most pressing issues. use.
We envision that a modern approach to BodySnatcher could
Current state instead leverage hardware based virtualization to cleanly:
As mentioned above, page smearing is an inconsistency that
occurs in memory captures when the acquired page tables refer- Insert a new operating system “under” the existing one
ence physical pages whose contents changed during the acquisition Freeze the existing operating system
process. In our experience, this problem is commonly encountered Write memory of the frozen operating system to removable
on systems that have 8 gigabytes or more of RAM installed as well media or the network
as systems that are under heavy load. Unfortunately, systems with
less than 8 gigabytes of RAM are increasingly uncommon and Blue Pill (Rutkowska and Tereshkin, 2008) is a famous example
servers frequently have from 16 gigabytes of RAM to hundreds of of leveraging this technology to implement rootkit functionality,
gigabytes. The increasing amount of RAM installed in computer and the same approach could be taken for defensive acquisition
systems means that nearly all captures will contain at least some purposes. Besides acquisition from native hardware, this approach
amount of smear. Depending on where the smear occurs, this can would also work for virtual machine guests where the analyst did
result in undesirable results of varying degrees of severity, from not have host access, as hardware virtualization extensions allow
memory pages belonging to one process being assigned to another for nesting of virtual machines. The downside is similar to those of
in the view of the memory analysis tool, to corrupted kernel data leveraging traditional hypervisors in that network connections and
structures. Unfortunately, memory analysis tools and frameworks other activity would be frozen for the duration of the acquisition.
have no method to automatically detect smearing as there is only This is usually not an issue for end-user systems, but is often un-
one source of data for address translation - the smeared page tables acceptable for production servers.
themselves.
The move to the cloud and the adoption of local cloud Smear-aware acquisition tools. Our second proposed method is for
computing models has led to an increase in system utilization acquisition tools to become aware of changes to the page tables as
across servers. As recommended by both the Amazon AWS acquisition is performed. Unfortunately, there is no single place in
(Amazon ec2 container serv, 2016) and Google Cloud (Scaling based the kernel that could be monitored for such changes, as applica-
on cpu or l, 2016) documentation, running systems at 75% load tions and kernel drivers continuously allocate and deallocate
achieves the greatest balance of CPU utilization without over- memory as well as making changes to memory as the acquisition
utilization as well as cost savings. An industry-wide shift to every tool runs.
Please cite this article in press as: Case, A., Richard, III, G.G., Memory forensics: The path forward, Digital Investigation (2016), http://dx.doi.org/
10.1016/j.diin.2016.12.004
A. Case, G.G. Richard III / Digital Investigation xxx (2016) 1e11 3
To work around this issue, acquisition tools could start analysis RAM. This can make acquisition of the page file take a substantial
by parsing the page table entries of every context, which includes amount of time, especially when acquisition is performed over the
the kernel's context as well as the context of every process. This network.
gathered data would then be saved to the same medium as where Accounting for demand paging also presents several problems.
the memory capture will be written. Next, memory would be ac- First, in order to determine which files are being accessed by
quired as it currently is. Upon completion, the page tables would running code requires the acquisition tool to essentially perform
then be enumerated and written out to a separate file on the memory forensics. In particular, it would need to parse the handle
storage medium. (file descriptor) tables as well as file-backed memory mappings of
Having the state of the page tables both before, during, and after each process in order to gather a list of files to acquire. This is a
acquisition would allow analysis frameworks to decide what to do substantial amount of logic to add to the acquisition tool, especially
with pages that have changed. For example, the framework could if support for a wide variety of operating systems and operating
simply choose to discard all pages that were modified when per- systems versions is important.
forming analysis of active data (e.g., running Yara rules across Second, in order to maintain the Order of Volatility, all memory
process memory). The framework could also decide to incorporate should be acquired first, and then the handle tables and memory
the changed page, but print debug messages to users that data has mappings parsed second. This will necessarily lead to incomplete
changed at particular addresses. Advanced approaches could and inconsistent data as processes will have opened and closed
include incorporating historical copies of data from places in handles during this time as well as mapped and unmapped files.
memory that used to hold the data a process referenced. We believe There is also the chance of processes terminating or being created
there are many avenues of research in this area that could be during acquisition. All of these cases would lead to missing files.
beneficial to sound memory acquisition. The last issue is that even if the acquisition tool could gather a
complete list of files needed, a blacklist of files not to acquire would
Current issue e incorporation of non-resident pages be needed. As an example on Windows, the kernel thread process
(System) can have handles open to registry hives, the hibernation
Current state file, swap files, and others. These files can be quite large and are
Besides page smearing, page swapping and demand paging are often not the targets of demand paging. Furthermore, processes
currently the biggest obstacles to complete acquisition of memory. such as database servers will have handles opened to huge files that
Page swapping is mechanism that allows for an operating system to are often not relevant and whose collection would substantially
use more memory than is actually available in RAM. To achieve this, slow down acquisition speed. Fine-tuning of which files to collect
the operating system stores excess pages in a secondary source, and which not to collect would require intensive research and any
normally in a local file system, until those pages are needed again. missing entries from the blacklist could jeopardize acquisitions.
Demand paging is a mechanism whereby the operating system
does not bring information from files on disk into memory until Future directions
they are absolutely needed, usually as a result of a read or a write Due to the importance of data in the swap file, we feel that it is
operation to a portion of a file. crucial for the acquisition process to correctly acquire the swap file
Combined, these issues prevent analysts from gaining a com- as well as for acquisition to then incorporate analysis of it. In this
plete picture of what was happening on the system at the time of subsection we describe our proposed methods for acquisition tools
acquisition. As discussed in Ligh et al. (2014), the pages that are to acquire the swap file with limited (or no) smear, and in Section
commonly swapped to disk are those that are associated with “Area of focus e memory analysis” we describe how analysis
userland processes and not the kernel. Such pages will have frameworks can seamlessly integrate swap.
revealing details of user activity, such as web browsing, command Unlike page smearing directly in RAM, smear related to page file
line activity, DNS requests and responses, and email activity that is acquisition occurs only through the operation handlers for reading
often crucial to investigations. Demand paging causes its own is- and writing to the swap file. If an acquisition tool were to monitor
sues as many pages of the running executable and its shared li- these operations, it could then decide to passively or actively ac-
braries (DLLs) will be on disk and not in memory. This can prevent count for pages coming in and out of the swap file as acquisition
complete binary analysis of components that may have malicious occurs.
functionality or that have been a victim of code injection. In passive mode, the acquisition driver could monitor reads and
writes to the page file and record the physical offsets on which they
Issues and limitations occurred. This monitoring would start from when the driver is
The seemingly obvious solution to the issues of page swapping loaded until both volatile memory and the page file(s) from disk
and demand paging is for the memory acquisition tool to first ac- were acquired. The set of pages affected by swapping could then be
quire memory and then acquire the page file(s) along with any stored in metadata associated with the capture. Memory analysis
actively referenced files in the file system. Unfortunately, applying tools that integrated swap file analysis could then leverage this
this approach to real world investigations is not as easy as it seems. metadata to ignore regions that changed. This would effectively
To begin with, as mentioned previously, acquisition tools do not stop smeared pages from being incorporated into analysis results.
currently handle page smearing in main memory. This problem is In active mode, the acquisition driver could go a step further and
only multiplied then when applied to acquisition of the page file. instead of simply recording which pages are being smeared, it could
Just as page table entries and contents in main memory can be also read the data currently in the swapped position before
smeared, so can entries in the paging file. In fact, the entries are allowing it to be overwritten. The memory acquisition tool could
usually further smeared as the page file is acquired after memory then write the recovered data into a separate store along with
acquisition is finished in order to follow the Order of Volatility metadata describing its physical offset. Memory analysis tools
(Farmer and Venema, 2005). This acquisition flow nearly guaran- would then read the list of pages that were affected by smear and
tees that pages in the swap file will have changed from when the substitute in the recovered data on reads to the affected offsets.
page tables that describe the swap file contents were acquired. The With flexible memory analysis frameworks, such as Volatility, this
increase in RAM of common systems exacerbates this problem as would be a minor update to how address translation already occurs.
Windows creates paging files whose size is related to the size of This process of saving pages before they are overwritten and
Please cite this article in press as: Case, A., Richard, III, G.G., Memory forensics: The path forward, Digital Investigation (2016), http://dx.doi.org/
10.1016/j.diin.2016.12.004
4 A. Case, G.G. Richard III / Digital Investigation xxx (2016) 1e11
incorporating them into analysis would remove the effects of purpose is to protect critical components of the operating system
pagefile-based smearing. from tampering by malware. It accomplishes this protection by
transparently running the user-facing operating system inside of a
Current issue e changes to Windows hibernation file analysis virtual machine guest. The hypervisor host, which the user has no
access to, then protects memory of critical processes, such as LSASS,
Current state as well as monitors for malicious changes to the system, such as
System hibernation is the process of a computer suspending it- malware overwriting core kernel components. Even kernel-level
self in a manner that allows the user's session to be resumed quickly malware will be defenseless against these protections as the se-
but without requiring power between uses. During the hibernation curity code is running in an isolated environment with higher
process, the operating system writes a complete capture of RAM to privileges. This is in sharp contrast to the traditional arms race
the local file system in order to allow for a full power down. This is between kernel-level malware and kernel-level security agents
contrast to system ‘sleep’ modes, which put the system into a low that both ran within the same security boundary. The implications
power mode that maintains the state of system RAM. for memory acquisition are that without a break out of virtualiza-
Since Windows XP, memory forensic analysts have leveraged tion exploit, only the memory of the guest VM can be acquired and
the contents of RAM written during to disk during hibernation, significant portions of the operating system's state are inaccessible
referred to as ‘hibernation files’, in order to acquire a historical to acquisition tools.
capture of memory. Analysis of these files was initially made
possible due to research performed by Matthe Suiche and pre- Swapfile.sys. The next major change involves the addition of a new
sented at Black Hat 2008 (Suiche, 2008). virtual memory file, swapfile.sys (Geek, 2015). This file was created
to handle swapping of Microsoft's new style of applications, now
Issues and limitations referred to as “Universal Windows Platform Apps”, but also as
Beginning with Windows 8, Microsoft substantially changed “Windows Store Apps”, “Metro Apps”, and “Windows Modern
both the on-disk format of hibernation files as well as the opera- Apps”. With this new swapping strategy, instead of individual
tions performed upon it during system resume. Before Windows 8, pages from a Metro App being swapped out into pagefile.sys, the
after the system resumed, the only data modified in the hibernation entire working set of the application is written into a new file,
file was the header. This allowed memory analysis tools to fully swapfile.sys. In Windows terminology, an application's working set
analyze the RAM contents contained within the file. Starting with is all of the addressable pages that a process currently has assigned
Windows 8, however, this procedure is modified and the header is to its address space.
left in-tact, but the rest of file's contents is overwritten with zeros
(Sylve et al., 2016). This makes analysis of hibernation files from Universal and Metro Apps. New Metro Apps not only introduced
running systems impossible on modern Windows versions. changes related to swapping of virtual memory, but they also
introduce a rich set of new APIs that allow for interacting with
Future directions touch screens and other peripherals that are not present on tradi-
Because the hibernation file is zeroed when the system boots, tional devices (MSDN, 2016a). These new APIs allow for legitimate
there is little that can be done during acquisition or analysis to applications to monitor a wide range of user behavior and hard-
recover memory artifacts from hibernation files acquired from live ware interactions in order to respond to such events.
Windows systems running Windows 8 or later. Instead, we propose
that live acquisition scripts and procedures be altered to exclude Future directions
acquisition of these files. This will substantially speed up the All of the discussed Windows 10 changes necessitate research in
acquisition process as Windows hibernation files are of roughly the order for memory forensic analysts to have a full understanding of
same size as the amount of RAM installed. Avoiding analysis of an investigated system's state as well as to understand how mal-
these files will also prevent wasted analyst time and effort. ware may abuse these new features.
Furthermore, we suggest that developers of memory analysis tools
and frameworks provide end-users with explicit warning messages Device Guard. While Device Guard's security enhancements will
when users try to analyze hibernation files from such systems. This prevent traditional malware from accomplishing its goals, it also
will again prevent analysts wasting time trying to troubleshoot presents a major stumbling block for analysts. Since memory
their tools and contacting support for clarification. acquisition tools run inside the protected guest, analysts have no
insight into what occurs at the hypervisor level or inside the
Current issue e Windows 10 guest(s) that the hypervisor creates in order to run the security
monitors. It seems inevitable that sophisticated attackers will
Current state escape this guest virtual machine into the hypervisor, and at the
In addition to the changes in hibernation analysis, Windows 10 current time, forensic investigators will have no means to track this
also introduced several other features that affect memory forensics. activity.
This section focuses on issues that currently are under-researched
or for which no public research exists. Due to the rapid adoption Swapfile.sys. The addition of a new file that contains swapped
of Windows 10 throughout corporate enterprises, it is vital that the virtual memory compounds the issues described previously in
digital forensics community better understand this new operating regards to smear and file acquisition. Furthermore, this new file
system and proper memory forensic approaches applicable to it. will necessitate changes to how analysts approach analysis of
swapped data. Currently, many analysts are trained to analyze
Issues and limitations pagefile.sys in order to find records of user and other system ac-
There are currently at least two areas where further research for tivity. With the addition of swapfile.sys, it appears as if all of the
Windows 10 acquisition is needed. pages belonging to processes will instead be stored in a separate
source. Considering that common applications, such as browsers,
Device Guard. The first, Device Guard (Device guard deployment document viewers and editors, and chat applications are all being
guide, 2016), is a major architectural change to Windows whose moved to the universal platform, it is reasonable to assume that
Please cite this article in press as: Case, A., Richard, III, G.G., Memory forensics: The path forward, Digital Investigation (2016), http://dx.doi.org/
10.1016/j.diin.2016.12.004
A. Case, G.G. Richard III / Digital Investigation xxx (2016) 1e11 5
substantial amounts of valuable data will no longer be in also require loading a separate tool to uniquely identify the version.
pagefile.sys. Second, the identified kernel module must be obtained. In a situ-
ation where the entire database isn't mirrored to the investigator,
Universal and Metro Apps. While the introduction of the new Metro such as in the Second Look approach, the individual module must
APIs and interfaces are meant for legitimate purposes, malware has then be downloaded. This shouldn't be done on the system under
historically abused such APIs for keylogging, monitoring web investigation, however, as it would be noisy and pollute data.
cameras and microphones, and a wide range of other nefarious Instead, a second system must be used to download the module
purposes (Ligh, 2012). We expect that malware authors will begin and then it could be transferred to the system in question. Only
to adopt their toolkits to these new APIs as they are not currently after these steps could acquisition begin. This process has several
monitored by endpoint agents and memory forensics toolkits. significant disadvantages, including 1) it assumes the investigators
Monitoring of these interfaces will require research and develop- are in an environment where Internet connectivity is allowed 2)
ment time by forensics tool developers, which gives attackers a gap this process does not scale, as it requires manual intervention and
in time in which to operate undetected. 3) the time between system version identification and acquisition
starting leaves a time gap for attackers to take notice and act.
Linux and Android acquisition
Leveraging existing kernel modules. A unique approach to avoiding
Current state the need for a new kernel acquisition model for every kernel
Linux and Android systems present unique memory forensic version was presented in Stüttgen and Cohen (2014). In this paper,
challenges. Unlike Windows and Mac OS X, where a memory the issues with building a kernel module for every kernel were
acquisition kernel driver can be compiled for a broad range of discussed, along with how the kernel verifies that a module to be
kernel versions, Linux kernel modules need to be compiled for loaded matches the running the kernel. The paper then discusses
every version and subversion of the kernel. This close dependency how, in order to bypass this check and still keep the system stable, a
on specific kernel versions combined with the speed of kernel copy of an existing kernel module is infected with the acquisition
development and the number of distributions, such as Ubuntu, algorithm. This allows memory acquisition code to be loaded into
Debian, RedHat, CentOS, and OpenSuSe, leads to a situation where the kernel, since the existing module will have the correct metadata
complete Linux version support would encompass thousands of to pass the version check and also for acquisition to be in a kernel
kernel modules. Creating and maintaining such a database requires version independent manner.
dedicated support by a team of engineers as well as automation of This approach has disadvantages as well, however. As described
checking for new updates and building of new operating system in detail in the paper, in order for the acquisition process to remain
version kernel modules. There is also a considerable amount of stable, the injected acquisition algorithm is extremely simple.
monetary and infrastructure needs to host the database of profiles Simplicity is necessary to avoid leveraging APIs or using data
online in a world wide accessible manner. structures whose implementation or layout changes between ver-
There are currently no open source projects that dedicate this sions. The algorithm works by creating a character device, which
amount of effort to a database of Linux profiles. On the commercial makes the driver's functionality available to userland, implement-
side, Threat Protection for Linux (Garner, 2016), formerly known as ing the read handler of the device driver so that the userland
Second Look, maintains a database of thousands of kernel modules component can read from it, and implementing a page remapping
and profiles. This database is only made available to customers and algorithm in order to allow physical memory to be read by
requires a mix of engineers and automated processing to keep up- userland.
to-date. In contrast to this approach is the one used by LiME (Sylve et al.,
2012), the most widely used acquisition tool for Linux. LiME pro-
Issues and limitations vides a rich set of capabilities, such as the ability to write to local
Leveraging a kernel module database. While useful in many in- disk or over the network. LiME is also unique in that it performs
stances, the dependency of a memory analysis tool or framework acquisition directly from the kernel. As shown in Sylve et al. (2012),
on a database of all existing kernel modules has several short- acquiring memory directly from the kernel, and as a result
comings. The first is that this database must be constantly updated. bypassing the need for thousands of context switches, leads to
While it may be possible for a vendor to keep such a database up- memory captures with a substantially larger percentage of the
to-date, it is often difficult for users of the associated tool to stay in original data versus approaches that acquire through kernel-to-
sync with the updates. The most common issue is that many userland facilities.
forensic systems are permanently disconnected from the Internet LiME is not a perfect solution, however, as it requires its kernel
to avoid leakage of evidence. This makes updating systems a module to be built for every version of the Linux kernel. Also, there
manual process, which usually involves burning CDs/DVDs and are features missing that mature memory acquisition tools provide,
then transferring them, and few investigators will want to perform such as file compression and over-the-network encryption, which
this process on a daily or weekly basis. would be difficult and error prone to implement in the kernel. This
The second issue with this approach is that there is no fallback means that LiME would likely have to be redesigned to support
for systems running custom compiled kernels. While generally userland facilities where such operations are straightforward. This
thought of as something only done by enthusiasts, these custom would negatively affect its ability to acquire nearly pristine copies
kernels are increasingly found in the field as vendors create kernels of memory.
for highly specific use cases such as single purpose hardware de-
vices as well as high performance systems. Leveraging /proc/kcore. The loss of /dev/mem led many in the digital
The last issue is that it is not usable in incident response sce- forensics community to assume that all future acquisitions of Linux
narios where the kernel versions of the systems to be acquired memory would require kernel drivers. This led to the development
unknown. To leverage the database during these scenarios, a few of tools based on kernel modules, such as fmem (niekt0 and fmem,
steps must occur before acquisition can actually begin. First, the 2011) and LiME. This assumption is not entirely valid, as /proc/kcore
correct kernel module must be identified. This would ideally be still exposes the kernel's virtual memory space. First discussed in a
done via an invocation of uname -a by the investigator, but might digital forensics context by Burdach (2006) in 2006, on 64-bit
Please cite this article in press as: Case, A., Richard, III, G.G., Memory forensics: The path forward, Digital Investigation (2016), http://dx.doi.org/
10.1016/j.diin.2016.12.004
6 A. Case, G.G. Richard III / Digital Investigation xxx (2016) 1e11
systems /proc/kcore allows full memory acquisition as the entire support the needs of both acquisition and analysis tools, but will
physical address space of the system is mapped into virtual mem- require partners across industry in order for such an effort to be
ory. This is not possible on 32-bit systems due to virtual address sustainable.
space size constraints. For Android analysis, the reliance on full physical memory
As with other solutions, /proc/kcore does not solve the issues on dumps may need to be reevaluated due to the difficulty in obtaining
its own. It is limited to only 64-bit systems and furthermore, its them. As discussed in Ali-Gombe (2012), there is great value in even
presence on a system is dependent on an optional kernel configu- userland memory dumps that contain all of the data accessible to a
ration option. We have encountered systems both with and without process. Particularly for law enforcement investigations, such data
/proc/kcore's existence. The /proc/kcore interface also suffers from will include passwords, emails, browsing history, chat messages,
the same issues with page mapping, remapping and unmapping as call logs, and more. Userland analysis will put malware in-
other interfaces like /dev/mem, which can result in kernel instability vestigators at a disadvantage, however, as any type of sophisticated
during memory acquisition on multicore/multi-CPU systems. userland or kernel-level malware will not be detected by such
approaches.
Avoiding acquisition modules hinders structured analysis. The para-
site module and /proc/kcore approaches to memory acquisition both Area of focus e memory analysis
rely on methods that avoid the creation of kernel modules specific
to each kernel version. While these techniques allow for acquisition Historical approaches to memory analysis
from a wide range of systems, they also push the kernel version
issue into the analysis phase. Memory analysis started in the early 2000s when digital
In order for memory analysis tools to process Linux memory forensic investigators realized that they could acquire memory
images, they must know the address of key symbols as well as the directly from a running system through previously available in-
layout of data structures. This is also the exact information needed terfaces. At the time, there were both rootkits that were difficult or
to create kernel modules that can load against a running system. By impossible to detect on a running system as well as anti-forensics
skipping the gathering of this information during acquisition, the techniques that could fool live analysis tools. At this stage in the
work is passed onto the investigator performing analysis. If the history of memory forensics, however, there were no mature
investigator cannot create a profile, then he must fall back to un- frameworks for performing memory analysis, and instead, in-
structured analysis (strings, grep, etc.) and forego the true power of vestigators had to rely on tools, such as strings, grep, and hex edi-
memory forensics. tors in order to find data of interest. This technique is now referred
to as ‘unstructured analysis’ as it simply treats a memory capture as
Android acquisition. Attempting to acquire memory from Android a raw stream of bytes. Unstructured analysis still has its uses, such
devices entails all of the previously described problems with Linux as when searching for strings generated by user activity or for
acquisition along with several additional ones. passwords and encryption keys, but thorough investigations
The issues facing Android memory acquisition include: require structured analysis.
In early 2005, DFRWS released their annual challenge. This
The inability to bypass locked screens challenge required investigators to perform thorough analysis of a
The need to root the device without rebooting the phone Windows memory sample. This led to the creation of several
The need to gather the kernel headers and configuration for the memory analysis tools, including KntTools (Garner, 2005), Moon-
phone, for which vendors are incredibly slow to produce and Sols (Suiche, 2007), the FATKit (Petroni et al., 2006), VolaTools
often never produce at all (Walters and Petroni, 2007), and Volatility (The volatility
The lack of /proc/kcore functionality, as most of the millions of framework, 2016). In the years since, several powerful open
Android devices are on the 32-bit ARM platform source frameworks as well as commercial analysis tools have been
The optional presence of /dev/mem, and in the authors' testing, developed. There have also been numerous academic papers and
attempting to read from /dev/mem on Android devices always industry conference presentations that extend memory forensic
resets the phone. A valid memory capture has never been ob- capabilities related to malware detection, defeating anti-forensics,
tained in this manner, in our experience. tracking user and attacker activity, and more.
In the following sections we discuss where these efforts have
€chter
These problems are described in even greater detail in Wa taken memory forensics investigators and where further work is
and Gruhn (2015) where the researchers attempted to acquire needed to ensure that memory analysis remains an integral part of
memory from common Android devices in their stock configura- digital forensics and incident response processes.
tion. These tests mimicked scenarios encountered in the wild, and
the paper details each step taken and where the procedures failed Current issue e userland platform analysis
or succeeded. The community has struggled with these problems
with Android analysis for several years, but no solution has been Current state
discovered (masdif, 2014). The threat of rootkits and the inability to detect them on live
systems has led to a substantial amount of memory forensics
Future directions research time being geared towards detecting system state
The use of the parasite method and of /proc/kcore simply push anomalies in kernel memory. At the same time as this research
the issue of kernel version independence on the analysis tool and was taking place, operating system vendors also took action
forensic analyst. Linux memory analysis tools are highly dependent against kernel rootkits. To start, both Microsoft and Apple decided
on per-version information and no research effort to date has to enforce that all kernel drivers must be signed (Case and
successfully made them less dependent across a wide variety of Richard, 2016). This raises the bar for malicious actors as they
systems. We feel that the most robust solution to this problem will must steal code-signing certificates from legitimate entities in
be a database of information about a wide range of systems that is order to get their driver loaded. While there are examples of
kept up-to-date, publicly available, and seamlessly supports inci- suspected nation-state actors and criminal groups performing
dent response in unknown environments. This system would this task (http, 2016b; https, 2016c; http, 2016a) this is not
Please cite this article in press as: Case, A., Richard, III, G.G., Memory forensics: The path forward, Digital Investigation (2016), http://dx.doi.org/
10.1016/j.diin.2016.12.004
A. Case, G.G. Richard III / Digital Investigation xxx (2016) 1e11 7
something that less skilled attackers will be capable of reside only in memory. Current capabilities against Powershell
accomplishing. generally rely on string searching or looking for side-effects of the
Microsoft also went a step further than Apple and implemented actions taken by Powershell scripts and not the actual Powershell
Kernel Patch Protection, which is commonly referred to as Patch activity itself.
Guard (Kernel patch protection, 2016). This protection mechanism Another important area in which further research is required is
operates from the kernel and protects kernel code from being post-mortem examination of the .NET runtime inside process
modified as well as protects key data structures from being address spaces. .NET malware has already been found in numerous
tampered with, such as the process list, callback handlers, and real world attacks and malicious campaigns (SecureList, 2015;
driver objects (Ionescu, 2015). Cisco, 2014; MalwareBytes, 2016), but there are currently no
memory forensic capabilities to detect such activity. Besides the
The rise of userland malware. The inability for malware authors to malware found in the wild that abused .NET, there are also several
easily load their rootkits into the kernel has led to a surge in open research projects that document the malicious activity. For
userland-based malware. Malware written to run in process example, the NTCore project has a detailed article on how code
memory has many of the same capabilities as kernel level malware, hooking and filtering can be performed at runtime (NTCore, 2016).
but is easier to write and does not require its code to be signed. .NET also provides runtime function overriding. Function over-
Even without kernel access, userland malware can still spy on all of riding allows for malicious code to substitute the legitimate
a user's activities, such as logging keystrokes, monitoring web handler of functions calls with a malware-controlled imple-
cameras and microphones, stealing browser history, contact lists, mentation. This provides for a wide range of abuse as all APIs can be
chat conversations, and more and then exfiltrating stolen data over filtered, monitored, or completely replaced. There are currently no
the network. Userland malware can also be extremely hard to memory forensic capabilities that specifically check for .NET run-
detect on the live system as it has the access necessary to hook the time manipulation by malware.
APIs that live tools rely on in order to gather a view of a system's
runtime state. Mac OS X. Apple provides two runtimes to allow developers simple
and standard access to a wide range of system resources, including
Current capabilities. The threat of userland malware necessitates memory management, hardware devices, user and GUI activity, and
that memory forensic frameworks provide robust detection capa- more. The first of these runtimes, Objective-C, is widely used
bilities against the malicious activity. Currently, these tools have throughout the operating system, and is heavily targeted by mal-
strong capabilities in detecting traditional userland malware ware. As discussed in a recent DFRWS paper (Case and Richard,
techniques, such as code injection, code modifications (inline 2016), the notorious Crisis malware abused Objective-C in order
hooks, API hooks, etc.) and manipulation of the runtime loader, to monitor user's browser activity, log system wide keystrokes,
such as IAT/EAT patching on Windows, GOT/PLT patching on Linux, activate the microphone and webcam, and to hide from live anal-
and so on (Ligh et al., 2014). There is also strong support on Win- ysis. The main method that Crisis employed was runtime method
dows for abuse of APIs through the native Windows GUI APIs swizzling, which is the ability for code to replace method imple-
(Omfw, 2012). mentations at runtime. Crisis abused this feature to allow its own
malicious handlers to spy on and manipulate data that was being
Issues and limitations processed by applications.
While memory forensic frameworks do provide the previously The previously referenced research provides the ability to detect
listed capabilities against userland malware, there is still much Objective-C abuses, but was heavily targeted towards the 10.9 and
more work left to be done. In particular, memory forensic does not 10.10 versions of OS X. Furthermore, this work is heavily dependent
provide deep coverage of the many userland runtime platforms on the version of Objective-C being analyzed, much like memory
provided by each operating system in order to make development analysis tools are dependent on versions of the operating system. In
simpler and more standardized. Unfortunately, these platforms are order for this work to become widely usable throughout the field, it
already being abused by malware in order to maintain functionality must be extended to more versions of OS X.
without leveraging the operating system components traditionally The second Apple-provided runtime platform is Swift (Apple,
checked by security agents and memory forensics tools. This leads 2016). This platform is meant to replace Objective-C in the future,
to a lack of detection capabilities as the malware is operating higher but they are currently implemented in parallel. Unlike Objective-C,
in the application stack than the memory analysis algorithms know there are currently no memory forensics capabilities targeted to-
how to inspect. For the remainder of this section, we will discuss wards Swift, leaving malware free to operate undetected.
each of these platforms, along with the existing state of research,
if any. Linux. While Linux is generally used from the command line, such
as through SSH, there are specific engineering fields and companies
Windows. Memory forensics is currently lacking in two key areas that rely heavily on the Linux desktop. This is particularly true for
for Windows systems. The first is the ability to detect Powershell the many organizations that leverage high performance applica-
activity in a post mortem investigation. As discussed in a recent tions for processing tasks related to video editing, engineering, and
Symantec report, Powershell is a key component of modern attacks, statistics. Crisis, along with several other malware samples found
particularly those by sophisticated actors (The increased use of the wild, target the Linux graphical runtime, XOrg, to spy on user
powershell in attacks, 2016). Beyond private toolsets, there are activity. As with Swift and .NET, there is currently no memory
also open source projects, such as Powershell Empire (Powershell forensic capability to examine or detect this activity.
empire, 2016), that allow for pure Powershell post-exploitation
control of systems. Empire performs all of its Powershell work Android. Android applications, such as those downloaded from the
completely in-memory, without actually executing power- Play Store, are powered by the Android runtime. On older versions
shell.exe on disk, and supports keylogging, credential theft, of Android, this runtime was Dalvik, and provided a Java-like
lateral movement, and more. As the prevalence of Powershell interface to develop applications. Memory forensics researchers
grows, the memory forensics community must respond to its ca- implemented deep memory analysis capabilities against Dalvik
pabilities, particularly given how many of the malicious scripts (Case; Macht, 2012). These capabilities included recovery of all
Please cite this article in press as: Case, A., Richard, III, G.G., Memory forensics: The path forward, Digital Investigation (2016), http://dx.doi.org/
10.1016/j.diin.2016.12.004
8 A. Case, G.G. Richard III / Digital Investigation xxx (2016) 1e11
loaded runtime classes, the name, type, and value of all static and that recover information from Notepad, Notes, Pidgin/Adium, and
class variables of each class instance, and the handler address of the Calendar application. While these are all useful, they represent
class methods. Leveraging this data, investigators were quickly able a small percentage of applications that hold forensic value. In the
to deal with packed malware, as the unpacked values would be in following sections we describe other applications and services for
memory, as well as quickly being able to focus on key features of which investigations would greatly benefit from structured
the malware. The main downside to this research is that it was analysis.
difficult to use across a wide range of phones due to the data
structures being highly dependent on the Dalvik version as well as Web browsers and browser activity. Although disk forensics of
general Android acquisition issues as described previously. browser activity can often recover detailed information about a
The research performed against Dalvik, while novel, has quickly user's previous browsing activity, it often still leaves much to be
becoming outdated as Dalvik is being replaced with a new Android desired. Particularly with the rise of HTTPS across websites, which
Runtime (ART) (Android, 2016). ART changes the Dalvik method of prevents caching of files to disk, investigators are often left with
JIT-based compilation with full compilation of applications as they only partial pictures of a user's historical behavior. For instance,
are installed on the device. This replaces the generally easy to when tracking data exfiltration, an investigator may be able to see
reverse engineer Dalvik classes with native code compiled to ELF that a person browsed to Dropbox or accessed his Gmail account,
binaries. It also considerably changes how memory forensic anal- but due to HTTPS, will be unable to determine what data was
ysis would approach the platform, and to date there has been no actually transferred when relying solely on disk forensics. With
public memory analysis research against ART. memory forensics this changes though as fragments of the session
will still be in memory. In real-world cases this has led to recovery
Future directions of the name and full path of files recovered, and in the case of
The increasing prevalence and power of userland malware re- smaller files, complete recovery of the file itself.
quires attention by the memory forensics community. The runtime A similar pain point is determining what data a user sent to web
platforms that are implemented across operating systems are applications. Inside corporations, internal applications maintain
fertile grounds for malware as the platforms have complete control highly sensitive information about employees and the company
over the runtime and there are few security tools that adequately itself. These applications are a prime target for malicious insiders,
check for malware tampering. but unfortunately web servers rarely store data sent through the
We advise that memory forensics research projects that target POST HTTP method. Since all sensitive data is sent through this
these platforms do so in a manner that will discover a range of method, as opposed to GET, which makes data appear in the URL,
malware tampering and also support a wide range of OS versions. important information is missed by investigators. With memory
This process can be time consuming and difficult, however, as many forensics techniques, this data can often be recovered and associ-
of the platforms are fully closed source or at least partially closed ated with specific web browser processes and user accounts.
source, which requires an experienced reverse engineer to perform This type of analysis currently requires an investigator to be
the initial analysis. highly familiar with HTTP and the furthermore, the investigator
must manually analyze available evidence using strings and grep
Current issue e application specific analysis output to piece things together. The addition of automatic extrac-
tion of this information would be of tremendous value to
Current state investigators.
Memory forensics was traditionally used only during malware
analysis or in incident response when malware or advanced at- Office applications. Microsoft Office is installed on nearly every
tackers were present. This has quickly changed over the last several corporate end-user system, but there is currently no memory
years as investigators have realized the value of memory forensics forensic support specific to this suite of applications. Analysis of
during all types of investigations. This includes investigations tar- Office activity is relevant to both insider threat investigations as
geting rogue insiders, anti-forensic applications, and during civil well as malware investigations stemming from attacker's use of
and criminal proceedings involving electronic devices. In many of malicious documents. On the insider threat side, being able to
these cases, memory forensics techniques are able to recover in- determine the contents of documents viewed by users would be of
formation that is not available to network or disk forensics. This tremendous value. Many times in these scenarios the investigator
occurs with browsers that implement ‘private browsing’, wherein has proof that a user viewed a specific document, based on its file
many common artifacts are not written to disk, chat applications path recovered from LNK files, jumplist databases, and the registry,
that implement end-to-end encryption and disable on-disk log- but the viewed file has since been deleted. This often stems from
ging, such as Pidgin and Adium, and volume and file encryption rogue insiders who download many documents from across the
tools that encrypt all information written to local storage. Memory network, view them to look for relevant information, exfiltrate
forensics can assist in these situations since application informa- them if interesting, and then delete them locally afterwards. In
tion that is written in encrypted form to the local disk or the order to definitively prove which documents a user was viewing,
network is stored in cleartext while in memory for processing. the investigator will often attempt to tie back file contents to files
While highly useful, much of this information recovery is left to across the network. While this can be done through deleted file
manual analysis, such as through examination of strings, by the recovery, this process can be extremely time consuming given how
investigator. We propose that to help scale investigations and to many Office documents will appear on the storage devices of an
ensure that all artifacts are recovered, that memory forensic average corporate user. Leveraging memory forensics features
frameworks begin to deeply analyze application artifacts in a specific to Office analysis could greatly enhance this process.
structured manner. On the malware side, the use of malicious macros and VBA
scripts has quickly returned to real world attacks (Volexity, 2016).
Issues and limitations Sending malicious documents through email or other means is a
Memory analysis frameworks currently implement few quick way for attackers to target specific users and the general lack
application-specific analysis plugins. The Volatility framework has of security conscious behavior by non-technical end users means
the most, but only implements a handful of these, such as plugins that the attacks have a high chance of succeeding. Memory
Please cite this article in press as: Case, A., Richard, III, G.G., Memory forensics: The path forward, Digital Investigation (2016), http://dx.doi.org/
10.1016/j.diin.2016.12.004
A. Case, G.G. Richard III / Digital Investigation xxx (2016) 1e11 9
forensics is currently only able to recover side effect activity of Issues and limitations
malicious documents, such as if the payload injects code into Swapped pages being in memory alleviates the issue of pagefile
another process, but is not able to detect the malicious documents collection as discussed previously, but also introduces additional
themselves. complications. To start, data being compressed in-memory means
that it will not be discoverable by unstructured methods such as
Web servers. Investigations of attacks through web servers and strings, grep, and Yara scans. These methods are still heavily relied
services are often very frustrating. The only user-controlled data upon by investigators to recover information that cannot auto-
that web servers are capable of logging is the data passed through matically be recovered in a structured manner.
GET requests, which is data visible in the URL. As mentioned pre- The other issue is that no memory forensics framework
viously, any sensitive data is instead passed through POST, which is currently implements transparent handling of compressed swap
not logged by default and usually not logged at all. This leaves in- pages. The referenced research implemented decompression ca-
vestigators in frustrating situations in which they are attempting to pabilities for certain Linux and Mac Volatility plugins, but this
determine when attackers initially gained access to the system or only applied to particular portions of the framework. With the
what commands were sent to a web-based backdoor, but none of ongoing development of Volatility 3, and the easy incorporation of
the relevant data is logged. secondary memory sources, the integration of these swap sources
Memory forensics is often useful in these situations as the should occur, but in the meantime investigations are missing ar-
remnants of data from the malicious interactions will often still be tifacts from the compressed stores. As the success of these stores
stored in memory. This is true even of the unencrypted buffers of was realized on Mac and Linux, Microsoft decided to implement
HTTPS connections that would be fully encrypted on the network. the functionality starting in Windows 10 (WindowsITPro, 2016).
Again, however, memory forensic frameworks currently leave re- There is currently no research that documents the algorithms
covery of such data to the investigator and do not attempt to used by this compressed store, which means that the
automatically extract such records even though they can be of high compressed pages are essentially inaccessible to memory foren-
value. sics investigators.
Future directions
Database servers. Investigations involving access to sensitive da-
The heavily reliance of OS X, and now Windows, on in-memory
tabases by attackers often face the same roadblocks as those
compressed stores means that memory forensics frameworks must
associated with investigating web browsers and web servers.
incorporate them into their page translation algorithms. Just as
Database servers only log diagnostic and authentication informa-
these frameworks must be adapted to read page files from disk in a
tion to disk, which leads to an incomplete picture of activity.
transparent manner, they must also be able to recognize when
Memory analysis can recover a plethora of data, including queries
pages are compressed and then decompress them transparently for
executed, results returned by queries, commands executed through
analysis. Only then will the full range of information stored
functionality such as xp_cmdshell of MSSQL, and more. The diffi-
in memory become available. This will also allow traditional
culty is that with current generation tools, this work must be per-
unstructured analysis to become fully usable again as the frame-
formed through unstructured analysis. With further research this
work can extract and present the decompressed pages to the
data could be automatically extracted. For example, with MSSQL
investigator.
views, which are memory-only tables, a wide range of information,
such as which user accounts authenticated, which queries were run
Current issue e Windows 10
by which user, as well as a full list of all queries executed against the
running database are available (Fowler, 2007). Memory forensics
Current state
frameworks that implement recovery of this information in a
Windows 10 not only changes approaches related to memory
structured manner will provide rapid recovery of highly actionable
acquisition, but also has effects on memory analysis. Based on
artifacts.
current research, these include the introduction of native Linux
support as well as changes to operating system update cycles.
Future directions
For memory forensics to be useful across all types of in- Issues and limitations
vestigations and investigative scenarios, research must be per-
formed that targets specific userland applications and the data they Native Linux
process. Current approaches to analysis of such data do not scale Starting with Windows 10, Microsoft introduced a native
and are not easily repeatable, as they rely on a mix of manual capability to run Linux applications inside of Windows (MSDN,
extraction and examination of strings and the knowledge and skills 2016b). There is currently no forensics-oriented research on this
of the investigator. new feature, but noted security researcher Alex Ionescu has pre-
sented extensive research on this topic. His work was mostly
Current issue e compressed, in-memory swap focused on the architecture itself and how it appears on the live
system, but this a foundation on which future forensics research
Current state could be performed.
The importance of the integration of swap data into memory
analysis has been discussed several times throughout this paper. Rapid kernel updates
In those instances, the discussion focused on the integration of Microsoft traditionally saved major updates to the operating
swap from disk, but in modern operating system versions there is system for service packs. This model has changed though in order
also a separate store of swap in memory. First discussed in a fo- for Microsoft to more quickly respond to security issues as well as
rensics context in Case and Richard (2014), these in-memory adding features. This new approach to updates affects Windows 7,
stores of swapped pages are highly compressed and provide a 8, and 10, but most heavily affects Windows 10. The rapid devel-
substantial performance improvement versus pages being written opment of changes, sometimes in less than a week between re-
out to disk. leases, means that memory analysis tools must be constantly
Please cite this article in press as: Case, A., Richard, III, G.G., Memory forensics: The path forward, Digital Investigation (2016), http://dx.doi.org/
10.1016/j.diin.2016.12.004
10 A. Case, G.G. Richard III / Digital Investigation xxx (2016) 1e11
checked against the latest versions of the OS in order to detect very sensitive information. This has led to several samples of
major changes to data structures and algorithms. malware that targeted the platform (Lookout, 2016; theiphonewiki,
2016) in order to spy on user activity.
Future directions To date, there has been no public memory forensics research
published for iOS devices. The largest stumbling block to such
Native Linux research is the inability to directly acquire physical memory. Even
The introduction of Linux capabilities into Windows will require on jailbroken devices, users cannot directly load kernel modules as
substantial forensics research. Ionescu has done an excellent job of the facilities are not present in the operating system. This prevents
documenting the current implementation, but future research faces a tool, such as LiME, from being written for Apple's iOS. It is also in
a few hurdles. The first is that reverse engineering of a large sub- contrast to Android where root users are able to directly load kernel
system is required for any substantial effort. Ionescu is one of the modules.
best Windows reverse engineers in the industry, which means his Gaining kernel access to iOS devices is not impossible, as illus-
research efficiency is difficult to widely replicate. Furthermore, his trated by the number of available kernel exploits. In fact, Stefan
research notes state that the Linux implementation has seen sub- Essar, one of the most noted members of the jailbreak community,
stantial changes since its introduction, which means that any developed a hardware kernel debugger for older versions of the
research efforts may become quickly outdated until the interfaces iPhone (Esser, 2011). Leveraging exploits to enter the kernel and
and subsystem becomes more stabilized. later get a kernel module loaded seems like a plausible avenue for
memory forensics. It would still be highly dependent on the phone
Rapid kernel updates in question though as the phone would either have to already be
The introduction of rapid kernel updates changes the way that jailbroken or be vulnerable to exploits that allow for triggering of a
memory forensics tools traditionally represented the data struc- kernel vulnerability without a reboot. Furthermore, it's very likely
tures and algorithms of analyzed operating systems. For example, that any vulnerabilities exploited to allow memory acquisition will
Volatility 2.x distributes Windows profiles on service pack be quickly patched.
boundaries, such as a profile for Windows 7 service pack 1 or
Windows XP service pack 2. This model is now inadequate as Chromebooks
major changes to key data structures occur in minor releases of
the operating system. This has led to the Volatility developers Google's Chromebooks are locked down computing “appliances”
needing to generate new profiles for the subset of updates that that run a heavily customized version of Linux. Chromebooks pro-
change key data structures. This also requires the end user to pick vide no native access to the file system or to memory. For security
specific sub-versions of an operating system to obtain complete reasons, users are shielded from all parts of the operating system that
analysis. digital forensics analysts traditionally collect for analysis. As with
Other memory analysis tools, such as WinDBG (MSDN, 2016c), iOS, unless there is an exploit that allows for bypassing of the built-in
Rekall (Google, 2016), and the future Volatility 3 work around this security measures, then full forensics collection is not possible.
issue by incorporating debug symbols (PDB files) into analysis.
Incorporation of PDB files fixes the issue related to data structure The Internet of Things
mismatches between subversions, but does not automatically fix
issues when algorithms change between versions. Ongoing work The billions of devices that power the “Internet of Things” (IOT),
with Windows 10 shows that these changes occur frequently and are increasingly being used in situations that require forensic
require manual updates to the processing algorithms of memory analysis. These include devices that track information related to
analysis frameworks. civil matters as well as traditional criminal activity on top of recent
Sole reliance on PDBs also introduces practical problems with major botnet attacks (Schneier, 2016; ThreatPost, 2016). Many of
memory analysis as not all modules have PDB files, such as the these devices are built upon Linux, and due to their restrictive ac-
network stack (tcpip.sys) and the GUI subsystem (win32k.sys). cess environments and lackluster vendor support for 3rd party
These means that manual reverse engineering must still be done kernel code, it is difficult or impossible to acquire memory samples.
after updates that break existing analysis plugins. The use of PDBs is Furthermore, devices running custom operating systems and
also cumbersome to investigators who must download and main- hardware have no memory forensics support at all. As these devices
tain a set of PDBs for all analyzed systems. This is especially difficult become more and more common, the forensics community must
for investigators who work in closed environments, which is perform research to support a wide range of devices, all of which
prevalent in government organizations and also many private fo- run different operating system versions, hardware architectures,
rensics firms. and software configurations. The one thing in common with these
devices is the goal of preventing outside access. It seems likely that
Technologies without memory forensics coverage any approach to memory acquisition of IOT devices will require
chaining acquisition tools with exploits. Adoption of such an
So far, we have discussed platforms and operating systems for approach will have raise immediate legal questions about admis-
which memory forensics capabilities exist, but which require sibility as well as technical questions to ensure stable acquisition.
further work. We conclude the paper by discussing other important As with iOS devices, any vulnerabilities that can be leveraged to
systems for which memory forensics is sorely needed, but for provide memory acquisition will likely be patched.
which no physical memory analysis capabilities exist.
Closing thoughts
Apple iOS
Memory forensics has proven to be one of the most versatile and
After Android, Apple's iOS, which powers iPhones and iPads, has powerful ways to analyze computer systems. It has become a daily
the largest market share in the world. Due to its popularity and part of incident response procedures as well as the driving force
security features, it is often the platform of choice for politicians, behind proactive analysis of environments for malicious activity. In
businessmen, dignitaries, diplomats, and other people who hold this paper we discussed historical work that was performed to
Please cite this article in press as: Case, A., Richard, III, G.G., Memory forensics: The path forward, Digital Investigation (2016), http://dx.doi.org/
10.1016/j.diin.2016.12.004
A. Case, G.G. Richard III / Digital Investigation xxx (2016) 1e11 11
Please cite this article in press as: Case, A., Richard, III, G.G., Memory forensics: The path forward, Digital Investigation (2016), http://dx.doi.org/
10.1016/j.diin.2016.12.004