Memory forensics
Memory forensics is forensic analysis of a computer's memory dump. Its primary application is the investigation of advanced computer attacks that are stealthy enough to avoid leaving data on the computer's hard drive; in such cases the memory (RAM) must be analyzed for forensic information instead.
History
Zeroth generation tools
Prior to 2005, memory forensics was done on an ad-hoc basis, using generic data analysis tools like strings and grep. These tools were not created for memory forensics, so they are difficult to use for that purpose and provide limited information. In general, their primary use is to extract text from the memory dump.[1]
First generation tools
In 2005, DFRWS issued a Memory Analysis Forensics Challenge.[2] In response to this challenge, a new generation of tools, specifically designed to analyze memory dumps, was created. These tools had knowledge of the operating system's internal data structures, and were thus capable of reconstructing the operating system's process list and process information.[2]
Although intended as research tools, they proved that operating system level memory forensics is possible and practical.
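The contrast between the zeroth-generation and first-generation approaches can be shown in code. The following example is added here and is not from the original article or from any of the tools it mentions. It builds a constructed memory image containing a hypothetical, deliberately simplified process record (a 4-byte tag, pid, ppid and a fixed-size name; this is not the real _EPROCESS or any operating system's layout) and runs two analyses over it: a strings(1)-style text extraction, and a structure-aware scan that locates the tag, parses the record and rebuilds the parent/child process tree. The scan also shows why real tools sanity-check parsed fields: one stray tag followed by garbage must be rejected rather than reported as a process.

```python
import re
import struct

# Constructed toy process record; this layout is hypothetical and is NOT the
# real _EPROCESS (or any OS) structure. It exists only to show the difference
# between text extraction and structure-aware carving.
#   4-byte tag b"PROC" | u32 pid | u32 ppid | 16-byte NUL-padded name
TAG = b"PROC"
RECORD = struct.Struct("<4sII16s")
MAX_PID = 1 << 16  # sanity bound used to reject false tag hits


def make_record(pid, ppid, name):
    """Packs one toy process record."""
    return RECORD.pack(TAG, pid, ppid, name.encode("ascii").ljust(16, b"\0"))


def build_sample_image():
    """Builds a constructed memory image: three records among filler bytes,
    one stray tag followed by garbage, and an unrelated log string."""
    noise = bytes([0x00, 0x80, 0x01, 0xFF, 0x90]) * 200  # non-printable filler
    return (
        noise
        + b"kernel log: boot complete\0"
        + make_record(4, 0, "System")
        + noise[:128]
        + make_record(812, 4, "svchost.exe")
        + TAG + b"\xFF" * (RECORD.size - 4)   # tag hit that must be rejected
        + noise[:64]
        + make_record(1337, 812, "dropper.exe")
        + noise
    )


def extract_strings(image, min_len=4):
    """Zeroth-generation approach: runs of printable ASCII, like strings(1).
    Returns text only; it has no notion of which bytes belong to which structure."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


def carve_processes(image):
    """First-generation approach: find every tag, parse the structure behind
    it and keep only records whose fields pass sanity checks."""
    found = []
    pos = image.find(TAG)
    while pos != -1:
        chunk = image[pos:pos + RECORD.size]
        if len(chunk) == RECORD.size:
            _tag, pid, ppid, raw_name = RECORD.unpack(chunk)
            name = raw_name.split(b"\0", 1)[0]
            # Reject hits whose pid/ppid are implausible or whose name is not text.
            if (pid < MAX_PID and ppid < MAX_PID and name
                    and all(0x20 <= b < 0x7F for b in name)):
                found.append({"offset": pos, "pid": pid, "ppid": ppid,
                              "name": name.decode("ascii")})
        pos = image.find(TAG, pos + 1)
    return found


def process_tree(processes):
    """Rebuilds parent -> children relations from carved records."""
    tree = {}
    for proc in processes:
        tree.setdefault(proc["ppid"], []).append(proc["pid"])
    return tree


if __name__ == "__main__":
    image = build_sample_image()
    print("strings-style output:", extract_strings(image))
    procs = carve_processes(image)
    for p in procs:
        print("0x%06x pid=%-5d ppid=%-5d %s"
              % (p["offset"], p["pid"], p["ppid"], p["name"]))
    print("tree:", process_tree(procs))
```

The string extraction does surface the process names, but mixed with unrelated text and with no way to tell which name is a process, what its pid is, or who spawned it. The structure-aware scan returns each record's offset and fields and can reconstruct the process tree, which is the capability the first-generation tools introduced; the field sanity checks are what keep a stray tag hit from appearing in that tree.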
Second generation tools
Subsequently, several memory forensics tools intended for practical use were developed. These include both commercial tools like Memoryze and open source tools like Volatility. New features have been added, such as analysis of Linux and Mac OS X memory dumps, and substantial academic research has been carried out.[3][4]
Currently, memory forensics is a standard component of incident response.[5]
References
- ^ Dan Farmer and Wietse Venema. Forensic Discovery. Chapter 8.
- ^ DFRWS 2005 Forensics Challenge.
- ^ Petroni, N. L., Walters, A., Fraser, T., & Arbaugh, W. A. (2006). FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory. Digital Investigation, 3(4), 197-210.
- ^ Inoue, H., Adelstein, F., & Joyce, R. A. (2011). Visualization in testing a volatile memory forensic tool. Digital Investigation, 8, S42-S51.
- ^ SANS Institute. Memory Forensics for Incident Response.