The acquisition of volatile memory of running systems has become a prominent and essential procedure in digital forensic analysis and incident responses. In fact, unencrypted passwords, cryptographic material, text fragments and latest-generation malware may easily be protected as encrypted blobs on persistent storage, while living seamlessly in the volatile memory of a running system. Likewise, systems' run-time information, such as open network connections, open files and running processes, are by definition live entities that can only be observed by examining the volatile memory of a running system. In this context, tampering of volatile data while an acquisition is in progress or during transfer to an external trusted entity is an ongoing issue as it may irremediably invalidate the collected evidence. To overcome such issues, we present SMMDumper, a novel technique to perform atomic acquisitions of volatile memory of running systems. SMMDumper is implemented as an x86 firmware, which leverages the System Management Mode of Intel CPUs to create a complete and reliable snapshot of the state of the system that, with a minimal hardware support, is resilient to malware attacks. To the best of our knowledge, SMMDumper is the first technique that is able to atomically acquire the whole volatile memory, overcoming the SMMimposed 4GB barrier while providing integrity guarantees and running on commodity systems. Experimental results show that the time SMMDumper requires to acquire and transfer 6GB of physical memory of a running system is reasonable to allow for a real-world adoption in digital forensic analyses and incident responses
When hardware meets software : a bulletproof solution to forensic memory acquisition / A. Reina, A. Fattori, F. Pagani, L. Cavallaro, D. Bruschi - In: ACSAC '12 : proceedings of the 28th annual Computer security applications conference / [a cura di] R.H. Zakon. - New York : Association for computing machinery, 2012 Dec. - ISBN 9781450313124. - pp. 79-88 (( Intervento presentato al 28. convegno Annual Computer security Applications Conference tenutosi a Orlando nel 2012 [10.1145/2420950.2420962].
When hardware meets software : a bulletproof solution to forensic memory acquisition
A. Reina;A. Fattori;D. Bruschi
2012
Abstract
The acquisition of volatile memory of running systems has become a prominent and essential procedure in digital forensic analysis and incident responses. In fact, unencrypted passwords, cryptographic material, text fragments and latest-generation malware may easily be protected as encrypted blobs on persistent storage, while living seamlessly in the volatile memory of a running system. Likewise, systems' run-time information, such as open network connections, open files and running processes, are by definition live entities that can only be observed by examining the volatile memory of a running system. In this context, tampering of volatile data while an acquisition is in progress or during transfer to an external trusted entity is an ongoing issue as it may irremediably invalidate the collected evidence. To overcome such issues, we present SMMDumper, a novel technique to perform atomic acquisitions of volatile memory of running systems. SMMDumper is implemented as an x86 firmware, which leverages the System Management Mode of Intel CPUs to create a complete and reliable snapshot of the state of the system that, with a minimal hardware support, is resilient to malware attacks. To the best of our knowledge, SMMDumper is the first technique that is able to atomically acquire the whole volatile memory, overcoming the SMMimposed 4GB barrier while providing integrity guarantees and running on commodity systems. Experimental results show that the time SMMDumper requires to acquire and transfer 6GB of physical memory of a running system is reasonable to allow for a real-world adoption in digital forensic analyses and incident responses
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
