
Case A.,Digital Forensics Solutions LLC | Marziale L.,Digital Forensics Solutions LLC | Neckar C.,Neohapsis | Richard III G.G.,University of New Orleans
DFRWS 2010 Annual Conference

This paper presents the first deep investigation of the kmem-cache facility in Linux from a forensics perspective. The kmem-cache is used by the Linux kernel to quickly allocate and deallocate kernel structures associated with processes, files, and the network stack. Our focus is on deallocated information that remains in the cache and the major contribution of this paper is to illustrate what forensically relevant information can be retrieved from the kmem-cache and what information is definitively not retrievable. We show that the kmem-cache contains a wealth of digital evidence, much of which was either previously unavailable or difficult to obtain, requiring ad hoc methods for extraction. Previously executed processes, memory mappings, sent and received network packets, NAT translations, accessed file system inodes, and more can all be recovered through examination of the kmem-cache contents. We also discuss portable methods for erasing this information, to ensure that private data is no longer recoverable. © 2010 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved.
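The abstract's central observation is that a slab allocator only overwrites the bookkeeping word of a freed object, so the rest of the payload stays in the cache until the slot is reused. The following toy slab is an added illustration written for this page; it is not code from the paper or from the Linux kernel. It models a SLUB-style cache in which the free list is threaded through the first word of each free slot, carves every slot of the slab (live or freed), and shows why a memset before free is the portable erasure the abstract refers to. The object layout, field names (`pid`, `comm`) and slab size are assumptions chosen for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_OBJS  8    /* slots per toy slab (assumed) */
#define NAME_LEN 16   /* length of the name field (assumed, mirrors TASK_COMM_LEN) */

/* Stand-in for a cached kernel object; layout is an assumption for this example. */
struct fake_task {
    void    *freelist_next;   /* first word: overwritten by the allocator when freed */
    uint32_t pid;             /* survives free() untouched */
    char     comm[NAME_LEN];  /* survives free() untouched */
};

struct toy_slab {
    unsigned char mem[NR_OBJS * sizeof(struct fake_task)];
    void *freelist;           /* head of the free list, like SLUB's page->freelist */
};

/* What a carving pass reports for one slot. */
struct carved {
    uint32_t pid;
    char     comm[NAME_LEN];
    int      freed;           /* 1 if the slot was on the free list when carved */
};

static struct fake_task *slot(struct toy_slab *s, size_t i)
{
    return (struct fake_task *)(s->mem + i * sizeof(struct fake_task));
}

/* Zero the slab and thread every slot onto the free list (slot0 -> slot1 -> ...). */
void toy_slab_init(struct toy_slab *s)
{
    memset(s->mem, 0, sizeof s->mem);
    s->freelist = NULL;
    for (size_t i = NR_OBJS; i-- > 0;) {
        struct fake_task *t = slot(s, i);
        t->freelist_next = s->freelist;
        s->freelist = t;
    }
}

struct fake_task *toy_alloc(struct toy_slab *s, uint32_t pid, const char *comm)
{
    struct fake_task *t = s->freelist;
    if (!t)
        return NULL;
    s->freelist = t->freelist_next;
    t->freelist_next = NULL;
    t->pid = pid;
    strncpy(t->comm, comm, NAME_LEN - 1);
    t->comm[NAME_LEN - 1] = '\0';
    return t;
}

/* Plain free: only the first word is rewritten, so pid and comm remain recoverable. */
void toy_free(struct toy_slab *s, struct fake_task *t)
{
    t->freelist_next = s->freelist;
    s->freelist = t;
}

/* Erasing free: scrub the object before it goes back on the free list. */
void toy_free_scrubbed(struct toy_slab *s, struct fake_task *t)
{
    memset(t, 0, sizeof *t);
    toy_free(s, t);
}

static int on_freelist(const struct toy_slab *s, const struct fake_task *t)
{
    for (const struct fake_task *p = s->freelist; p; p = p->freelist_next)
        if (p == t)
            return 1;
    return 0;
}

/* Sanity check used by the carver: non-zero pid and a printable name. */
static int looks_like_task(const struct fake_task *t)
{
    if (t->pid == 0 || t->comm[0] == '\0')
        return 0;
    for (size_t i = 0; i < NAME_LEN && t->comm[i]; i++)
        if (t->comm[i] < 0x20 || t->comm[i] > 0x7e)
            return 0;
    return 1;
}

/* Walk every slot of the slab, not just the live ones, and report plausible objects.
 * Returns the number of objects written to out[]. */
size_t carve_slab(struct toy_slab *s, struct carved *out, size_t max, int include_freed)
{
    size_t n = 0;
    for (size_t i = 0; i < NR_OBJS && n < max; i++) {
        const struct fake_task *t = slot(s, i);
        int freed = on_freelist(s, t);
        if (!looks_like_task(t) || (freed && !include_freed))
            continue;
        out[n].pid = t->pid;
        memcpy(out[n].comm, t->comm, NAME_LEN);
        out[n].freed = freed;
        n++;
    }
    return n;
}

int main(void)
{
    struct toy_slab s;
    struct carved out[NR_OBJS];
    toy_slab_init(&s);
    toy_alloc(&s, 1, "bash");
    struct fake_task *b = toy_alloc(&s, 2, "ssh");
    toy_alloc(&s, 3, "nc");
    toy_free(&s, b);                       /* "ssh" exits, but its slot keeps pid and comm */
    size_t n = carve_slab(&s, out, NR_OBJS, 1);
    for (size_t i = 0; i < n; i++)
        printf("pid=%u comm=%s %s\n", out[i].pid, out[i].comm, out[i].freed ? "(freed)" : "(live)");
    return 0;
}
```

The carver deliberately ignores the allocator's own view (the free list) and instead applies a plausibility check to every slot, which is the same reason slab carving in a memory image recovers exited processes that `ps` at acquisition time would never have listed. The scrubbed free shows the flip side: once the payload is zeroed before the slot returns to the cache, the same carver finds nothing.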

Case A.,Digital Forensics Solutions LLC | Marziale L.,Digital Forensics Solutions LLC | Richard III G.G.,University of New Orleans
Digital Investigation

The role of live forensics in digital forensic investigations has become vital due to the importance of volatile data such as encryption keys, network activity, currently running processes, in-memory-only malware, and other key pieces of data that are lost when a device is powered down. While the technology to perform the first steps of a live investigation, physical memory collection and preservation, is available, the tools for completing the remaining steps remain incomplete. First-generation memory analyzers performed simple string and regular expression operations on the memory dump to locate data such as passwords, credit card numbers, fragments of chat conversations, and social security numbers. A more in-depth analysis can reveal information such as running processes, networking information, open file data, loaded kernel modules, and other critical information that can be used to gain insight into activity occurring on the machine when a memory acquisition occurred. To be useful, tools for performing this in-depth analysis must support a wide range of operating system versions with minimum configuration. Current live forensics tools are generally limited to a single kernel version, a very restricted set of closely related versions, or require substantial manual intervention. This paper describes techniques developed to allow automatic adaptation of memory analysis tools to a wide range of kernel versions. Dynamic reconstruction of kernel data structures is obtained by analyzing the memory dump for the instructions that reference needed kernel structure members. The ability to dynamically recreate C structures used within the kernel allows for a large amount of information to be obtained and processed. Currently, this capability is used within a tool called RAMPARSER that is able to simulate commands such as ps and netstat as if an investigator were sitting at the machine at the time of the memory acquisition. Other applications of the developed capabilities include kernel-level malware detection, recovery of process memory and file mappings, and other areas of forensics interest. © 2010 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved.
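The abstract states the idea behind RAMPARSER, that structure member offsets can be recovered from the kernel's own code rather than from debug symbols, without showing the mechanics. The scanner below is an added illustration written for this page, not the paper's tool: given the bytes of a function that takes a pointer to a kernel object in a known register (on x86-64 the first argument arrives in `rdi`), it decodes the `mov`/`lea` instructions that dereference that register plus a displacement and returns the displacements, which are the member offsets the function touches. The instruction bytes are constructed for this example, and the offsets `0x3c0`, `0x4d8` and `0x10` are placeholders, not real `task_struct` layout values; the decoder handles only the `8B`/`8D` opcodes with a `disp8`/`disp32` ModRM form and no SIB byte, which is enough for the illustration but not a general disassembler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed x86-64 function bytes (an assumption for this example): a function
 * that reads three members of the object whose pointer is passed in rdi. */
const uint8_t sample_code[] = {
    0x55,                                     /* push rbp                         */
    0x48, 0x89, 0xe5,                         /* mov  rbp, rsp  (no memory operand) */
    0x8b, 0x87, 0xc0, 0x03, 0x00, 0x00,       /* mov  eax, [rdi+0x3c0]  32-bit field  */
    0x48, 0x8d, 0xb7, 0xd8, 0x04, 0x00, 0x00, /* lea  rsi, [rdi+0x4d8]  array field   */
    0x48, 0x8b, 0x47, 0x10,                   /* mov  rax, [rdi+0x10]   disp8 form    */
    0x5d,                                     /* pop  rbp                         */
    0xc3,                                     /* ret                              */
};
const size_t sample_code_len = sizeof sample_code;

/* Scan code[] for "mov r, [base+disp]" (opcode 8B) and "lea r, [base+disp]"
 * (opcode 8D) where the ModRM base register is base_reg (rdi == 7) and the
 * addressing form carries a disp8 (mod == 1) or disp32 (mod == 2).
 * Each displacement found is appended to offs[]; returns how many were found.
 * Limitations, deliberate for the illustration: no SIB (rm == 4) forms, and
 * REX.B is not applied to rm, so only the low eight registers are matched. */
size_t scan_member_refs(const uint8_t *code, size_t len, unsigned base_reg,
                        int32_t *offs, size_t max)
{
    size_t n = 0, i = 0;
    while (i < len) {
        size_t p = i;
        if (code[p] >= 0x40 && code[p] <= 0x4f)      /* optional REX prefix */
            p++;
        if (p + 1 < len && (code[p] == 0x8b || code[p] == 0x8d)) {
            uint8_t modrm = code[p + 1];
            unsigned mod = modrm >> 6, rm = modrm & 7;
            if (rm == base_reg && rm != 4 && (mod == 1 || mod == 2)) {
                size_t disp_len = (mod == 1) ? 1 : 4;
                if (p + 2 + disp_len <= len) {
                    int32_t d;
                    if (mod == 1) {
                        d = (int8_t)code[p + 2];
                    } else {
                        uint32_t u = (uint32_t)code[p + 2]
                                   | ((uint32_t)code[p + 3] << 8)
                                   | ((uint32_t)code[p + 4] << 16)
                                   | ((uint32_t)code[p + 5] << 24);
                        d = (int32_t)u;
                    }
                    if (n < max)
                        offs[n++] = d;
                    i = p + 2 + disp_len;   /* skip the whole instruction */
                    continue;
                }
            }
        }
        i++;   /* no match: slide one byte (linear sweep, so false positives are possible) */
    }
    return n;
}

int main(void)
{
    int32_t offs[8];
    size_t n = scan_member_refs(sample_code, sample_code_len, 7 /* rdi */, offs, 8);
    for (size_t i = 0; i < n; i++)
        printf("member offset via rdi: 0x%x\n", (unsigned)offs[i]);
    return 0;
}
```

In practice the scanner would be pointed at a function known by its exported symbol to access one particular member (for example the code that copies a process name), so the displacement it reports can be bound to that member name and reused to walk every object of that type in the dump, regardless of which kernel build produced it. The caveat is the one the linear sweep exposes: without a real disassembler, a byte pattern inside immediate data can masquerade as an instruction, so candidate offsets need a plausibility check (alignment, a value below the expected structure size) before being trusted.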

Sylve J.,University of New Orleans | Case A.,Digital Forensics Solutions LLC | Marziale L.,Digital Forensics Solutions LLC | Richard G.G.,University of New Orleans
Digital Investigation

The Android operating system for mobile phones, which is still relatively new, is rapidly gaining market share, with dozens of smartphones and tablets either released or set to be released. In this paper, we present the first methodology and toolset for acquisition and deep analysis of volatile physical memory from Android devices. The paper discusses some of the challenges in performing Android memory acquisition, discusses our new kernel module for dumping memory, named dmd, and specifically addresses the difficulties in developing device-independent acquisition tools. Our acquisition tool supports dumping memory to either the SD card on the phone or via the network. We also present analysis of kernel structures using newly developed Volatility functionality. The results of this work illustrate the potential that deep memory analysis offers to digital forensics investigators. © 2011 Elsevier Ltd. All rights reserved.
