Capturing RAM. Alex Applegate. Mississippi State University Digital Forensics 1

Transcription

1 Capturing RAM Alex Applegate 1

2 Overview Capture Problems Causing a Process Dump Full Manual Memory Dump Binary Block Copy Tribble Cold Boot Recovery Firewire DMA Attack 2

3 Capture Problems RAM has many pieces of important information, but is very difficult to get meaningful copies Data is very transitory, decaying in ~10ns Recent operating systems prevent direct access Data is paged into and out of memory constantly Memory sizes have increased to the point that capture takes a long time, and deep analysis is problematic When other forensic images are captured an original unmodified physical object exists RAM images are snapshots Any images captured are based on a copy, which provides its own evidentiary issues, even with hash function verification 3

4 Causing a Process Dump When fatal errors are caused in a program, the related portion of memory can be dropped into a file Limited only to the single process Cannot see into areas that the user does not have permissions Possible in some variation in all operating systems Causes a change in the state of the system 4

5 Full Manual Memory Dump Requires administrative access May not be available during corporate investigation Modifies the system state Can be difficult to associate proper user to some processes Process runs through the operating system and may not provide all data Size can make deep analysis impractical Depends on the operating system, which may be corrupted or booby trapped by malware 5

6 Binary Block Copy Uses a software tool, such as dd, win32dd, dcfldd, or commercial tools Requires modification of the system environment in RAM, and could modify the hard drive if installation is required (not recommended) Requires administrative access Captures all processes, data, unallocated areas, and RAM slack 6

7 Binary Block Copy (cont d) Slow process Memory image is as large as available RAM RAM is a file location in Linux /dev/mem process memory /dev/kmem kernel memory area Most recent versions of Linux prevent direct user access to RAM, even as root user 7

8 Block Memory Dump 8

9 Raw Data in Memory Dump 9

10 Tribble Hardware RAM capture card created by Dr. Brian Carrier and Joe Grand Logs all RAM transactions in real time from the system bus Requires no administrative access Does not change the system state Must be installed on the system beforehand 10

11 Tribble 11

12 Cold Boot Recovery First performed by team led by Princeton Univ. Applies very cold temperatures directly to RAM in order to slow data decay Liquid nitrogen experiment (-300C) retained data in RAM with almost no decay for several days Cooled RAM is removed from machine and loaded into another with a customized operating system to remove stored data Does modify the system state Not reasonably practical in most cases 12

13 Cold Boot Recovery 13

14 Firewire DMA Attack External system connects via Firewire/1394 port and copies RAM via DMA commands by masquerading as an ipod Bypasses the CPU, does not change system state Requires no user privileges Very brittle software, often results in system crash Prevented by disabling Firewire port 14

15 Firewire DMA Attack 15

16 Summary Capture Problems Causing a Process Dump Full Manual Memory Dump Binary Block Copy Tribble Cold Boot Recovery Firewire DMA Attack 16

17 Capturing RAM QUESTIONS? 17

18 REFERENCES Carrier, B.D. and J. Grand A hardwarebased memory acquisition procedure for digital investigations. Digital Investigation, vol. 1, pp