Memory Acquisition
Last updated
Last updated
Memory acquisition (also known as dumping, capturing, sampling).
copy the contents of the volatile memory to a non-volatile storage.
an important source to get a better understanding of what happened.
decision must be made about which data to collect and the best method for doing so:
methods and tools depend on the goals of the investigation and the characteristics of the system.
choosing a proper tool is important to avoid corrupt memory images, destroyed evidence, and limited if any, analysis capabilities.
Decisions to make:
remote or local – do you have physical access to the target system? Is it a server with no keyboard or monitor attached?
cost – do you have budget restrictions on the acquisition software you can buy?
file format – does your analysis tool support the file format of the acquisition tool?
CLI or GUI – do you prefer command-line or graphical user interface tools? A CLI tool might have a smaller footprint, besides you might not have a graphical engine running acquisition or runtime.
interrogation – Do you need a full physical memory dump or just the ability to determine the running processes, and network connections?
Before you acquire physical memory, you should always consider the risks.
most OSs do not provide a supported native mechanism for acquiring physical memory.
memory acquisition tools might leave the system unstable.
poorly written malware can be unstable and may behave unpredictably.
is the target a mission-critical system that can be shut down or rebooted only in extreme circumstances?
There might be circumstances in which the consequences (i.e., death, environmental damage) of destabilizing a system are never worth the risk.
Why memory acquisition can lead to system instabilities and evidence corruption?
atomicity – memory acquisition is not an atomic operation and the contents of RAM are constantly changing. During acquisition, other processes are writing memory, the kernel is adding/removing linked-list elements, network connections are being initiated or torn down, and so on.
cache coherency – processors were not designed to accommodate the simultaneous mapping of the same physical address with multiple cache attributes (non-cached, cached, write-combined). A poorly written acquisition tool can easily invalidate the very memory being acquired.
device memory – there are physical memory regions reserved for use by the firmware, by the ISA or PCI busses, or by various motherboard devices. Reading from one of these regions may alter the state of the device you are accessing.
few tools can acquire these regions with reliability and accuracy.
Choosing the proper time depends on several factors.
List of suggestions:
plan the acquisition when the suspect is online (or at least logged in), which can give you access to:
the suspect’s login session, information about cloud services, or remote storage.
and any encrypted documents that the suspect might have been viewing.
avoid the most active periods:
so that the suspect doesn’t detect your activity.
to minimize the number of anomalies you encounter when you analyze the evidence.
Local acquisition to removable media:
never dump memory to the target system’s local drives, such as the C: partition.
dumping memory to an external USB, ESATA, or Firewire drive.
the file system of the external drive must support file sizes equal to the amount of RAM (FAT32 has a limit of 4 GB).
advice:
removable media should be used only on one computer to avoid spreading malware.
wipe removable media before using (or re-using) it to acquire evidence.
do not plug possibly infected removable media directly into your forensic workstation, inspect it on another computer, then copy the evidence over an isolated network.
Runtime interrogation:
use automated tools that log all the performed steps.
Remote acquisition:
typically, the acquisition tool is pushed over the network to the target system.
the tool can run through a scheduled task or service.
the dump can be stored on a network share (last resort) or via a stream with Netcat, but this method has some risks.
administrator credentials and the contents of the target system’s RAM may be exposed.
create a temporary admin account and use an encrypted channel with a tool that supports TLS.
configure the firewall to limit the traffic between the target and the remote acquisition system.
the use of compression is recommended.