Towards Carving-Based Post-Mortem Memory Forensics and the Applicability of Approximate Matching
Baier, Harald, Prof. Dr.
Baier, Harald, Prof. Dr.; Freiling, Felix, Prof. Dr.-Ing.
Computer forensics ; Fuzzy logic
Memory forensics is an important branch of digital forensics. Different concepts empower practitioners to perform deep analysis of potentially compromised systems by dissecting the acquired volatile memory of a target. The field mainly evolved in recent years and relies on the ambitious development of interfaces to extract and interpret structural information. In contrast, memory carving, also denoted as unstructured analysis, encompasses the extraction of artefacts or objects based on signatures or patterns. With the introduction of frameworks responsible for the complex structural interpretation of an acquired dump, researchers began to further expand the field, understandably shifting focus towards structured methodologies. Even if structured analysis undoubtedly creates the foundation for deep insights into an acquired system, the overall concept bears some pitfalls and major implementation efforts. The multilayered and complex interpretation requires much care and constant maintenance. This need has been further increased by shorter operating system release cycles. In addition, the analysis can suffer from various inconsistencies (memory smearing) in structural information, caused by the non-atomic acquisition of a running system. The degree of atomicity usually depends on the chosen method of acquisition, e.g., acquisition via software tools, hardware appliances or virtualization features. Another valid argument in favour of carving-based extraction is the potential compromise of structural information by an adversary, which seems a viable concern considering recent research in anti-memory-forensics. In a nutshell, mentioning just a small portion of a large variety of obstacles, it is desirable to back structured analysis with additional concepts of unstructured analysis and to introduce concepts of data reduction similar to those in disk forensics.
Therefore, this research investigates the transferability of Approximate Matching concepts to the field of memory forensics. Such functions are usually used to determine the similarity between two input files. After giving a broad systematization of the field in terms of different criteria of research, we discuss the transferability of existing schemes through several contributions: First, we inspect the possibility of quickly differentiating between code and data with the help of a new approach called Approximate Disassembling. In other words, we introduce a concept for x86-64 code fragment carving. The approach is the entry point for further discussions and extensions to existing Approximate Matching implementations. Second, we discuss the possible integration of our previously introduced dispatcher into an existing Approximate Matching technique. The required adaptations to the implementation and parametrization are outlined. The approach is discussed in the course of inspecting a raw memory image, i.e., for the task of identifying the running kernel version and different applications. Third, we introduce the possibility of extending an existing Approximate Matching technique with contextual extraction capabilities. In detail, techniques to carve the function start offset via common prologue sequences have been reassessed for our specific domain. Fourth, we inspect different and fairly new concepts of storing and handling extracted artefacts. The evaluation and assessment of the different approaches is often denoted as the Database Lookup Problem. In detail, we discuss the different implementations under aspects like common block filtration and deduplication. Last, we inspect the capabilities of our considered approaches in the course of binary matching. In detail, we adapt previously introduced techniques and discuss the performance in contrast to predominant Approximate Matching approaches.
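As an added illustration of the prologue-based carving of function start offsets mentioned in the third contribution (example code, not the thesis's own implementation): candidate x86-64 function starts are located in a raw image by a small, hand-picked set of common prologue byte sequences, and the code fragment after each start is cut out so it could be fed to an Approximate Matching hash. The prologue set, the `ret`-terminated fragment heuristic and the sample image are constructed assumptions.

```python
"""Carve candidate x86-64 function starts from a raw memory image via common
prologue byte sequences, then extract the code fragment that follows each."""
from typing import Dict, List, Tuple

# Assumption: a small prologue set typical of compiler output, chosen for
# illustration; it is not the signature set evaluated in the thesis.
PROLOGUES: Dict[str, bytes] = {
    "push rbp; mov rbp, rsp": b"\x55\x48\x89\xe5",
    "push rbp; mov rbp, rsp (alt encoding)": b"\x55\x48\x8b\xec",
    "endbr64; push rbp; mov rbp, rsp": b"\xf3\x0f\x1e\xfa\x55\x48\x89\xe5",
}
ENDBR64_LEN = 4  # an endbr64-prefixed hit at X also yields a plain hit at X + 4


def carve_function_starts(image: bytes) -> List[Tuple[int, str]]:
    """Return sorted (offset, prologue name) pairs for every prologue match."""
    hits: Dict[int, str] = {}
    for name, sig in PROLOGUES.items():
        pos = image.find(sig)
        while pos != -1:
            # Keep the longer (endbr64-prefixed) match when two overlap at one offset.
            if pos not in hits or len(sig) > len(PROLOGUES[hits[pos]]):
                hits[pos] = name
            pos = image.find(sig, pos + 1)
    # Drop the inner "push rbp; mov rbp, rsp" hit contained in every endbr64 prologue.
    endbr_starts = {off for off, name in hits.items() if name.startswith("endbr64")}
    return sorted((off, name) for off, name in hits.items()
                  if off - ENDBR64_LEN not in endbr_starts)


def carve_fragments(image: bytes, max_len: int = 256) -> List[Tuple[int, bytes]]:
    """Cut bytes from each carved start up to and including the first 0xC3 (ret),
    capped at max_len. Naive: a 0xC3 inside an operand ends a fragment early."""
    fragments: List[Tuple[int, bytes]] = []
    for start, _ in carve_function_starts(image):
        end = image.find(b"\xc3", start)
        stop = min(end + 1 if end != -1 else len(image), start + max_len)
        fragments.append((start, image[start:stop]))
    return fragments


# Constructed sample "memory image": data, two tiny functions, more data.
SAMPLE_IMAGE = (
    b"\x00" * 16                            # offset 0: zero-filled data
    + b"\x55\x48\x89\xe5\x48\x83\xec\x10"   # offset 16: push rbp; mov rbp,rsp; sub rsp,0x10
    + b"\xc3"                                # offset 24: ret
    + b"Hello, forensics\x00"                # offset 25: string data (17 bytes)
    + b"\xf3\x0f\x1e\xfa\x55\x48\x89\xe5"   # offset 42: endbr64; push rbp; mov rbp,rsp
    + b"\x5d\xc3"                            # offset 50: pop rbp; ret
    + b"\xff" * 10                           # offset 52: filler data
)

if __name__ == "__main__":
    for off, name in carve_function_starts(SAMPLE_IMAGE):
        print(f"0x{off:08x}  {name}")
    for off, frag in carve_fragments(SAMPLE_IMAGE):
        print(f"0x{off:08x}  {frag.hex()}")
```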