User names and passwords were found in memory image.

Source publication
Conference Paper
Full-text available
Traditionally, incident responders and digital forensic examiners have predominantly relied on live response for volatile data acquisition. While this approach is popular, memory capacity has rapidly changed, making memory a valuable resource for digital investigation, by revealing not only running tasks, but also terminated and cached processes. T...

Context in source publication

Context 1
... these steps: (1) we sent an email from each account to different receivers, (2) logged out from both accounts, (3) closed the browser, and (4) imaged the memory; the email addresses of the senders/receivers and the body of both emails were found in plain text in the memory image. Moreover, sensitive information such as the user names of both accounts and their passwords was also found in the memory image (see figure 3). User names and passwords were found in the memory image. ...
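The experiment above ends with a search of the memory image for the sender/receiver addresses and the account credentials after logout. The following scan is an added example, not code from the paper: it runs that search over a constructed sample image (the byte buffer `SAMPLE_IMAGE` and every address and credential in it are made up) and reports each hit with its offset. It looks for email addresses and for credential-bearing form fields (`username=`, `password=`, and similar) both as plain ASCII and as UTF-16LE wide strings, since Windows applications store much of their text in the wide form and a plain `strings`-style pass misses it. The field names and regular expressions are assumptions chosen for the example, not anything the paper specifies.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# (offset in image, encoding, kind, value)
Finding = Tuple[int, str, str, str]

# Constructed sample "memory image": NUL filler, an ASCII HTTP form body as a
# browser would post it, a UTF-16LE address as Windows often keeps text, and
# the headers of a mail fragment. None of these values are real.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"username=alice%40example.org&password=Str0ngPass%21&submit=Login"
    + b"\x00" * 8
    + "bob@example.net".encode("utf-16-le")
    + b"\x00" * 8
    + b"From: carol@example.com\r\nTo: dave@example.org\r\n"
)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Form field names that commonly carry credentials in a POST body (assumed list).
CRED_FIELD_RE = re.compile(
    rb"(?i)(username|user|email|password|passwd|pwd)=([^&\s\x00]+)"
)


def _scan(buf: bytes, encoding: str, base: int, step: int) -> List[Finding]:
    """Search one byte view; map match positions back to image offsets."""
    found: List[Finding] = []
    for m in EMAIL_RE.finditer(buf):
        found.append((base + m.start() * step, encoding, "email",
                      m.group(0).decode("ascii")))
    for m in CRED_FIELD_RE.finditer(buf):
        field = m.group(1).decode("ascii").lower()
        # Form values are URL-encoded ("%40" is "@"), so decode before reporting.
        value = unquote(m.group(2).decode("ascii"))
        found.append((base + m.start() * step, encoding, "form:" + field, value))
    return found


def _narrow_utf16le(image: bytes, align: int) -> bytes:
    """Collapse a UTF-16LE view to one byte per character.

    Each (low, high) pair whose high byte is zero becomes its low byte; any
    other pair becomes NUL, so ASCII text and binary data cannot match in this
    view. Both alignments (0 and 1) must be tried because wide strings need
    not start on an even offset.
    """
    out = bytearray()
    for i in range(align, len(image) - 1, 2):
        lo, hi = image[i], image[i + 1]
        out.append(lo if hi == 0 else 0)
    return bytes(out)


def scan_memory_image(image: bytes) -> List[Finding]:
    """Return credential-like artefacts found as ASCII or UTF-16LE strings."""
    found = _scan(image, "ascii", 0, 1)
    for align in (0, 1):
        found.extend(_scan(_narrow_utf16le(image, align), "utf-16le", align, 2))
    return sorted(set(found))


if __name__ == "__main__":
    for offset, encoding, kind, value in scan_memory_image(SAMPLE_IMAGE):
        print(f"0x{offset:08x}  {encoding:<8}  {kind:<14}  {value}")
```

On the sample image the scan reports the username and password from the form body, the wide-string address that an ASCII-only search would skip, and the two addresses from the mail headers. Against a real dump the same routine would be run over the file read in chunks, and the findings are exactly the artefacts the experiment shows surviving logout; on the application side, the corresponding mitigation is to clear credential buffers as soon as they are no longer needed rather than leaving them for the allocator to recycle.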

Citations

... 1 the live response approach 2 the memory image analysis approach (Aljaedi et al., 2011). ...
... In the live response approach, the integrity of evidence such as cached and terminated processes could be affected; on the other hand, terminated processes are preserved in the second approach (Aljaedi et al., 2011). This study follows the second approach to minimise any additional footprint in memory: the memory containing the WhatsApp processes was dumped and transferred to an investigation workstation for examination. Figure 3 clarifies the experiment framework for examining WhatsApp Web/Desktop artefacts in Windows volatile memory; this experiment was conducted as described in the following steps: ...
... This paper presents the challenges and future development trend of memory forensics, and puts forward the corresponding solutions. Although there are already some commercial tools, on the one hand, they treat different problems with the same standards, which is obviously not the best choice for the diversified purposes of evidence collection [2]. On the other hand, many tools are only based on the present, and do not consider the impact of memory capacity on the evidence utility of forensics results. ...
Conference Paper
The concealment of network attacks and the reclusiveness of network crime mean that some key digital evidence exists only in physical memory or is stored temporarily in the page file, which traditional file-system-based computer forensics cannot handle effectively. Memory forensics, as an important supplement to traditional file-system forensics, is an important part of computer forensic science: through comprehensive access to memory data and its detailed analysis, it extracts digital evidence related to attacks or network crime. In recent years it has attracted sustained attention, developed rapidly and gained wide application in the security community, and it plays an irreplaceable role in network emergency response and network crime investigation. We motivate this research from the perspective of the key points and core elements involved in memory forensics analysis. This paper presents a comprehensive theoretical exposition and framework analysis of memory forensics, combined with the practice of specific tools.
... Some tools require pre-incident deployment, which is not always possible if the incident has already occurred. Aljaedi et al. [13] demonstrated how post-incident tools usually lead to a decrease in the integrity of the snapshot, as some of the memory is overwritten by the tool itself. The last dimension of the taxonomy differentiates terminating and non-terminating acquisition tools. ...
Article
Full-text available
The collection and analysis of volatile memory is a vibrant area of research in the cybersecurity community. The ever-evolving and growing threat landscape is trending towards fileless malware, which avoids traditional detection but can be found by examining a system’s random access memory (RAM). Additionally, volatile memory analysis offers great insight into other malicious vectors. It contains fragments of encrypted files’ contents, as well as lists of running processes, imported modules, and network connections, all of which are difficult or impossible to extract from the file system. For these compelling reasons, recent research efforts have focused on the collection of memory snapshots and methods to analyze them for the presence of malware. However, to the best of our knowledge, no current reviews or surveys exist that systematize the research on both memory acquisition and analysis. We fill that gap with this novel survey by exploring the state-of-the-art tools and techniques for volatile memory acquisition and analysis for malware identification. For memory acquisition methods, we explore the trade-offs many techniques make between snapshot quality, performance overhead, and security. For memory analysis, we examined the traditional forensic methods used, including signature-based methods, dynamic methods performed in a sandbox environment, as well as machine learning-based approaches. We summarize the currently available tools, and suggest areas for more research.
... The problem of live memory forensics is that the comparable memory is large. Therefore, changes occur while the forensic analysis is running, causing anomalies [38]. Unlike our method, independent memory acquisition and analysis are not capable of understanding context and are vulnerable to detection anomalies. ...
Article
Full-text available
This paper presents an improvement of control flow attestation (C-FLAT) for Linux. C-FLAT is a control attestation system for embedded devices. It was implemented as a software executing in ARM’s TrustZone on bare-metal devices. We extend the design and implementation of C-FLAT through the use of a type 2 Nanovisor in the Linux operating system. We call our improved system “C-FLAT Linux”. Compared to the original C-FLAT, C-FLAT Linux reduces processing overheads and is able to detect the SlowLoris attack. We describe the architecture of C-FLAT Linux and provide extensive measurements of its performance in benchmarks and real-world scenarios. In addition, we demonstrate the detection of the SlowLoris attack on the Apache web server.
... For data storage that uses steady memory or non-volatile memory as the medium. Organisationally and in computer architecture, the CPU (central processing unit) in this case consists of core components in the form of a processor, Random Access Memory (RAM), and non-volatile storage media in the form of storage that is often called a hard disk [9]. Storage itself [10] is currently divided into two specifications, namely HDD (Hard Disk Drive) and SSD (Solid State Drive). ...
Article
Full-text available
In the implementation of Digital Forensics, one of the derivatives of practice is the handling of Digital Evidence. Handling Digital Evidence requires important steps and procedures. Digital evidence is a source of artifacts in handling a digital-based crime case, one of which comes from digital storage. In this research, the author will design a framework for Digital Forensic investigations by simulating digital evidence in the form of a non-volatile architecture. The reference commonly used by researchers in previous articles is the National Institute of Justice (NIST). The framework is a reference and steps in the practice of acquiring digital evidence. The purpose of designing this framework is as a legal procedure that is specifically implemented in the practice of acquiring non-volatile digital evidence. In the design, the author conducted a literature study on the NIST SP 800-86 and ISO 27037:2012 standards and then combined them in a hybrid terminology. The output of this research is to combine the two standards to become framework as reference for handling and investigating Digital Forensic science.
... Memory forensic techniques increase day by day from a string search to deep search, memory structural analysis, operating systems analysis, etc. Several researchers worked on different technologies of computer forensics such as: memory forensics [32], [33], [34], [35], [36], volatile memory [35], [37], [38], [39], [40], [41], log forensics [42], [43], [44], [45], [46], [47], operating system [48], [49], [50], [51], [52], [53] etc. Table 2 presents the literature review of current research work in the areas of memory forensics, computer forensics, IoT forensics, and log forensics. ...
... This feature is supported by every tool mentioned in Table 9.
• Slack space: If a tool can look in space reserved for a data structure where part of it is not currently in use and contains the left-overs of previously existing data, it may lead to evidence [123]. This feature is available in every tool shown in Table 9.
• Static or live analysis: The live analysis is performed on critical systems that should not be powered off, or where a longer time is required to image RAM of large size [35]. It is inherently inconsistent but somewhat useful against anti-forensic techniques that affect static analysis [124]. ...
Article
Full-text available
With the alarmingly increasing rate of cybercrimes worldwide, there is a dire need to combat cybercrimes timely and effectively. Cyberattacks on computing machines leave certain artifacts on target device storage that can reveal the identity and behavior of cyber-criminals if processed and analyzed intelligently. Forensic agencies and law enforcement departments use several digital forensic toolkits, both commercial and open-source, to examine digital evidence. The proposed research survey focuses on identifying the current state-of-the-art digital forensics concepts in existing research, sheds light on research gaps, presents a detailed introduction of different computer forensic domains and forensic toolkits used for computer forensics in the current era. The proposed survey also presents a comparative analysis based on the tool’s characteristics to facilitate investigators in tool selection during the forensics process. Finally, the proposed survey identifies and derives current challenges and future research directions in computer forensics.
... RAM data recovery provides useful artefacts from virtual machines for the forensic analysis phase of investigation (Aljaedi et al., 2011). Converting the RAM data into a memory image allows situational analysis up to the buffer limits. ...
... The RAM holds the information in the memory blocks when powered and loses it when the main power is off and there is no backup supply. RAM is volatile memory that requires live acquisition (Aljaedi et al., 2011; Periyadi, Mutiara and Wijaya, 2017). The volatile data changes continuously and is often unstructured; therefore, it is more difficult to analyse and understand (Aljaedi et al., 2011; Dykstra and Sherman, 2012; Joseph and Norman, 2020). ...
... RAM is volatile memory that requires live acquisition (Aljaedi et al., 2011; Periyadi, Mutiara and Wijaya, 2017). The volatile data changes continuously and is often unstructured; therefore, it is more difficult to analyse and understand (Aljaedi et al., 2011; Dykstra and Sherman, 2012; Joseph and Norman, 2020). However, system utilisation data and process content data are available in RAM, and in large quantities in current RAM technologies. ...
Article
Full-text available
The challenge and problem for network investigators is that many of the data repositories are now virtualized and Cloud distributed. This paper reviews the extraction of evidence from virtualized RAM in the Cloud context on two virtual machines. Such evidence informs network system fault correction, and attack diagnosis. The contribution of this research is to promote an awareness of valuable evidence held in Cloud virtual machines, where it is located, and the extraction tools kits required. A challenge for network investigators is the variation in distributed network architecture and protocols. There is little consistency in the Cloud environment beyond proprietary dominance of Cloud services, and vendor virtualization provisions. This exploratory research takes up this challenge and demonstrates a working solution to the extraction of data in Cloud distributed networks.
... Such stabilized system then allows clear communication and the computing functionality for the intended purposes. One element of network management is recovery [2]. Systems are destabilized by a full range of failures that cost system resources to return equilibrium. ...
... Acquiring memory dumps in today's networks requires access to cloud virtual machines and analysis of the multiple instances of processes, memory, and logs [2,12,13]. The scope of this new task extends previous investigation theory and challenges both technical and legal requirements for performance. ...
... RAM data recovery provides useful artefacts from virtual machines for the forensic analysis phase of investigation [2]. Converting the RAM data into a memory image allows situational analysis up to the buffer limits. ...
Conference Paper
Full-text available
Forensic actions are taken to determine causes of system failure and to diagnose network security breaches. The challenge and problem for network investigators is that many of the data repositories are now virtualized and Cloud distributed. The requirement is to devise effective and systematic methods for data acquisition that are robust in the new networking contexts and sufficiently comprehensive for fault determination. This paper reports the extraction of evidence from virtualized RAM in the Cloud context on a virtual machine. Such evidence informs network system fault correction, and attack diagnosis. The contribution of this research is to promote an awareness of valuable evidence held in Cloud virtual machines, where it is located, and the extraction tools. The new data collection scope for network investigators is thus demonstrated in the Cloud network context. (PDF) Data Acquisition from Cloud Network Storage. Available from: https://www.researchgate.net/publication/357358070_Data_Acquisition_from_Cloud_Network_Storage [accessed Mar 22 2022].
... Volatility [12,9] is an open-source (GPLv2) framework for analysing memory [5]. It is a forensics toolkit used to analyze memory snapshots. ...
Article
Full-text available
Cyber forensics uses memory acquisition in advanced forensics and malware analysis. We propose a hypervisor-based memory acquisition tool. Our implementation extends the Volatility memory forensics framework by reducing the processor's consumption, solves the incoherency problem in memory snapshots and mitigates the pressure of the acquisition on the network and the disk. We provide benchmarks and evaluation.