Security Incidents mailing list archives

Re: Digital forensics of the physical memory


From: Ben Hawkes <ben.hawkes () paradise net nz>
Date: Thu, 16 Jun 2005 22:15:31 +1200

On Wed, Jun 15, 2005 at 05:56:28AM -0700, Mariusz Burdach wrote:
> Hello,
>
> I have written a research paper on Digital forensics
> of the physical memory. This is an introduction to a new
> area of forensics.
>
> The objective of this document is to demonstrate
> methods by which the physical memory image from a
> compromised machine can be analyzed. At the moment,
> only a Linux memory image based on kernel 2.4.x is
> presented. This "how-to" paper will try to show ways
> of enumerating processes, recovering text and
> executable files, detecting hidden processes,
> identifying processes executed in the past,
> correlating data from the memory image and swap areas, and
> so on. The document is available at:
> http://forensic.seccure.net/pdf/mburdach_digital_forensics_of_physical_memory.pdf


Firstly, the command to dump the physical memory over the network with
netcat should have used a pipe not a redirection:

# /mnt/cdrom/dd if=/dev/mem | /mnt/cdrom/nc <ip address> <port number>

The only other thing I would like to mention is the difficulty in
gathering a trustworthy image of physical memory. In fact I would go so
far as saying that this is an impossibility so long as the imaging
process relies on the host operating system. You touch on this briefly
in Chapter 2, "Problems with memory acquisition procedure", but fail to
note that the approaches you suggest (using dd or the proof of concept 
tools in idetect) can be circumvented by fairly rudimentary kernel
space anti-forensics themselves.

This is not to take away from the rest of the document which, overall,
is quite informative and probably applicable to the vast majority of
Linux intrusions seen today, but I think this is an important point to 
make nonetheless.

-- 
Ben Hawkes (fiver)
http://pie.sf.net/
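The acquisition pipeline the reply corrects (dd streamed to a collector through netcat, using a pipe rather than a redirection), written out as an added shell example; this is not code from the original message or from the paper. It hashes the bytes in flight so the collector can verify its copy without reading memory a second time (a second pass of /dev/mem would not produce the same bytes). The TOOLDIR location of trusted binaries, the collector address and port, its listener command and the demo's random input are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original message or from the paper.
# Streams a memory image to a remote collector through a pipe (never a
# redirection) and hashes the bytes in flight, so the collector can
# verify its copy without a second read of memory, which would differ.
#
# Assumptions: TOOLDIR, if set, points at trusted statically linked
# binaries (e.g. /mnt/cdrom); the collector IP/port and its listener,
#   nc -l -p 9999 > host.mem        (flags vary between netcat flavours)
# are hypothetical; the demo input is constructed random data.

# _t CMD ARGS...: run CMD from $TOOLDIR when set, else from $PATH.
_t() { _c=$1; shift; "${TOOLDIR:+$TOOLDIR/}$_c" "$@"; }

# acquire_mem SRC HASHFILE TRANSPORT...
#   SRC        device to image, e.g. /dev/mem
#   HASHFILE   receives the hex SHA-256 of exactly the bytes sent
#   TRANSPORT  command that consumes the stream, e.g. nc 10.0.0.2 9999
# "dd if=/dev/mem > nc host port" would instead try to create a local
# file named nc and hand "host port" to dd as bogus operands.
acquire_mem() {
    src=$1 hashfile=$2
    shift 2
    fifo=${TMPDIR:-/tmp}/acq.$$
    mkfifo "$fifo" || return 1
    # background hasher reads a copy of the stream from the fifo
    _t sha256sum < "$fifo" | _t cut -d' ' -f1 > "$hashfile" &
    hpid=$!
    _t dd if="$src" bs=65536 | _t tee "$fifo" | "$@"
    rc=$?
    wait "$hpid"
    rm -f "$fifo"
    return "$rc"
}

# verify_image IMAGE HASHFILE: collector-side check. A match shows the
# bytes survived transit; it does not show that the kernel gave dd the
# true contents of physical memory, which is the point made above.
verify_image() {
    [ "$(_t sha256sum < "$1" | _t cut -d' ' -f1)" = "$(cat "$2")" ]
}

# demo_run: exercise the pipeline offline with a constructed stand-in
# for /dev/mem and "cat > file" standing in for netcat.
demo_run() {
    d=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$d/fake_mem" bs=1024 count=300 2>/dev/null
    acquire_mem "$d/fake_mem" "$d/mem.sha256" sh -c "cat > '$d/host.mem'" \
        && cmp -s "$d/fake_mem" "$d/host.mem" \
        && verify_image "$d/host.mem" "$d/mem.sha256"
    r=$?
    rm -rf "$d"
    return "$r"
}

if [ "${1:-}" = demo ]; then
    demo_run && echo "image received and verified"
fi
```

Run it as `sh acquire.sh demo` to see the offline round trip; on a live host the transport is the netcat invocation from the paper and the hash file stays with the responder as the image's record of custody. Two caveats: on a 2.4 kernel /dev/mem exposes all of physical RAM, while later kernels restrict it (CONFIG_STRICT_DEVMEM), so an acquisition module is then needed and inherits the same dependence on the running kernel; and, as the reply points out, a verified hash proves only that the collector got what dd was given, not that a hostile kernel gave dd the truth.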
