Security Incidents mailing list archives
RE: Digital forensics of the physical memory
From: "George M. Garner Jr." <gmgarner () erols com>
Date: Sat, 18 Jun 2005 14:58:37 -0400
Harlan, Ben,
The only other thing I would like to mention is the difficulty in gathering a trustworthy image of physical memory. In fact I would go so far as saying that this is an impossibility so long as the imaging process relies on the host operating system...
Based on entries I made to my blog the other day, I ended up having a conversation w/ someone from MS about this very issue. The issue of using dd.exe to image Physical Memory goes beyond the fact that there don't seem to be any maps describing how physical memory is used by Windows systems, and that memory used by processes consists of both RAM and the pagefile. Additional issues include, as you pointed out, that while the imaging process is occurring, the kernel memory (and even user-mode memory) is changing...so what you end up with is a smear, for want of a better term.
The original author does at one point use the term "image" to describe his evidence collection process. I think that use of this term was unfortunate because it invites comparison with classical approaches to evidence gathering and standards. It is not possible to "image" a reality that is constantly changing. A "smear," on the other hand, is a pejorative term which assumes that a changing reality cannot therefore be measured accurately. While individual pages of physical memory change at a very rapid rate, the overall structure of physical memory is remarkably stable and offers a basis on which the nature of the changes may be understood. In U.S. v. Al-Hussayen a decrypted password was extracted from a physical memory dump and used to show that the perp had system admin access to several websites associated with material support to terrorist activities. It all depends on how you present the evidence and what you are trying to show. A wise man recently remarked: "One of the things I'm seeing, or should I say, have been seeing for a while, is a move away from the purist approach to forensics, in that actual practitioners are moving away from the thinking that the process starts by shutting off power to the system." Even attempts at restating the classical approach depart from that approach rather dramatically, without admitting so. Compare http://www.securityfocus.com/archive/104/400960/30/30/threaded ("...the foundations of criminalistics and crime scene analysis are based on the notion of 'minimizing' the introduction of changes") with "Good Practices Guide for Computer Based Electronic Evidence" (2003) ("No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court"). One of the things that concern me is that we have an emerging practice within the forensic and law enforcement community without any real reflection on its theoretical or hermeneutic underpinnings.
The absence of free and open public reflection and debate on this matter is a serious obstacle to computer forensic aspirations of becoming a scientific discipline. Conventional forensic doctrine places heavy emphasis on not altering evidence during the acquisition process. But it does not explain the relationship between this principle and the notion of evidentiary reliability as this is understood in forensic science. Aitken and Taroni define reliability in the following manner: "Reliability is the probability of observing strong misleading evidence. This is related to the amount of evidence one has. If one wishes to improve the reliability of one's evidence then the amount collected has to be increased. This is intuitively reasonable." Colin Aitken and Franco Taroni, Statistics and the Evaluation of Evidence for Forensic Scientists, Second Edition (Chichester 2004), 198. Reliable evidence is evidence for which the probability of observing strong misleading evidence is kept below a certain tolerable level. We do not approach this question in the abstract. Rather, we must compare the probability of observing strong misleading evidence with physical memory to the probability without this analysis. Increasingly the scale seems to be tipping in favor of considering this so-called "new" evidence.

Regards,
George.
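The "smear" versus "stable structure" point above can be made concrete with a small simulation. This is a constructed example added here, not code from the thread or its participants: memory is modelled as a list of pages, page 0 holds a kernel pointer to a linked list of records, and the system keeps unlinking and inserting records between page copies, so a link-following parser sees a torn image while page-by-page carving still recovers the records that were present.

```python
"""Constructed simulation of a non-atomic physical-memory acquisition."""
from dataclasses import dataclass
from typing import Optional

PAGES = 16
HEAD = 0  # page 0: kernel pointer to the page holding the first record


@dataclass(frozen=True)
class Record:
    pid: int
    next: Optional[int]  # page number of the next record, or None


def build_memory(records: int = 8) -> list:
    """Live memory: records on pages 1..records, linked from high to low."""
    mem = [None] * PAGES
    for page in range(1, records + 1):
        mem[page] = Record(pid=page, next=page - 1 if page > 1 else None)
    mem[HEAD] = records
    return mem


def kernel_event(mem: list, k: int) -> None:
    """Event k: even k unlinks the head record, odd k inserts a new one."""
    if k % 2 == 0 and mem[HEAD] is not None:
        old = mem[HEAD]
        mem[HEAD] = mem[old].next
        mem[old] = None  # page returned to the free pool
    elif k % 2 == 1:
        free = [p for p in range(PAGES - 1, 0, -1) if mem[p] is None]
        if free:
            mem[free[0]] = Record(pid=100 + k, next=mem[HEAD])
            mem[HEAD] = free[0]


def acquire(mem: list, events_per_page: int) -> list:
    """Copy pages in order; the system runs events_per_page events per copy."""
    image, k = [], 0
    for page in range(PAGES):
        image.append(mem[page])  # Record is frozen, so each page is a true copy
        for _ in range(events_per_page):
            kernel_event(mem, k)
            k += 1
    return image


def walk(image: list):
    """Follow links as a structure parser would; report why the walk stopped."""
    seen, page = [], image[HEAD]
    while page is not None and page not in seen:
        if image[page] is None:
            return seen, f"dangling link to page {page}"
        seen.append(page)
        page = image[page].next
    return seen, ("cycle" if page is not None else "ok")


def carve(image: list) -> list:
    """Ignore links and recover every record page present in the image."""
    return [p for p in range(1, PAGES) if image[p] is not None]
```

With one event per page copy the head pointer copied from page 0 refers to a record that has been freed by the time page 8 is copied, so `walk` recovers nothing, whereas `carve` still finds the seven records that survived; with zero events the copy is a consistent snapshot and both agree.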