Security Incidents mailing list archives

RE: Digital forensics of the physical memory


From: "George M. Garner Jr." <gmgarner () erols com>
Date: Sat, 18 Jun 2005 14:58:37 -0400

Harlan, Ben,

The only other thing I would like to mention is the difficulty in 
gathering a trustworthy image of physical memory. In fact I would go 
so far as saying that this is an impossibility so long as the imaging 
process relies on the host operating system...

Based on entries I made to my blog the other day, I ended up having a 
conversation w/ someone from MS about this very issue.  The issue of using
dd.exe to image Physical Memory goes beyond the fact that there don't seem
to be any maps describing how physical memory is used by Windows systems,
and that memory used by processes consists of both RAM and the pagefile. 
Additional issues include, as you pointed out, that while the imaging 
process is occurring, the kernel memory (and even user-mode memory) is 
changing...so what you end up with is a smear, for want of a better term.

The original author does at one point use the term "image" to describe his
evidence collection process.  I think that use of this term was unfortunate
because it invites comparison with classical approaches to evidence
gathering and standards.  It is not possible to "image" a reality that is
constantly changing.  A "smear," on the other hand, is a pejorative term
which assumes that a changing reality cannot therefore be measured
accurately.  

While individual pages of physical memory change at a very rapid rate, the
overall structure of physical memory is remarkably stable and offers a basis
on which the nature of the changes may be understood.  In U.S. v.
Al-Hussayen a decrypted password was extracted from a physical memory dump
and used to show that the perp had system admin access to several websites
associated with material support to terrorist activities.  It all depends on
how you present the evidence and what you are trying to show. 

A wise man recently remarked:

"One of the things I'm seeing, or should I say, have been seeing for a
while, is a move away from the purist approach to forensics, in that actual
practitioners are moving away from the thinking that the process starts by
shutting off power to the system."

Even attempts at restating the classical approach depart from that approach
rather dramatically, without admitting so.  Compare
http://www.securityfocus.com/archive/104/400960/30/30/threaded ("...the
foundations of criminalistics and crime scene analysis are based on the
notion of 'minimizing' the introduction of changes") with "Good Practice
Guide for Computer Based Electronic Evidence," 2003 ("No action taken by law
enforcement agencies or their agents should change data held on a computer
or storage media which may subsequently be relied upon in court").

One of the things that concerns me is that we have an emerging practice
within the forensic and law enforcement community without any real
reflection on its theoretical or hermeneutic underpinnings.  The absence of
free and open public reflection and debate on this matter is a serious
obstacle to computer forensic aspirations of becoming a scientific
discipline.

Conventional forensic doctrine places heavy emphasis on not altering
evidence during the acquisition process.  But it does not explain the
relationship between this principle and the notion of evidentiary
reliability as this is understood in forensic science.  Aitken and Taroni
define reliability in the following manner:

"Reliability is the probability of observing strong misleading evidence.
This is related to the amount of evidence one has.  If one wishes to improve
the reliability of one's evidence then the amount collected has to be
increased.  This is intuitively reasonable."  Colin Aitken and Franco
Taroni, Statistics and the Evaluation of Evidence for Forensic Scientists.
Second Edition (Chichester 2004), 198.

Reliable evidence is evidence for which the probability of observing strong
misleading evidence is kept below a certain tolerable level.  We do not
approach this question in the abstract.  Rather, we must compare the
probability of observing strong misleading evidence with physical memory to
the probability without this analysis.  Increasingly the scale seems to be
tipping in favor of considering this so-called "new" evidence.

Regards,

George.
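
The page-by-page "smear" Harlan describes above, as an added simulation that is not part of this thread or of any tool mentioned in it: a constructed memory whose one record stores its sequence number in two pages, a live writer that keeps bumping both copies, and an imager that copies one page at a time the way dd reads a physical-memory device. The page layout, `DIRECTORY_PAGE` and `SEQ_PAGES` are assumptions chosen for the illustration.

```python
# Constructed simulation (not a real memory dump): an imager copies physical
# memory one page at a time while the running system keeps modifying it.
# The layout (which pages belong to what) stays stable; the contents do not.
import struct
from typing import Callable, List, Optional

PAGE_SIZE = 16
N_PAGES = 8
DIRECTORY_PAGE = 0   # assumed layout: page 0 records which pages are in use
SEQ_PAGES = (2, 5)   # assumed: one record keeps its sequence number in both pages


def make_memory() -> List[bytearray]:
    """Build the constructed sample memory: a directory page plus one record."""
    mem = [bytearray(PAGE_SIZE) for _ in range(N_PAGES)]
    for p in range(N_PAGES):                      # 1 = used by the record, 0 = free
        mem[DIRECTORY_PAGE][p] = 1 if p in SEQ_PAGES else 0
    for p in SEQ_PAGES:
        struct.pack_into("<I", mem[p], 0, 0)      # sequence number starts at 0
    return mem


def live_writer(mem: List[bytearray]) -> None:
    """Simulate the running kernel/process: bump the record's sequence number
    in both of its pages, preserving the invariant seq(page 2) == seq(page 5)."""
    for p in SEQ_PAGES:
        (seq,) = struct.unpack_from("<I", mem[p], 0)
        struct.pack_into("<I", mem[p], 0, seq + 1)


def acquire(mem: List[bytearray],
            between_pages: Optional[Callable[[List[bytearray]], None]] = None) -> List[bytes]:
    """Copy memory page by page. On a live system `between_pages` runs after
    every page copy, so later pages are read from a newer state than earlier ones."""
    image = []
    for p in range(N_PAGES):
        image.append(bytes(mem[p]))
        if between_pages is not None:
            between_pages(mem)
    return image


def record_sequences(image: List[bytes]) -> tuple:
    """Read the sequence number from each copy of the record in the image.
    A consistent snapshot gives two equal values; a smear does not."""
    return tuple(struct.unpack_from("<I", image[p], 0)[0] for p in SEQ_PAGES)


def directory(image: List[bytes]) -> bytes:
    """The structural part of the image, which the live writer never touches."""
    return image[DIRECTORY_PAGE]
```

With a cold (unchanging) memory `record_sequences` returns `(0, 0)`; with `live_writer` running between page copies it returns `(2, 5)`, the two copies disagreeing because page 5 was read three writer steps later than page 2, while `directory` is byte-identical in both images.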
