Network Security Incidents

RE: Digital forensics of the physical memory

Date: Sat, 18 Jun 2005 14:58:37 -0400
Harlan, Ben,

The only other thing I would like to mention is the difficulty in 
gathering a trustworthy image of physical memory. In fact I would go 
so far as saying that this is an impossibility so long as the imaging 
process relies on the host operating system...

Based on entries I made to my blog the other day, I ended up having a
conversation w/ someone from MS about this very issue.  The issue of using
dd.exe to image Physical Memory goes beyond the fact that there don't seem
to be any maps describing how physical memory is used by Windows systems,
and that memory used by processes consists of both RAM and the pagefile.
Additional issues include, as you pointed out, that while the imaging
process is occurring, the kernel memory (and even user-mode memory) is
changing...so what you end up with is a smear, for want of a better term.

The original author does at one point use the term "image" to describe his
evidence collection process.  I think that use of this term was unfortunate
because it invites comparison with classical approaches to evidence
gathering and standards.  It is not possible to "image" a reality that is
constantly changing.  A "smear," on the other hand, is a pejorative term
which assumes that a changing reality cannot therefore be measured
accurately.  

While individual pages of physical memory change at a very rapid rate, the
overall structure of physical memory is remarkably stable and offers a basis
on which the nature of the changes may be understood.  In U.S. v.
Al-Hussayen a decrypted password was extracted from a physical memory dump
and used to show that the perp had system admin access to several websites
associated with material support to terrorist activities.  It all depends on
how you present the evidence and what you are trying to show. 

A wise man recently remarked:

"One of the things I'm seeing, or should I say, have been seeing for a
while, is a move away from the purist approach to forensics, in that actual
practitioners are moving away from the thinking that the process starts by
shutting off power to the system."

Even attempts at restating the classical approach depart from that approach
rather dramatically, without admitting so.  Compare
http://www.securityfocus.com/archive/104/400960/30/30/threaded ("...the
foundations of criminalistics and crime scene analysis are based on the
notion of 'minimizing' the introduction of changes") with "Good Practices
Guide for Computer Based Electronic Evidence," 2003 ("No action taken by law
enforcement agencies or their agents should change data held on a computer
or storage media which may subsequently be relied upon in court").

One of the things that concerns me is that we have an emerging practice
within the forensic and law enforcement community without any real
reflection on its theoretical or hermeneutic underpinnings.  The absence of
free and open public reflection and debate on this matter is a serious
obstacle to computer forensic aspirations of becoming a scientific
discipline.

Conventional forensic doctrine places heavy emphasis on not altering
evidence during the acquisition process.  But it does not explain the
relationship between this principle and the notion of evidentiary
reliability as this is understood in forensic science.  Aitken and Taroni
define reliability in the following manner:

"Reliability is the probability of observing strong misleading evidence.
This is related to the amount of evidence one has.  If one wishes to improve
the reliability of one's evidence then the amount collected has to be
increased.  This is intuitively reasonable."  Colin Aitken and Franco
Taroni, Statistics and the Evaluation of Evidence for Forensic Scientists.
Second Edition (Chichester 2004), 198.

Reliable evidence is evidence for which the probability of observing strong
misleading evidence is kept below a certain tolerable level.  We do not
approach this question in the abstract.  Rather, we must compare the
probability of observing strong misleading evidence with physical memory to
the probability without this analysis.  Increasingly the scale seems to be
tipping in favor of considering this so-called "new" evidence.

Regards,

George.
