When performing an acquisition of a live machine, an examiner has the opportunity to obtain information about the current state of the system by creating an image of physical memory. This would not be possible if the machine were powered off, because RAM is volatile. Keeping the machine powered during the acquisition process is therefore imperative. Capturing the contents of physical memory at the time of acquisition gives an investigator the ability to view data belonging to currently running programs, email, images, documents, etc. A physical memory analysis will uncover the processes and data being handled by the operating system at that moment. This analysis can uncover artifacts that demonstrate the intention of the user by reconstructing what activities are currently present on the system.
Tools and procedures used to acquire an image of physical memory on a live machine must address a number of concerns. The most important issue when performing an acquisition on either a live or a static system is data integrity. The process or tool used in any forensic situation must not alter the data in a way that compromises artifacts. This principle applies equally to acquiring an image of physical memory on a live system. The tool being used needs to have as small a footprint as possible so as not to interfere with other processes and data residing in memory. Although any application that reads physical memory must itself occupy some memory, the tool should read the remaining memory without writing to other locations in memory.
Carrier and Grand outline requirements that make up a good imaging tool:
The acquisition tool shall read all digital data from a source and write them to a non-volatile destination location. The destination, called an image, shall be in an accessible format.
The tool shall not cause data to be written to the source.
The tool shall follow a documented procedure that includes the steps that it performs and the hardware and software resources that it uses to read the source data.
If there are I/O errors while reading the source data, the tool shall write a specified value to the corresponding locations in the image. The tool shall log the type and location of the error in an accessible format.
If the destination of the data is larger than the source, the tool shall identify the start and end locations of the source data within the destination.
If the destination of the data is smaller than the source, the tool shall notify the user and either abort or copy as much data as possible into the destination.
The tool shall provide documentation that is correct.
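The requirements above can be expressed as a small acquisition loop. The following is an added example written for this article, not code from Carrier and Grand or from any of the tools listed below; it assumes a caller-supplied read_page callback standing in for the physical memory source, a fixed-capacity destination, and a constructed sample source with one unreadable page.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class ImageResult:
    data: bytearray                 # the image written to the destination
    errors: list = field(default_factory=list)  # (offset, length, error type, detail)
    truncated: bool = False         # destination was smaller than the source
    source_start: int = 0           # source data's start offset inside the destination
    source_end: int = 0             # and its end offset (exclusive)
    sha256: str = ""                # integrity hash of the finished image

def acquire_image(read_page, source_size, dest_capacity, page_size=4096, fill=b"\x00"):
    """Copy source_size bytes in page-sized reads via read_page(offset, length),
    which returns bytes or raises OSError for an unreadable region."""
    image = bytearray()
    result = ImageResult(data=image, truncated=dest_capacity < source_size)
    to_copy = min(source_size, dest_capacity)    # smaller destination: copy what fits
    offset = 0
    while offset < to_copy:
        length = min(page_size, to_copy - offset)
        try:
            chunk = read_page(offset, length)
            if len(chunk) != length:
                raise OSError(f"short read: {len(chunk)} of {length} bytes")
        except OSError as exc:
            # Carrier and Grand: write a specified value and log the error type and location
            chunk = fill * length
            result.errors.append((offset, length, type(exc).__name__, str(exc)))
        image.extend(chunk)
        offset += length
    result.source_end = len(image)               # larger destination: mark the source span
    result.sha256 = hashlib.sha256(image).hexdigest()
    return result

# Constructed sample source (not a real memory capture): four 4 KiB pages,
# with the third page simulating an I/O error on read.
SAMPLE_SOURCE = bytes(range(256)) * 64         # 16384 bytes
BAD_RANGE = (8192, 12288)

def sample_reader(offset, length):
    if offset < BAD_RANGE[1] and offset + length > BAD_RANGE[0]:
        raise OSError(f"EIO at offset {offset:#x}")
    return SAMPLE_SOURCE[offset:offset + length]

if __name__ == "__main__":
    r = acquire_image(sample_reader, len(SAMPLE_SOURCE), dest_capacity=len(SAMPLE_SOURCE))
    print(f"{len(r.data)} bytes imaged, {len(r.errors)} error(s), sha256={r.sha256}")
```

The error log and the hash are what make the image verifiable afterwards: the filled region is documented rather than silently passed off as real memory content.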
Memory Imaging Software Tools
Windows:
Belkasoft Live RAM Capture
Windows SCOPE Pro
Windows SCOPE Live
Winen.exe (Encase6.11+ and Helix 2.0)
Mdd
MANDIANT Memoryze
Kntdd
Moonsols
Fastdump
FTK Imager
OSForensics
WinPmem
Windows Memory Reader
Linux:
LiME
Linux Memory Grabber
Second Look: Linux Memory Forensics
Fmem
Imap
Pmem
Mac OS X:
Goldfish
Mac Memory Reader
OSXPMem
Virtual:
Qemu
Xen
While a software based approach to acquiring an image of physical memory can be a reliable method of acquisition, a hardware based approach could be considered more forensically sound. When a software tool is used, other processes running on the system could misdirect the tool so that it hides areas of memory that might be incriminating. This anti-forensic method is known as Direct Object Manipulation and can thwart a software based tool that uses a list-walking method to traverse memory (blackhat). A hardware based approach is less susceptible to anti-forensics in that it “suspend[s]… the computer’s processor and use[s]… direct memory access (DMA) to obtain a copy of memory”. This method relies less on the resources of the computer to render evidence, lessening the chance of those resources compromising the evidence.
Amari, K. (2009, March 26). InfoSec Reading Room. Retrieved from SANS: http://www.sans.org/reading-room/whitepapers/forensics/techniques-tools-recovering-analyzing-data-volatile-memory-33049
Carrier, B. D., & Grand, J. (2010). Retrieved from dator8: http://dator8.info/2010/19.pdf
Walters, A., & Petroni, N. L. (2007). Media Archives. Retrieved from Blackhat: https://www.blackhat.com/presentations/bh-dc-07/Walters/Paper/bh-dc-07-Walters-WP.pdf