Cybersecurity : Challenges in Memory Forensics

In the world of digital forensics, memory forensics is arguably the most interesting and fruitful realm. Memory forensics involves analyzing the data stored in physical memory while the operating system is running. Its primary application is the investigation of advanced computer attacks that are stealthy enough to avoid leaving data on the hard drive; in such cases the memory (RAM) must be analyzed for forensic information. Every function performed by an application or the operating system results in some change to random access memory, and these changes often persist long after the operation completes, effectively preserving a record of it. Furthermore, memory forensics provides unprecedented visibility into the runtime state of the system: which processes were running, which network connections were open, and which commands were recently executed. Analysts can extract these artifacts in a way that is entirely independent of the machine being investigated, which also reduces the chance of rootkits or malware interfering with the investigation. Crucial data may exist exclusively in memory, such as unencrypted e-mail messages, disk encryption keys, non-cacheable internet history records, off-the-record chat messages and memory-resident injected code fragments.

Challenges to Perform Memory Forensics

There are many challenges in performing memory forensics, including the following.

  • Evaluating the diverse memory acquisition tools available, which perform differently depending on the operating system version, the installed hardware and the configuration.
  • The termination character of a string may not be found. Consider the situation in which, while analyzing the physical address space of a system that uses paged virtual memory, a string is encountered that crosses a page boundary into a page that is no longer memory resident; determining the actual size of the string then requires special processing or heuristics.
  • The challenges faced during linked list analysis also apply to the analysis of memory trees.
  • Memory evidence is often found on non-volatile media and comes in various shapes and sizes. As a cyber security expert, one must be aware of the different formats and the procedure for converting one format into another.
  • When the system is powered off, the whole disk, an individual partition, or virtual file-based containers may be encrypted. This protection results in serious challenges for investigators, even if they gain access to the media.
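The page-boundary problem in the second bullet, shown as an added example that is not part of the article: a page-aware ASCII string scanner run over a constructed four-page "physical memory image" in which page 2 is marked as not memory resident. The page size (4096 bytes), the residency map and the image contents are all assumptions constructed here, as is the convention that the acquisition tool zero-fills pages it could not read. A naive scan mistakes that zero fill for a NUL terminator and reports a complete string; the page-aware scan instead reports the run as truncated at the boundary, which is the case the text says needs special handling.

```python
"""Page-aware string extraction over a raw physical-memory image.

Added example, not from the article. Page size, residency map and the
image bytes below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

PAGE_SIZE = 4096                      # assumed page size for the sample image
PRINTABLE = set(range(0x20, 0x7F))    # printable ASCII byte values


@dataclass
class FoundString:
    offset: int        # physical offset of the first byte of the run
    text: str
    terminated: bool   # a real NUL terminator was read from resident memory
    truncated: bool    # the run reached a page that is not memory resident


def page_aware_strings(image: bytes, resident: Set[int], min_len: int = 4) -> List[FoundString]:
    """Scan only resident pages. A printable run that reaches a non-resident
    page (or the end of the image) is reported as truncated, because its true
    length and terminator cannot be determined from the captured bytes."""
    results: List[FoundString] = []
    start = None
    buf = bytearray()

    def flush(terminated: bool, truncated: bool) -> None:
        nonlocal start, buf
        if start is not None and len(buf) >= min_len:
            results.append(FoundString(start, buf.decode("ascii"), terminated, truncated))
        start, buf = None, bytearray()

    n_pages = (len(image) + PAGE_SIZE - 1) // PAGE_SIZE
    for page in range(n_pages):
        if page not in resident:
            # The page was not captured; any run that reached it is cut off here.
            flush(terminated=False, truncated=True)
            continue
        lo, hi = page * PAGE_SIZE, min((page + 1) * PAGE_SIZE, len(image))
        for off in range(lo, hi):
            b = image[off]
            if b in PRINTABLE:
                if start is None:
                    start = off
                buf.append(b)
            else:
                # Only a NUL counts as a terminator; any other byte just ends the run.
                flush(terminated=(b == 0), truncated=False)
    flush(terminated=False, truncated=True)   # run reaching the end of the image
    return results


def naive_strings(image: bytes, min_len: int = 4) -> List[FoundString]:
    """Same scan but treating every page as resident (what a plain
    'strings'-style pass over the dump effectively does)."""
    n_pages = (len(image) + PAGE_SIZE - 1) // PAGE_SIZE
    return page_aware_strings(image, set(range(n_pages)), min_len)


def build_sample_image() -> Tuple[bytes, Set[int]]:
    """Construct a four-page image. Page 2 is non-resident and, as assumed
    here, zero-filled by the acquisition tool."""
    pages = [bytearray(PAGE_SIZE) for _ in range(4)]
    path = b"C:\\Windows\\System32\\svchost.exe\x00"      # normal NUL-terminated string
    pages[0][100:100 + len(path)] = path
    tail = b"HTTP/1.1"                                     # fills the last 8 bytes of page 1
    pages[1][PAGE_SIZE - len(tail):] = tail                # ... and would continue into page 2
    mail = b"analyst@example.com\n"                        # run ended by LF, not NUL
    pages[3][16:16 + len(mail)] = mail
    pages[3][200:203] = b"ok\x00"                          # below min_len, must be dropped
    return b"".join(pages), {0, 1, 3}


if __name__ == "__main__":
    img, res = build_sample_image()
    for label, found in (("naive", naive_strings(img)), ("page-aware", page_aware_strings(img, res))):
        print(label)
        for f in found:
            print(f"  0x{f.offset:08x} {f.text!r} terminated={f.terminated} truncated={f.truncated}")
```

Run as a script, the naive pass lists `HTTP/1.1` as a clean, NUL-terminated string, while the page-aware pass flags the same run as truncated with no terminator found; an analyst would treat the latter as a partial artifact whose real length needs a heuristic (for example, re-reading the page from a pagefile or hibernation file if it is available) rather than as a complete value.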

Source for more reading:

H. Gohel, H. Upadhyay, "Security Corner: Cyber Threat Analysis with Memory Forensics", CSI Communications - Knowledge Digest for IT Community, Vol. 40, Issue 11, pp. 17-19, 2017.
