10:46 a.m.
This post is not specifically about Volatility; however, I know that the
topic will be of interest to many list members. Reliable memory
analysis depends on reliable memory acquisition. No matter how good an
analysis tool is, it can only analyze what is in the memory "dump." If
the memory acquisition tool produces an incomplete or erroneous memory
dump the analysis will also fail or be misleading. It is thus with
pleasure that I note the progress that is being made toward developing a
critical framework for evaluating and testing memory acquisition tools.
The latest contribution is by Stefan Vömel and Johannes Stüttgen whose
paper, "An evaluation platform for forensic memory acquisition software"
was presented at the recent DFRWS conference and may be downloaded from
the following link:
http://www.dfrws.org/2013/proceedings/DFRWS2013-11.pdf.
The authors adopt an approach which they call "white-box testing"
whereby the authors modify the source code for various open source tools
(win32dd, mdd, winpmem) to insert hypercalls at various locations in the
acquisition process. The hypercalls inform the test platform of various
important system events and operations and inspect the state of the
subject system at the moment of the hypercall. The state as recorded by
the hypercalls is then used as a metric to evaluate the reliability
(i.e. "correctness") of the tool which is under test.
The approach has a number of significant limitations which the authors
acknowledge, the most significant of which is that they require the
source code which must be modified in order to perform the test. Most
commercial tool vendors do not provide the source code to their memory
acquisition tools. Even one of the open source tools tested by Vömel
and Stüttgen, win32dd, is an old version of the current closed-source
Moonsols tool which contains many bug fixes which are not in the open
source precursor. As far as I am aware the MDD tool is no longer
supported or under active development. Michael Cohen's winpmem is the
only currently supported tool that the authors were able to test.
Another significant limitation is that the test platform is tied to a
highly customized version of the Bochs x86 PC emulator. The test
platform is restricted to 32-bit versions of Windows with not more than
2 GiB of memory. The acquisition of physical memory from systems
equipped with more than 4 GiB of memory and from 64-bit versions of
Microsoft Windows are areas where memory acquisition tool vendors have
stumbled in the past. Possibly all contemporary memory acquisition
tools handle 64-bit systems and systems with more than 4 GiB of memory
correctly; however, we would like to be able to test this and not rely
solely on faith.
One limitation which the authors do not discuss is the impact of
restricting the test platform to a particular VM (i.e. Bochs). In our
experience VMs provide a much more highly predictable and stable
environment than real hardware and may not be a good indication of how a
memory acquisition tool will perform on real hardware. In addition, as
was mentioned previously on this list, different VM manufacturers have
chosen to emulate very different PC designs. How a tool performs on
VMWare may not be a good indicator of how the same tool will perform on
Microsoft Hyper-V or VirtualBox or KVM.
Also, the authors do not acknowledge the possibility that memory
acquisition tools may perform differently on different versions of the
Microsoft operating system. Each new version of the Microsoft operating
system has brought changes to the Windows memory manager, in some cases
significant changes. Currently, we are (out of necessity) using
acquisition methods that differ in varying degrees on Microsoft Windows
XP, Windows 2003 SP1 and later, Windows Vista, Windows 7 and Windows 8.
For Windows 8.1 Preview we have found it necessary to invent new
methods that are different from all of the methods which we previously
employed.
Finally, the authors do not articulate the theoretical framework for
forensic volatile memory acquisition which serves as the basis for their
notion of "correctness." Historically, computer forensic experts have
evaluated the acquisition of volatile memory as an "imaging" process.
Most computer forensic experts were familiar with the imaging of "dead"
hard drives. It was natural to assume memory acquisition was doing much
the same thing. The problem is that a running computer system is by
nature a stochastic process (more precisely, it is a "continuous time
stochastic process") which cannot be "imaged." It can only be sampled.
Sampling is a common technique in forensic science, other than in
computer forensics. Computer forensics is somewhat unique among
forensic "sciences" in its almost exclusive reliance upon "imaging" as
a
standard of reliability. It is difficult not to note the severe tension
which exists between this theoretic framework and the reality of modern
computer design. Not only is "live" imaging of hard drives now
commonplace for practical reasons (which equally aren't true images) but
also, as we now know, a hard drive is an embedded computer system which
may alter the physical layout of data on the disks any time power is
applied to the drive.
The theoretical approach which we have advocated (see, e.g. Garner, Maut
Design Document (unpublished manuscript, 2011), is to view volatile
memory acquisition as a process of sampling the state of a
continuous-time stochastic process. We further propose to use the
structural elements created by the operating system and the hardware as
a metric to evaluate the reliability of the sampling process. We
believe that these structural elements may be used for this purpose
because they possess the Markhov property. Their future state is
predictable, depending entirely on their present state and is
conditionally independent of the past. A sample is said to be reliable
when it is "representative" of the entire population. In other words, a
sample is reliable with respect to a specific issue of material fact if
an inference drawn upon the basis of the sample will arrive at the same
conclusion as if the inference were drawn upon the basis of the entire
population.
The authors appear to assume the tradition "imaging" framework for
volatile computer memory acquisition, however, this assumption should be
stated since the entire rest of the paper depends on it.
In conclusion, this paper makes an important contribution to a topic
that is important for the future of computer forensics. However, the
authors need to better articulate their assumptions. Development of a
professional memory forensic tool testing platform will require the
development of a test enviroment which overcomes the current limitations.
Regards,
George M. Garner Jr.
President
GMG Systems, Inc.
1:04 p.m.
New subject: An evaluation platform for forensic memory acquisition software.
Interesting message, especially the part explaining the differences between
imaging and sampling.
I also contacted the authors and express my feelings about the lack of
accuracy of the document, and explained at the same time that the
highlighted "flaws" aren't really new or unique and that it would have been
been for the authors to also mentioned to non-developers who will read this
paper thinking they are providing solutions that as long as you are using
software acquisition based *regardless* of the acquisition methods you
gonna use, if you are running as the same level of above any malicious
program you are *always* running under a risk and there is *no* solutions
to that.
If an attacker has (physical) access to your box, it's game over.
Best,
On Mon, Aug 12, 2013 at 7:46 AM, George M. Garner Jr. <
ggarner_online(a)gmgsystemsinc.com> wrote:
This post is not specifically about Volatility;
however, I know that the
topic will be of interest to many list members. Reliable memory analysis
depends on reliable memory acquisition. No matter how good an analysis
tool is, it can only analyze what is in the memory "dump." If the memory
acquisition tool produces an incomplete or erroneous memory dump the
analysis will also fail or be misleading. It is thus with pleasure that I
note the progress that is being made toward developing a critical framework
for evaluating and testing memory acquisition tools. The latest
contribution is by Stefan Vömel and Johannes Stüttgen whose paper, "An
evaluation platform for forensic memory acquisition software" was presented
at the recent DFRWS conference and may be downloaded from the following
link:
http://www.dfrws.org/2013/**proceedings/DFRWS2013-11.pdf<http://www.dfrw…
.
The authors adopt an approach which they call "white-box testing" whereby
the authors modify the source code for various open source tools (win32dd,
mdd, winpmem) to insert hypercalls at various locations in the acquisition
process. The hypercalls inform the test platform of various important
system events and operations and inspect the state of the subject system at
the moment of the hypercall. The state as recorded by the hypercalls is
then used as a metric to evaluate the reliability (i.e. "correctness") of
the tool which is under test.
The approach has a number of significant limitations which the authors
acknowledge, the most significant of which is that they require the source
code which must be modified in order to perform the test. Most commercial
tool vendors do not provide the source code to their memory acquisition
tools. Even one of the open source tools tested by Vömel and Stüttgen,
win32dd, is an old version of the current closed-source Moonsols tool which
contains many bug fixes which are not in the open source precursor. As far
as I am aware the MDD tool is no longer supported or under active
development. Michael Cohen's winpmem is the only currently supported tool
that the authors were able to test.
Another significant limitation is that the test platform is tied to a
highly customized version of the Bochs x86 PC emulator. The test platform
is restricted to 32-bit versions of Windows with not more than 2 GiB of
memory. The acquisition of physical memory from systems equipped with more
than 4 GiB of memory and from 64-bit versions of Microsoft Windows are
areas where memory acquisition tool vendors have stumbled in the past.
Possibly all contemporary memory acquisition tools handle 64-bit systems
and systems with more than 4 GiB of memory correctly; however, we would
like to be able to test this and not rely solely on faith.
One limitation which the authors do not discuss is the impact of
restricting the test platform to a particular VM (i.e. Bochs). In our
experience VMs provide a much more highly predictable and stable
environment than real hardware and may not be a good indication of how a
memory acquisition tool will perform on real hardware. In addition, as was
mentioned previously on this list, different VM manufacturers have chosen
to emulate very different PC designs. How a tool performs on VMWare may
not be a good indicator of how the same tool will perform on Microsoft
Hyper-V or VirtualBox or KVM.
Also, the authors do not acknowledge the possibility that memory
acquisition tools may perform differently on different versions of the
Microsoft operating system. Each new version of the Microsoft operating
system has brought changes to the Windows memory manager, in some cases
significant changes. Currently, we are (out of necessity) using
acquisition methods that differ in varying degrees on Microsoft Windows XP,
Windows 2003 SP1 and later, Windows Vista, Windows 7 and Windows 8. For
Windows 8.1 Preview we have found it necessary to invent new methods that
are different from all of the methods which we previously employed.
Finally, the authors do not articulate the theoretical framework for
forensic volatile memory acquisition which serves as the basis for their
notion of "correctness." Historically, computer forensic experts have
evaluated the acquisition of volatile memory as an "imaging" process. Most
computer forensic experts were familiar with the imaging of "dead" hard
drives. It was natural to assume memory acquisition was doing much the
same thing. The problem is that a running computer system is by nature a
stochastic process (more precisely, it is a "continuous time stochastic
process") which cannot be "imaged." It can only be sampled. Sampling is
a
common technique in forensic science, other than in computer forensics.
Computer forensics is somewhat unique among forensic "sciences" in its
almost exclusive reliance upon "imaging" as a standard of reliability. It
is difficult not to note the severe tension which exists between this
theoretic framework and the reality of modern computer design. Not only is
"live" imaging of hard drives now commonplace for practical reasons (which
equally aren't true images) but also, as we now know, a hard drive is an
embedded computer system which may alter the physical layout of data on the
disks any time power is applied to the drive.
The theoretical approach which we have advocated (see, e.g. Garner, Maut
Design Document (unpublished manuscript, 2011), is to view volatile memory
acquisition as a process of sampling the state of a continuous-time
stochastic process. We further propose to use the structural elements
created by the operating system and the hardware as a metric to evaluate
the reliability of the sampling process. We believe that these structural
elements may be used for this purpose because they possess the Markhov
property. Their future state is predictable, depending entirely on their
present state and is conditionally independent of the past. A sample is
said to be reliable when it is "representative" of the entire population.
In other words, a sample is reliable with respect to a specific issue of
material fact if an inference drawn upon the basis of the sample will
arrive at the same conclusion as if the inference were drawn upon the basis
of the entire population.
The authors appear to assume the tradition "imaging" framework for
volatile computer memory acquisition, however, this assumption should be
stated since the entire rest of the paper depends on it.
In conclusion, this paper makes an important contribution to a topic that
is important for the future of computer forensics. However, the authors
need to better articulate their assumptions. Development of a professional
memory forensic tool testing platform will require the development of a
test enviroment which overcomes the current limitations.
Regards,
George M. Garner Jr.
President
GMG Systems, Inc.
______________________________**_________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilesystems.**com/mailman/listinfo/vol-users<http://lis…
1:33 p.m.
Just a quick remark:
I think you are referring to my anti-forensics paper [1]. George
commented on Stefan and my evaluation paper [2], which is something
completely different.
I do agree with you that I should have made it clearer in the paper that
we are not targeting individual tools, especially not since you
generously allowed us to use your software for evaluation. Of course the
"flaws" we target are nothing new (we do mention this in the paper and
even refer to the relevant publications). However they are still present
in current acquisition tools (7 years after the initial publication of
Darrens ddefy) Our contribution is mainly to "further the state of the
art by developing more robust solutions, thereby increasing the
complexity required by the attacker to effectively bypass forensic
tools" [1]. So the only thing we wanted to achieve is to raise the bar
for a kernel mode attacker to subvert memory acquisition.
I have tried to communicate this more explicitly in the presentation I
gave at DFRWS last Wednesday, so anyone reading the paper for the first
time feel free to also look at the slides [3].
Best,
Johannes
[1] http://www.dfrws.org/2013/proceedings/DFRWS2013-13.pdf
[2] http://www.dfrws.org/2013/proceedings/DFRWS2013-11.pdf
[3] https://docs.google.com/file/d/0B-h1CwrfZamOazBBTXFteHh3N2c
On 08/12/2013 10:04 AM, Matthieu Suiche wrote:
Interesting message, especially the part explaining
the differences
between imaging and sampling.
I also contacted the authors and express my feelings about the lack of
accuracy of the document, and explained at the same time that the
highlighted "flaws" aren't really new or unique and that it would have
been been for the authors to also mentioned to non-developers who will
read this paper thinking they are providing solutions that as long as
you are using software acquisition based *regardless* of the
acquisition methods you gonna use, if you are running as the same
level of above any malicious program you are *always* running under a
risk and there is *no* solutions to that.
If an attacker has (physical) access to your box, it's game over.
Best,
On Mon, Aug 12, 2013 at 7:46 AM, George M. Garner Jr.
<ggarner_online(a)gmgsystemsinc.com
<mailto:ggarner_online@gmgsystemsinc.com>> wrote:
This post is not specifically about Volatility; however, I know
that the topic will be of interest to many list members. Reliable
memory analysis depends on reliable memory acquisition. No matter
how good an analysis tool is, it can only analyze what is in the
memory "dump." If the memory acquisition tool produces an
incomplete or erroneous memory dump the analysis will also fail or
be misleading. It is thus with pleasure that I note the progress
that is being made toward developing a critical framework for
evaluating and testing memory acquisition tools. The latest
contribution is by Stefan Vömel and Johannes Stüttgen whose paper,
"An evaluation platform for forensic memory acquisition software"
was presented at the recent DFRWS conference and may be downloaded
from the following link:
http://www.dfrws.org/2013/proceedings/DFRWS2013-11.pdf.
The authors adopt an approach which they call "white-box testing"
whereby the authors modify the source code for various open source
tools (win32dd, mdd, winpmem) to insert hypercalls at various
locations in the acquisition process. The hypercalls inform the
test platform of various important system events and operations
and inspect the state of the subject system at the moment of the
hypercall. The state as recorded by the hypercalls is then used
as a metric to evaluate the reliability (i.e. "correctness") of
the tool which is under test.
The approach has a number of significant limitations which the
authors acknowledge, the most significant of which is that they
require the source code which must be modified in order to perform
the test. Most commercial tool vendors do not provide the source
code to their memory acquisition tools. Even one of the open
source tools tested by Vömel and Stüttgen, win32dd, is an old
version of the current closed-source Moonsols tool which contains
many bug fixes which are not in the open source precursor. As far
as I am aware the MDD tool is no longer supported or under active
development. Michael Cohen's winpmem is the only currently
supported tool that the authors were able to test.
Another significant limitation is that the test platform is tied
to a highly customized version of the Bochs x86 PC emulator. The
test platform is restricted to 32-bit versions of Windows with not
more than 2 GiB of memory. The acquisition of physical memory
from systems equipped with more than 4 GiB of memory and from
64-bit versions of Microsoft Windows are areas where memory
acquisition tool vendors have stumbled in the past. Possibly all
contemporary memory acquisition tools handle 64-bit systems and
systems with more than 4 GiB of memory correctly; however, we
would like to be able to test this and not rely solely on faith.
One limitation which the authors do not discuss is the impact of
restricting the test platform to a particular VM (i.e. Bochs). In
our experience VMs provide a much more highly predictable and
stable environment than real hardware and may not be a good
indication of how a memory acquisition tool will perform on real
hardware. In addition, as was mentioned previously on this list,
different VM manufacturers have chosen to emulate very different
PC designs. How a tool performs on VMWare may not be a good
indicator of how the same tool will perform on Microsoft Hyper-V
or VirtualBox or KVM.
Also, the authors do not acknowledge the possibility that memory
acquisition tools may perform differently on different versions of
the Microsoft operating system. Each new version of the Microsoft
operating system has brought changes to the Windows memory
manager, in some cases significant changes. Currently, we are
(out of necessity) using acquisition methods that differ in
varying degrees on Microsoft Windows XP, Windows 2003 SP1 and
later, Windows Vista, Windows 7 and Windows 8. For Windows 8.1
Preview we have found it necessary to invent new methods that are
different from all of the methods which we previously employed.
Finally, the authors do not articulate the theoretical framework
for forensic volatile memory acquisition which serves as the basis
for their notion of "correctness." Historically, computer
forensic experts have evaluated the acquisition of volatile memory
as an "imaging" process. Most computer forensic experts were
familiar with the imaging of "dead" hard drives. It was natural
to assume memory acquisition was doing much the same thing. The
problem is that a running computer system is by nature a
stochastic process (more precisely, it is a "continuous time
stochastic process") which cannot be "imaged." It can only be
sampled. Sampling is a common technique in forensic science,
other than in computer forensics. Computer forensics is somewhat
unique among forensic "sciences" in its almost exclusive reliance
upon "imaging" as a standard of reliability. It is difficult not
to note the severe tension which exists between this theoretic
framework and the reality of modern computer design. Not only is
"live" imaging of hard drives now commonplace for practical
reasons (which equally aren't true images) but also, as we now
know, a hard drive is an embedded computer system which may alter
the physical layout of data on the disks any time power is applied
to the drive.
The theoretical approach which we have advocated (see, e.g.
Garner, Maut Design Document (unpublished manuscript, 2011), is to
view volatile memory acquisition as a process of sampling the
state of a continuous-time stochastic process. We further propose
to use the structural elements created by the operating system and
the hardware as a metric to evaluate the reliability of the
sampling process. We believe that these structural elements may
be used for this purpose because they possess the Markhov
property. Their future state is predictable, depending entirely
on their present state and is conditionally independent of the
past. A sample is said to be reliable when it is "representative"
of the entire population. In other words, a sample is reliable
with respect to a specific issue of material fact if an inference
drawn upon the basis of the sample will arrive at the same
conclusion as if the inference were drawn upon the basis of the
entire population.
The authors appear to assume the tradition "imaging" framework for
volatile computer memory acquisition, however, this assumption
should be stated since the entire rest of the paper depends on it.
In conclusion, this paper makes an important contribution to a
topic that is important for the future of computer forensics.
However, the authors need to better articulate their assumptions.
Development of a professional memory forensic tool testing
platform will require the development of a test enviroment which
overcomes the current limitations.
Regards,
George M. Garner Jr.
President
GMG Systems, Inc.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org <mailto:Vol-users@volatilityfoundation.org>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
1:34 p.m.
New subject: Anti-forensic resilient memory acquisition [was: An evaluation platform for forensic memory acquisition software.]
Johannes,
I think you are referring to my anti-forensics paper
[1]. <
[...]
Ha! That was a good paper. Thank you for drawing it to my attention.
Nor do I think that the criticisms offered therein were in any sense
inappropriate. You have identified a number of obvious single points of
failure which affect many common memory forensic acquisition tools. The
vulnerabilities are too simple and too obvious not to be exploited in
the wild. Indeed, in our own experience and based on anecdotal reports
by our customers, the "bad guys" are using far more sophisticated
techniques to frustrate memory analysis. Nor is it an excuse if a
forensic tool vendor has known about these problems for years and failed
to do anything about it.
Also, the basic concept which you advance as a solution to the problem,
namely acquiring memory by formatting your own page table entry
(effectively bypassing the operating system) has merit and deserves
further exploration. That having been said, I think that there are a
couple of things that need to be viewed more critically.
1. The first is the notion of scanning the PCI bus through the
PCI_CONFIG_DATA and PCI_CONFIG_ADDRESS IO ports. On Microsoft Windows,
the PCI bus driver assumes that it has exclusive access to the PCI bus.
Trying to access the PCI config space without coordinating with the
PCI bus is going to going to have some very unpleasant consequences
sooner or later. See, especially, the comments of Doron Holon in the
thread "Querying PCI config space,"
http://www.osronline.com/showthread.cfm?link=243808. You have correctly
identified a significant limitation of most contemporary memory forensic
software. The device and BIOS reserved areas which most tools discard
may contain important artifacts of sophisticated (and some
not-so-sophisticated) malware. Nevertheless, here we have a Microsoft
software engineer stating in unequivocal terms that what you are
proposing to do is going to trash the system. Nor do I care that lscpi
does the same thing on Linux and get's away with it most of the time.
There are a lot of things that you can get away with most of the time
but which will some day fail suddenly in a career ending moment.
2. Equally problematic is the notion of allowing the user to "acquire
past the end of physical memory (yielding simply zero blocks)." Ahhh!
If only it were so simple. In many cases this will work. But I also
have encountered systems on which attempting to read beyond the end of
physical memory (i.e. to an invalid physical address and not just beyond
MmHighestPossiblePhysicalPage) reliably results in a machine check
exception (MCE). I even have a system with me at the moment which
generates a MCE exception when you try to read from certain BIOS
reserved physical addresses below MmHighestPossiblePhysicalPage. The
faulting addresses are marked as BIOS reserved addresses but do not
otherwise present any reason for the fault, except that this is the way
that this particular BIOS has programmed the memory controller and
processor.
3. The third and most important problem is your facile assumption that
the risk of processor TLB cache corruption can be dismissed simply
because you are only reading from your "rogue" page table entries and
not writing to them. As you correctly state: "Note that depending on
the caching type in the PTE that holds the original mapping to a
physical page, writing to the rogue mapping could cause cache
incoherence and is strongly discouraged." Section 11.12.4 Vol 3A of
the Intel Software Developer's Manual states:
"The PAT allows any memory type to be specified in the page tables, and
therefore it is possible to have a single physical page mapped to two or
more different linear addresses, each with different memory types. Intel
does not support this practice because it may lead to undefined
operations that can result in a system failure." Current versions of
Microsoft Windows store the cache attribute of current
virtual-to-physical address mappings as a parameter in the PFN database.
When you use the operating system to re-map a physical page the OS
uses this stored cache attribute when it creates the new mapping. The
operating system thus attempts to avoid the cache corruption issues to
against which the Intel manuals warn. When you bypass the OS and
effectively create your own "rogue" page table entry you assume the
responsibility of doing what the OS does to prevent processor cache
corruption. Your own formulations acknowledge as much. In your paper
you assert, without supporting reference, that "this is not a problem
for the purpose of memory acquisition, as we only need to read from this
mapping." Assuming arguendo that this is so you still haven't accounted
for the possibility that someone ELSE might corrupt the processor cache
by wrtting to a physical page using a virtual address with a mapping
that is incompatible to yours.
Section 11.12.4 Vol 3A of the Intel Software Developer's Manual also
provides the steps that an operating system must take before mapping a
physical page to an incompatible mapping:
<Quote/>
1. Remove the previous mapping to a cacheable memory type in the page
tables; that is, make them not present.
2. Flush the TLBs of processors that may have used the mapping, even
speculatively.
3. Create a new mapping to the same physical address with a new memory
type, for instance, WC.
4. Flush the caches on all processors that may have used the mapping
previously. Note on processors that support self-snooping, CPUID feature
flag bit 27, this step is unnecessary.
</Quote>
The question I have is, how is the operating system going to undertake
these steps for a subsequent concurrent mapping (assuming that yours is
the original mapping) when the operating system does not know that your
mapping exists?
The first two problems described above, resulting from scanning the PCI
bus and from reading beyond the end of physical memory do not occur on
every system; however, the problems result in immediate and dramatic
feedback (in the form of a system crash) in the cases where they do
occur. Problems with processor cache corruption, on the other hand, do
occur, at least potentially, on any system with an Intel compatible
processor. However, cache corruption typically doesn't usually provide
any obvious indication that it has occurred. Some random bit of memory
get's corrupted. An affected system can continue running, in some cases
for years, without any apparent indication of a problem. And then one
day someone orders a drone to abort and it fires instead because you
corrupted the memory of some mission critical server months earlier. So
I do not think that the problem of cache corruption can be dismissed as
easily as you seem to think.
Regards,
George M. Garner Jr.
President
GMG Systems, Inc.
1:56 p.m.
New subject: Anti-forensic resilient memory acquisition [was: An evaluation platform for forensic memory acquisition software.]
Hi George,
According to the wikipedia (the oracle of all knowledge :-):
http://en.wikipedia.org/wiki/Cache_coherence
<quote>
In a shared memory multiprocessor system with a separate cache memory
for each processor, it is possible to have many copies of any one
instruction operand: one copy in the main memory and one in each cache
memory. When one copy of an operand is changed, the other copies of
the operand must be changed also. Cache coherence is the discipline
that ensures that changes in the values of shared operands are
propagated throughout the system in a timely fashion.
</quote>
I read this clause as saying that cache coherence issues appear only
when one is concerned about how "changes are propagated throughout the
system in a timely fashion". When acquiring the memory image, we do
not change the rogue page at all hence there are no changes to be
propagated from the rogue page to other system. Also due to the fact
that the imaging is already smeared we dont care that changes from the
other mapped page are propagated into the imaged page are done in a
timely fashion (we might not see a change which took place a few
nanoseconds before we read).
I fail to understand how cache coherence is an issue in this case. Can
you please describe a potential race condition which can possibly
cause the type of corruption you describe?
Michael.
On 19 August 2013 19:34, George M. Garner Jr.
<ggarner_online(a)gmgsystemsinc.com> wrote:
Johannes,
I think you are referring to my anti-forensics
paper [1]. <
[...]
Ha! That was a good paper. Thank you for drawing it to my attention. Nor do
I think that the criticisms offered therein were in any sense inappropriate.
You have identified a number of obvious single points of failure which
affect many common memory forensic acquisition tools. The vulnerabilities
are too simple and too obvious not to be exploited in the wild. Indeed, in
our own experience and based on anecdotal reports by our customers, the "bad
guys" are using far more sophisticated techniques to frustrate memory
analysis. Nor is it an excuse if a forensic tool vendor has known about
these problems for years and failed to do anything about it.
Also, the basic concept which you advance as a solution to the problem,
namely acquiring memory by formatting your own page table entry (effectively
bypassing the operating system) has merit and deserves further exploration.
That having been said, I think that there are a couple of things that need
to be viewed more critically.
1. The first is the notion of scanning the PCI bus through the
PCI_CONFIG_DATA and PCI_CONFIG_ADDRESS IO ports. On Microsoft Windows, the
PCI bus driver assumes that it has exclusive access to the PCI bus. Trying
to access the PCI config space without coordinating with the PCI bus is
going to going to have some very unpleasant consequences sooner or later.
See, especially, the comments of Doron Holon in the thread "Querying PCI
config space," http://www.osronline.com/showthread.cfm?link=243808. You
have correctly identified a significant limitation of most contemporary
memory forensic software. The device and BIOS reserved areas which most
tools discard may contain important artifacts of sophisticated (and some
not-so-sophisticated) malware. Nevertheless, here we have a Microsoft
software engineer stating in unequivocal terms that what you are proposing
to do is going to trash the system. Nor do I care that lscpi does the same
thing on Linux and get's away with it most of the time. There are a lot of
things that you can get away with most of the time but which will some day
fail suddenly in a career ending moment.
2. Equally problematic is the notion of allowing the user to "acquire past
the end of physical memory (yielding simply zero blocks)." Ahhh! If only it
were so simple. In many cases this will work. But I also have encountered
systems on which attempting to read beyond the end of physical memory (i.e.
to an invalid physical address and not just beyond
MmHighestPossiblePhysicalPage) reliably results in a machine check exception
(MCE). I even have a system with me at the moment which generates a MCE
exception when you try to read from certain BIOS reserved physical addresses
below MmHighestPossiblePhysicalPage. The faulting addresses are marked as
BIOS reserved addresses but do not otherwise present any reason for the
fault, except that this is the way that this particular BIOS has programmed
the memory controller and processor.
3. The third and most important problem is your facile assumption that the
risk of processor TLB cache corruption can be dismissed simply because you
are only reading from your "rogue" page table entries and not writing to
them. As you correctly state: "Note that depending on the caching type in
the PTE that holds the original mapping to a physical page, writing to the
rogue mapping could cause cache incoherence and is strongly discouraged."
Section 11.12.4 Vol 3A of the Intel Software Developer's Manual states:
"The PAT allows any memory type to be specified in the page tables, and
therefore it is possible to have a single physical page mapped to two or
more different linear addresses, each with different memory types. Intel
does not support this practice because it may lead to undefined operations
that can result in a system failure." Current versions of Microsoft Windows
store the cache attribute of current virtual-to-physical address mappings as
a parameter in the PFN database. When you use the operating system to
re-map a physical page the OS uses this stored cache attribute when it
creates the new mapping. The operating system thus attempts to avoid the
cache corruption issues to against which the Intel manuals warn. When you
bypass the OS and effectively create your own "rogue" page table entry you
assume the responsibility of doing what the OS does to prevent processor
cache corruption. Your own formulations acknowledge as much. In your paper
you assert, without supporting reference, that "this is not a problem for
the purpose of memory acquisition, as we only need to read from this
mapping." Assuming arguendo that this is so you still haven't accounted for
the possibility that someone ELSE might corrupt the processor cache by
wrtting to a physical page using a virtual address with a mapping that is
incompatible to yours.
Section 11.12.4 Vol 3A of the Intel Software Developer's Manual also
provides the steps that an operating system must take before mapping a
physical page to an incompatible mapping:
<Quote/>
1. Remove the previous mapping to a cacheable memory type in the page
tables; that is, make them not present.
2. Flush the TLBs of processors that may have used the mapping, even
speculatively.
3. Create a new mapping to the same physical address with a new memory type,
for instance, WC.
4. Flush the caches on all processors that may have used the mapping
previously. Note on processors that support self-snooping, CPUID feature
flag bit 27, this step is unnecessary.
</Quote>
The question I have is, how is the operating system going to undertake these
steps for a subsequent concurrent mapping (assuming that yours is the
original mapping) when the operating system does not know that your mapping
exists?
The first two problems described above, resulting from scanning the PCI bus
and from reading beyond the end of physical memory do not occur on every
system; however, the problems result in immediate and dramatic feedback (in
the form of a system crash) in the cases where they do occur. Problems with
processor cache corruption, on the other hand, do occur, at least
potentially, on any system with an Intel compatible processor. However,
cache corruption typically doesn't usually provide any obvious indication
that it has occurred. Some random bit of memory get's corrupted. An
affected system can continue running, in some cases for years, without any
apparent indication of a problem. And then one day someone orders a drone
to abort and it fires instead because you corrupted the memory of some
mission critical server months earlier. So I do not think that the problem
of cache corruption can be dismissed as easily as you seem to think.
Regards,
George M. Garner Jr.
President
GMG Systems, Inc.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
3:58 p.m.
New subject: Anti-forensic resilient memory acquisition [was: An evaluation platform for forensic memory acquisition software.]
Michael,
On 8/19/2013 1:56 PM, Michael Cohen wrote:
Hi George,
According to the wikipedia (the oracle of all knowledge :-):
http://en.wikipedia.org/wiki/Cache_coherence
<quote>
In a shared memory multiprocessor system with a separate cache memory
for each processor, it is possible to have many copies of any one
instruction operand: one copy in the main memory and one in each cache
memory. When one copy of an operand is changed, the other copies of
the operand must be changed also. Cache coherence is the discipline
that ensures that changes in the values of shared operands are
propagated throughout the system in a timely fashion.
</quote>
Thanks for the link to the Wiki article and quote. The article on its
face refers to cache COHERENCE of shared memory on a multiprocessor
system where each processor maintains its own separate cache. The
specific passage quoted above concerns coherence of the instruction
cache; however, we will assume that the same applies equally to the data
cache. Nothing in this article discusses or even contemplates the
remapping of an individual memory page with incompatible memory caching
attributes or the possibility that memory CORRUPTION may occur as the
result. Memory coherence and memory corruption are two different
things. Indeed, if memory corruption does occur, cache coherence
ensures that the corruption will be propagated to every processor on the
system! Thus, the phenomenon to which you refer actually amplifies the
problem, rather than solves it.
The remapping of physical memory pages with incompatible memory caching
attributes and the possibility that memory corruption may result is
specifically addressed by Section 11.12.4 Vol 3A of the Intel Software
Developer's Manual. This section provides a specific set of steps which
must be followed to safely remap physical memory with incompatible cache
attributes. I don't see anything in this section which restricts its
application to the case where someone will be writing to both
incompatibly mapped virtual addresses. In any event, using my DD
utility on Windows 2000 (before MS started ensuring caching
compatibility of pages mapped using \Device\PhysicalMemory) I saw plenty
of examples of strange behavior of systems after acquiring physical
memory which suggested that memory corruption had occurred. I don't
particularly care to return to that era!
In any event, the wiki passage which you cite does not really respond to
the issue.
Regards,
George.
7:09 p.m.
New subject: Anti-forensic resilient memory acquisition [was: An evaluation platform for forensic memory acquisition software.]
Hi George,
Reading the referenced Intel manual we see:
<quote>
The PAT allows any memory type to be specified in the page tables, and
therefore it is possible to have a single
physical page mapped to two or more different linear addresses, each
with different memory types. Intel does not
support this practice because it may lead to undefined operations that
can result in a system failure.
</quote>
So indeed you are correct is saying that mapping pages with
incompatible attributes is not recommended. We read further to
understand why:
<quote>
In particular,
a WC page must never be aliased to a cacheable page because WC writes
may not check the processor caches.
</quote>
So this seems to again suggest this is only a problem when writing to the page.
Corruption occurs only when memory is modified - i.e. written to. If
we only ever read the memory there is no possibility that our reading
of memory can cause any memory to change? Note that the PTE remapping
technique is precisely the same as firewire acquisition technique - in
that case the DMA controller creates a mapping into the physical
address space (usually with no caching attributes) to read the memory
that is mapped at whatever caching attribute it happens to be at. It
will almost certainly conflict with the cache attribute the OS is
using.
It is true that the OS will normally not let you create conflicting
mapping. For example,
http://msdn.microsoft.com/en-us/library/windows/hardware/ff566481%28v=vs.85…
<quote>
ZwMapViewOfSection routine can fail with:
STATUS_CONFLICTING_ADDRESSES
The specified address range conflicts with an address range already
reserved, or the specified cache attribute type conflicts with the
address range's existing cache attribute. For example, if the memory
being mapped lies within a large page that is already mapped as fully
cached, then it is illegal to request to map this memory as noncached
or write combined.
</quote>
This occurs because the OS is trying to ensure that cache coherency is
maintained both for old users of the page and the new users of the
page. This is an example where calling the APIs will actually fail to
create a mapping at all - so rather than being able to take an image
with an incoherent cache (maybe slightly out of sync), now we can not
read this page at all. I suppose an imaging tool can retry the mapping
with all different cache attributes until it works?
By using the MMU translation directly we bypass these restrictions
placed by the OS - providing we understand the ramifications, we
should be ok.
Im not sure I can do much with the anecdotal evidence you present of
windows 2000? How do you know that cache attribute mismatch caused the
instability? If your tool called the OS APIs its likely that the OS
APIs themselves caused buggy behaviour (when calling the OS APIs you
have no idea what code is actually running right?).
Please dont get me wrong, I am not saying that our technique is
foolproof and super stable. I have no evidence of that, since this is
a research project and did not have the wide field testing we need to
give it (on all kinds of hardware). I am just saying that your logical
argument seems to be built on anecdotal evidence and does not really
sit well with my understanding of how CPU caching works. It may be
that you are right in practice but we have not experienced instability
in our testing so far. It is a complex field and requires more
research. I am just pointing out that your argument with conflicting
cache attributes does not seem to apply to the case of read only
imaging of physical memory.
Michael.
On 19 August 2013 21:58, George M. Garner Jr.
<ggarner_online(a)gmgsystemsinc.com> wrote:
Michael,
On 8/19/2013 1:56 PM, Michael Cohen wrote:
Hi George,
According to the wikipedia (the oracle of all knowledge :-):
http://en.wikipedia.org/wiki/Cache_coherence
<quote>
In a shared memory multiprocessor system with a separate cache memory
for each processor, it is possible to have many copies of any one
instruction operand: one copy in the main memory and one in each cache
memory. When one copy of an operand is changed, the other copies of
the operand must be changed also. Cache coherence is the discipline
that ensures that changes in the values of shared operands are
propagated throughout the system in a timely fashion.
</quote>
Thanks for the link to the Wiki article and quote. The article on its face
refers to cache COHERENCE of shared memory on a multiprocessor system where
each processor maintains its own separate cache. The specific passage
quoted above concerns coherence of the instruction cache; however, we will
assume that the same applies equally to the data cache. Nothing in this
article discusses or even contemplates the remapping of an individual memory
page with incompatible memory caching attributes or the possibility that
memory CORRUPTION may occur as the result. Memory coherence and memory
corruption are two different things. Indeed, if memory corruption does
occur, cache coherence ensures that the corruption will be propagated to
every processor on the system! Thus, the phenomenon to which you refer
actually amplifies the problem, rather than solves it.
The remapping of physical memory pages with incompatible memory caching
attributes and the possibility that memory corruption may result is
specifically addressed by Section 11.12.4 Vol 3A of the Intel Software
Developer's Manual. This section provides a specific set of steps which
must be followed to safely remap physical memory with incompatible cache
attributes. I don't see anything in this section which restricts its
application to the case where someone will be writing to both incompatibly
mapped virtual addresses. In any event, using my DD utility on Windows 2000
(before MS started ensuring caching compatibility of pages mapped using
\Device\PhysicalMemory) I saw plenty of examples of strange behavior of
systems after acquiring physical memory which suggested that memory
corruption had occurred. I don't particularly care to return to that era!
In any event, the wiki passage which you cite does not really respond to the
issue.
Regards,
George.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
12:54 p.m.
New subject: Anti-forensic resilient memory acquisition
Michael,
I see that you were able to find the relevant passage in the Intel
Developers Manual (Vol. 3A, section 11.12.4). The passages which you
quote do indeed state that the simultaneous mapping of a physical memory
page with both cached and writecombined (WC) memory caching attributes
is of "particular concern." The passage also provides one scenario of
how data corruption may result from WC writes to physical pages that are
also cached. What the passage does not say is that this is the ONLY
circumstance under which memory corruption may occur. Indeed, it
clearly states that mapping physical pages with incompatible cache
attributes is a problem in general which "may lead to undefined
operations that can result in a system failure." This interpretation is
supported also by the recommended procedure which an operating system is
to follow when remapping a physical page with incompatible cache
attributes. The OS is supposed to render the original mapping not
present and flush the TLB of any processor which "may have USED the
mapping, even speculatively." (Emphasis added.) Reading from a
physical memory page, moreover, modifies the internal state of the
processor, including the TLB and, potentially, the L2 and L3 caches.
The DMA controller, as the name implies, directly accesses physical
memory independent of the CPU. DMA does not use virtual addresses or
page tables or CPU caches. I fail to see the relevance of firewire
memory acquisition to this discussion. The DMA controller does
guarantee that the processor and various system buses have a coherent
view of physical memory. However, memory coherence, as was previously
state, does not prevent memory corruption. If memory corruption does
occur the DMA controller will guarantee that the results are propagated
to all of the system buses.
The passage which you quote from MSDN concerning
STATUS_CONFLICTING_ADDRESSES is true of some versions of Microsoft
Windows and not of others. The memory manager has changed significantly
over succeeding versions of Windows; and the changes are not always
reflected in the product documentation. Windows 8.1 will require some
significant changes in how memory is acquired, at least if the preview
is any indication.
My purpose in commenting on this aspect of your paper was not to suggest
that the basic concept of rolling your own page table entry was without
merit. Indeed, I stated that it was a very interesting idea that
deserved further research. But it is also an idea with some fundamental
problems given the current design of commercial x86/x64 processors.
These problems are never going to be solved if you simply deny that they
exist.
People think that winpmem is a part of Volatility and that it therefore
must be good. In fact, when I go to the link which you published
(http://goo.gl/9VnnkY) "Volatility" is precisely what I see. There are
many people on the list who lack the technical background to properly
evaluate your code or understand its risks. I think we know that many
people are going to take this code and run it on their production
systems. I have to say that this code involves substantial risk, and
that you must accept some responsibility for the potential consequences
given that we know the public perceptions. The Order of Volatility also
must accept some responsibility since it allows this code to be
published under its banner without adequate warning of its experimental
nature.
Regards,
George.
3:37 p.m.
New subject: Anti-forensic resilient memory acquisition
Hi George,
On 20 August 2013 18:54, George M. Garner Jr.
<ggarner_online(a)gmgsystemsinc.com> wrote:
I see that you were able to find the relevant passage
in the Intel
Developers Manual (Vol. 3A, section 11.12.4). The passages which you quote
do indeed state that the simultaneous mapping of a physical memory page with
both cached and writecombined (WC) memory caching attributes is of
"particular concern." The passage also provides one scenario of how data
corruption may result from WC writes to physical pages that are also cached.
What the passage does not say is that this is the ONLY circumstance under
which memory corruption may occur. Indeed, it clearly states that mapping
physical pages with incompatible cache attributes is a problem in general
which "may lead to undefined operations that can result in a system
failure." This interpretation is supported also by the recommended
procedure which an operating system is to follow when remapping a physical
page with incompatible cache attributes. The OS is supposed to render the
original mapping not present and flush the TLB of any processor which "may
have USED the mapping, even speculatively." (Emphasis added.) Reading from
a physical memory page, moreover, modifies the internal state of the
processor, including the TLB and, potentially, the L2 and L3 caches.
Indeed, if you read our paper carefully you may discover that we do
flush the TLB before every page mapping.
The DMA controller, as the name implies, directly
accesses physical memory
independent of the CPU. DMA does not use virtual addresses or page tables
or CPU caches. I fail to see the relevance of firewire memory acquisition
to this discussion. The DMA controller does guarantee that the processor
I was only illustrating that the DMA controller is able to view
physical memory without any L1 or L2 caches and hence by definition is
seeing the physical memory with a different caching attribute to the
CPU, which must go through caches, TLB and the MMU.
and various system buses have a coherent view of
physical memory. However,
memory coherence, as was previously state, does not prevent memory
corruption. If memory corruption does occur the DMA controller will
guarantee that the results are propagated to all of the system buses.
Im curious what you mean by corruption - you seem to be using this
term a lot. Do you mean that unexpected data is written to memory
locations? or do you mean that ram suddenly flips with no actual
writing operation? I think this is the point that I am most struggling
to understand, how can there be corruption if there is no write
operation?
The passage which you quote from MSDN concerning
STATUS_CONFLICTING_ADDRESSES is true of some versions of Microsoft Windows
and not of others. The memory manager has changed significantly over
succeeding versions of Windows; and the changes are not always reflected in
the product documentation. Windows 8.1 will require some significant
changes in how memory is acquired, at least if the preview is any
indication.
Having no intimate access to the windows source code i can only go
from the MSDN :-). I take your point about changes in the OS APIs over
time, some of which are not well documented. This is the advantage, I
think, of sticking to the low level hardware oriented approach
described in the paper. Our technique is essentially OS agnostic,
being implemented on OSX Linux and windows without problem. The only
variation we need to account for is architecture (e.g. 32bit vs. 64
bit).
People think that winpmem is a part of Volatility and
that it therefore must
be good. In fact, when I go to the link which you published
(http://goo.gl/9VnnkY) "Volatility" is precisely what I see. There are
many people on the list who lack the technical background to properly
evaluate your code or understand its risks. I think we know that many
Indeed winpmem is an open source memory imager. Please note that the
technique we have been discussing in this thread is highly
experimental (and indeed that is why it was publishable in the first
place :-). Although the technique is implemented in the upcoming
release of winpmem it is not the default technique which is chosen by
the tool. The default technique is the traditional mapping section
object of the \\devices\physicalmemory device (which is implemented by
most imaging tools out there). However as the paper points out this
technique is highly vulnerable to anti-forensic techniques.
people are going to take this code and run it on their
production systems.
Indeed they have and do, with much reported success. Winpmem can and
is used regularly to enable Volatility to operate on the live system
image, which is great for quickly triaging a system, or for analyzing
the system remotely when copying the image is prohibitive. The fact
the winpmem is open source helps it to be integrated in larger,
enterprise grade incident response tools such as GRR
(http://code.google.com/p/grr/)
I have to say that this code involves substantial
risk, and that you must
Running any code involves some element of risk. As our paper points
out, if the rootkit makes some small modifications, it is trivial to
blue box the machine when the imaging tool attempts to image it.
accept some responsibility for the potential
consequences given that we know
the public perceptions. The Order of Volatility also must accept some
responsibility since it allows this code to be published under its banner
without adequate warning of its experimental nature.
This is code contributed to the Volatility project since it is useful
to extend volatility to new use cases, and makes Volatility a complete
solution (imaging + analysis). The tool is out there for anyone to use
and test and contribute patches, unlike some commercial tools which
prefer not to be openly and impartially tested for fear of them being
leaked to the bad guys ;-).
Thanks,
Michael.
2:14 p.m.
Hi everyone,
First of all, we would like to thank George for his extensive and
constructive feedback on our work. We believe that similar discussions
will significantly drive tool development in this area of memory
forensics forward in the future, too.
The authors adopt an approach which they call
"white-box testing"
whereby the authors modify the source code for various open source tools
(win32dd, mdd, winpmem) to insert hypercalls at various locations in the
acquisition process. The hypercalls inform the test platform of various
important system events and operations and inspect the state of the
subject system at the moment of the hypercall. The state as recorded by
the hypercalls is then used as a metric to evaluate the reliability
(i.e. "correctness") of the tool which is under test.
In our model, the reliability of a (software-based) acquisition method
is determined by its level of correctness, atomicity, and integrity,
i.e., the correctness of a tool - while being highly important - is just
one factor out of several.
The approach has a number of significant limitations
which the authors
acknowledge, the most significant of which is that they require the
source code which must be modified in order to perform the test. Most
commercial tool vendors do not provide the source code to their memory
acquisition tools.
When we started the development of our platform, we initially attempted
measuring the different influencing factors for closed source products
as well. With respect to this, we started implementing various
approaches that unfortunately did not prove successful in the end, some
of those are described in the paper. The main problem we faced was that
- in order to accurately determine the point of time when, for instance,
a page is about to be duplicated - a deeper understanding of the
respective program functionality is required. Without knowledge of the
source code, we would have had to reverse engineer and patch significant
parts of the application, a process we wanted to avoid.
Even one of the open source tools tested by Vömel
and Stüttgen, win32dd, is an old version of the current closed-source
Moonsols tool which contains many bug fixes which are not in the open
source precursor. As far as I am aware the MDD tool is no longer
supported or under active development. Michael Cohen's winpmem is the
only currently supported tool that the authors were able to test.
This is correct. While two of the tested programs are indeed outdated
(win32dd is now part of the Moonsols suite, and the respective bug is
well documented and has long been addressed by Matthieu), the main focus
of our paper was set on describing the architecture and functionality of
the platform, rather than evaluating single products.
Another significant limitation is that the test platform is tied to a
highly customized version of the Bochs x86 PC emulator. The test
platform is restricted to 32-bit versions of Windows with not more than
2 GiB of memory. The acquisition of physical memory from systems
equipped with more than 4 GiB of memory and from 64-bit versions of
Microsoft Windows are areas where memory acquisition tool vendors have
stumbled in the past. Possibly all contemporary memory acquisition
tools handle 64-bit systems and systems with more than 4 GiB of memory
correctly; however, we would like to be able to test this and not rely
solely on faith.
Yes, from our point of view, this is maybe the most significant
limitation. Unfortunately, we only discovered the 2 GB limit shortly
before development of the 32-bit platform had been finished, which is
also why we didn't include support for 64-bit systems later. In
retrospect, choosing Bochs as the underlying platform was not a good
decision (as we discuss in more detail in the paper), and future
developments should be based on different software products.
One limitation which the authors do not discuss is the impact of
restricting the test platform to a particular VM (i.e. Bochs). In our
experience VMs provide a much more highly predictable and stable
environment than real hardware and may not be a good indication of how a
memory acquisition tool will perform on real hardware. In addition, as
was mentioned previously on this list, different VM manufacturers have
chosen to emulate very different PC designs. How a tool performs on
VMWare may not be a good indicator of how the same tool will perform on
Microsoft Hyper-V or VirtualBox or KVM.
This is correct but we do not see suitable software alternatives for
this problem, as memory accesses need to be emulated in order to trace them.
Also, the authors do not acknowledge the possibility
that memory
acquisition tools may perform differently on different versions of the
Microsoft operating system. Each new version of the Microsoft operating
system has brought changes to the Windows memory manager, in some cases
significant changes.
This is correct, however our platform does not depend on a specific
Windows operating system. In our tests, we have only covered Windows XP
SP 3 systems for performance reasons, a different operating system
version could be installed as a guest system as well though.
Finally, the authors do not articulate the theoretical framework for
forensic volatile memory acquisition which serves as the basis for their
notion of "correctness." Historically, computer forensic experts have
evaluated the acquisition of volatile memory as an "imaging" process.
Most computer forensic experts were familiar with the imaging of "dead"
hard drives. It was natural to assume memory acquisition was doing much
the same thing. The problem is that a running computer system is by
nature a stochastic process (more precisely, it is a "continuous time
stochastic process") which cannot be "imaged." It can only be sampled.
The theoretical framework of our work has been described in a previous
journal article ("Correctness, atomicity, and integrity: Defining
criteria for forensically-sound memory acquisition",
http://www.sciencedirect.com/science/article/pii/S1742287612000254) and
is also referenced in our paper.
The theoretical approach which we have advocated (see,
e.g. Garner, Maut
Design Document (unpublished manuscript, 2011), is to view volatile
memory acquisition as a process of sampling the state of a
continuous-time stochastic process. We further propose to use the
structural elements created by the operating system and the hardware as
a metric to evaluate the reliability of the sampling process. We
believe that these structural elements may be used for this purpose
because they possess the Markhov property. Their future state is
predictable, depending entirely on their present state and is
conditionally independent of the past. A sample is said to be reliable
when it is "representative" of the entire population. In other words, a
sample is reliable with respect to a specific issue of material fact if
an inference drawn upon the basis of the sample will arrive at the same
conclusion as if the inference were drawn upon the basis of the entire
population.
In our opinion, the area of memory acquisition tool testing has only
received little attention so far and should be better covered in the
literature. The idea you are describing sounds very interesting. Would
you be willing to share your manuscript with the community?
In conclusion, this paper makes an important
contribution to a topic
that is important for the future of computer forensics. However, the
authors need to better articulate their assumptions. Development of a
professional memory forensic tool testing platform will require the
development of a test enviroment which overcomes the current limitations.
This is correct. Part of the reason why we wrote this paper was also to
share experiences and ideas for testing approaches. We would appreciate
further discussions and suggestions for improvement very much.
Best regards,
Stefan and Johannes
4104
days inactive
4112
days old
vol-users@lists.volatilityfoundation.org
9 comments
5 participants
participants (5)
-
George M. Garner Jr. -
Johannes Stuettgen -
Matthieu Suiche -
Michael Cohen -
Stefan Vömel