Annual Computer Security Applications Conference (ACSAC) 2012

When Hardware Meets Software: a Bulletproof Solution to Forensic Memory Acquisition

Alessandro Reina
Università degli Studi di Milano - Dipartimento di Informatica
Italy

Aristide Fattori
Università degli Studi di Milano - Dipartimento di Informatica
Italy

Fabio Pagani
Università degli Studi di Milano - Dipartimento di Informatica
Italy

Lorenzo Cavallaro
Royal Holloway, University of London
United Kingdom

Danilo Mauro Bruschi
Università degli Studi di Milano - Dipartimento di Informatica
Italy

Abstract:
The acquisition of the volatile memory of running systems has become a
prominent and essential procedure in digital forensic analysis and
incident response. In fact, unencrypted passwords, cryptographic
material, text fragments and last-generation malware may easily be
protected as encrypted blobs on persistent storage, while living
seamlessly in the volatile memory of a running system. Likewise, a
system's run-time information, such as open network connections, open
files and running processes, consists by definition of live entities
that can only be observed by examining the volatile memory of a running
system. In this context, tampering with volatile data while an
acquisition is in progress, or during its transfer to an external
trusted entity, is an ongoing issue, as it may irremediably invalidate
the collected evidence.

To overcome these issues, we present SMMDumper, a novel technique to
perform atomic acquisitions of the volatile memory of running
systems. SMMDumper is implemented as x86 firmware that leverages the
System Management Mode (SMM) of Intel CPUs to create a complete and
reliable snapshot of the state of the system which, with minimal
hardware support, is resilient to malware attacks. To the best of our
knowledge, SMMDumper is the first technique that atomically acquires
the whole volatile memory, even when the amount of RAM installed on the
system is greater than 4GB, provides integrity guarantees by digitally
signing the RAM content in SMM, and runs on commodity systems.

Experimental results show that the time SMMDumper requires to
acquire and transfer 6GB of physical memory of a running system is
reasonable enough to allow for real-world adoption in digital forensic
analyses and incident response.
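The integrity guarantee described above, seen from the receiving side, as an added example that is not part of the paper or its firmware: the acquiring side hashes each page of the atomic snapshot and tags the ordered hash list together with the total size, and the trusted external entity re-checks the received dump against that manifest, reporting every altered, missing or reordered page. The page size, the key and the sample memory are constructed assumptions, and HMAC-SHA256 stands in for the digital signature the abstract mentions so the code runs with the standard library alone (a real deployment would use an asymmetric signature so that the verifier holds no secret).

```python
import hashlib
import hmac

# Constructed for this example: a 4 KiB page and a key assumed to be provisioned
# to the firmware out of band. HMAC-SHA256 stands in for the paper's digital
# signature so that the example runs with the standard library alone.
PAGE_SIZE = 4096
FIRMWARE_KEY = b"constructed-example-key-not-a-real-secret"

def split_pages(data: bytes) -> list:
    return [data[i:i + PAGE_SIZE] for i in range(0, len(data), PAGE_SIZE)]

def manifest_tag(key: bytes, size: int, page_hashes: list) -> bytes:
    # Bind the total size and the *ordered* list of page hashes under one tag,
    # so truncation, reordering and substitution are all detectable.
    mac = hmac.new(key, size.to_bytes(8, "little"), hashlib.sha256)
    for h in page_hashes:
        mac.update(h)
    return mac.digest()

def build_manifest(snapshot: bytes, key: bytes) -> dict:
    """Acquiring side: hash every page of the atomic snapshot and tag the list."""
    page_hashes = [hashlib.sha256(p).digest() for p in split_pages(snapshot)]
    return {"size": len(snapshot), "page_hashes": page_hashes,
            "tag": manifest_tag(key, len(snapshot), page_hashes)}

def verify_dump(received: bytes, manifest: dict, key: bytes) -> list:
    """Trusted external entity: authenticate the manifest first, then check the
    received bytes against it. Returns every problem found (empty == good)."""
    problems = []
    expected_tag = manifest_tag(key, manifest["size"], manifest["page_hashes"])
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        problems.append("manifest tag does not verify")
    if len(received) != manifest["size"]:
        problems.append(f"size mismatch: got {len(received)}, expected {manifest['size']}")
    for idx, (page, want) in enumerate(zip(split_pages(received), manifest["page_hashes"])):
        if hashlib.sha256(page).digest() != want:
            problems.append(f"page {idx} hash mismatch")
    return problems

# Constructed sample "RAM": three full pages of distinct fill bytes plus a short tail.
SAMPLE_MEMORY = b"".join(bytes([n]) * PAGE_SIZE for n in range(3)) + b"tail"
SAMPLE_MANIFEST = build_manifest(SAMPLE_MEMORY, FIRMWARE_KEY)

if __name__ == "__main__":
    tampered = bytearray(SAMPLE_MEMORY)
    tampered[5000] ^= 0x01  # flip one bit inside page 1 "in transit"
    print(verify_dump(SAMPLE_MEMORY, SAMPLE_MANIFEST, FIRMWARE_KEY))    # []
    print(verify_dump(bytes(tampered), SAMPLE_MANIFEST, FIRMWARE_KEY))  # ['page 1 hash mismatch']
```

Because the manifest is authenticated before the page comparison, a tag failure points at a forged or wrong-key manifest, while page mismatches point at the dump bytes themselves.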
