Høgskolen i Gjøvik


Iqbal, Hameed

Forensic Analysis of Physical Memory and Page File

Abstract

With the passage of time, the field of computer forensics is maturing and the traditional methodology of disk forensics has now become a standard. In the same manner, volatile data forensics is also getting serious attention from forensic investigators and researchers. Physical memory is an integral part of volatile data forensics. It can provide a forensic examiner with a wealth of information such as passwords, encryption keys, typed commands, web addresses, shared and executable files, currently running and terminated processes, open ports and active connections. This thesis explores the forensic analysis of physical memory and the page file in search of sensitive data using freely available tools. Experiments are carried out in a virtual environment on the Windows XP and Vista operating systems. The immediate purpose of this thesis is to study the impact of increased memory size on the retention of sensitive data in today's computers. We will also explore the capabilities and limitations of the currently available memory and page file analysis tools.

Topic covered by the project

Technology in the computer industry is developing rapidly. Data processing ability has increased, the capacity to store data in digital format has expanded dramatically, access to information has been made easy, and most of all these facilities are becoming cheaper for ordinary people. This trend has also raised a concern among security professionals: sensitive and private data such as passwords and credit card numbers must be kept secure for as long as it is being processed in physical memory, and discarded securely when no longer needed, to keep it away from adversaries and criminals. In this research work we will perform forensics of physical memory and the page file in search of sensitive data. Data retention in physical memory is influenced by the operating system (system software), the applications processing the data and the underlying hardware of the computer. Experiments will be conducted in a virtual environment using VMware, incorporating both physical memory and the page file. Different scenarios will be established in a Windows operating system environment that closely resemble real-world situations. The whole analysis will be conducted using tools freely available on the internet.

Problem Description

When a digital crime occurs, the main focus of the forensic examiners is to acquire and analyze non-volatile data from the suspect machines. But this approach alone is no longer adequate, for the following reasons.

1. In today's end user computers the hard disk storage capacity has increased dramatically; 500 GB is a normal capacity. The same is the case with physical memory: 2 to 4 GB is a normal standard in current end user computers. When this amount of data in physical memory is combined with the data swapped to the page file on the hard disk, the prospects of finding the required evidence are even higher. It is therefore not wise to ignore physical memory of such capacity in digital crime investigations.
2. All transient data and volatile information such as network connections, chat logs, command histories, process information and open files that reside in physical memory will be lost if the "pull the plug" approach is followed.
3. Sometimes evidence can be resident only in memory. For example, many malware programs run directly from physical memory without being installed on the hard disk, thus leaving no trace there.
4. In traditional disk forensics, if the acquired evidence is encrypted then physical memory is the next immediate place where we can find the keys for the encrypted data.

The importance of physical memory forensics is obvious from these points, but the field is still in its infancy and requires more serious attention. The currently available tools and methods for the analysis of memory evidence are limited and need far more attention given the importance of sensitive data in memory. The free tools available on the internet from different authors are limited in functionality and scope, especially when physical memory is combined with the page file in the search for evidence. The currently available tools should be tested on practical examples. This will show not only their efficiency and ability but also their trustworthiness in a court of law.

Research Questions

Physical memory forensics is an evolving field of research. Since the operating systems from Microsoft are closed source, it requires even more attention from researchers and forensics practitioners. This master thesis will try to answer the following questions.

1. What is the current state of physical memory forensics?
2. What are the currently available physical memory forensics tools?
3. Do the currently available tools have the ability and scope to analyze the physical memory and page file of currently available end user computers?
4. Can we extract sensitive data from the physical memory and page file of machines running Windows XP and Vista?

Planned Contributions

This thesis work will contribute to the knowledge and understanding of physical memory and page file forensics, both theoretically and practically through experiments. A state of the art in the field of physical memory and swap space analysis on Windows systems will be provided. This will help both forensic professionals and researchers gain more understanding of this emerging area. A summary of the currently available tools for the analysis of physical memory and the page file will be provided, with their features. To assess the strength of the available tools, experiments will be conducted on selected tools in different scenarios in virtual environments. This will not only give an idea to researchers working on Windows systems, but forensic practitioners will also benefit from it. Finally and importantly, from this research work we will get an idea of how long physical memory and the page file can retain sensitive data, and of the influence of the operating system and applications on data retention in different states of the computer.
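The retention experiments described in the abstract and above amount to planting known sensitive strings, dumping physical memory and the page file, and searching both. The following Python script is an added illustration of that search step, not code from the thesis or from any of the tools it surveys; the two dumps are constructed inline, and the search covers UTF-16LE as well as ASCII because that is how Windows stores many in-process strings.

```python
# Added example (not from the thesis); the dumps below are constructed inline.
import re

def find_token(image: bytes, token: str) -> list:
    """Locate token as ASCII and as UTF-16LE (how Windows keeps many in-process
    strings); returns (encoding, offset) pairs."""
    hits = []
    for enc, needle in (("ascii", token.encode("ascii")),
                        ("utf-16le", token.encode("utf-16-le"))):
        pos = image.find(needle)
        while pos != -1:
            hits.append((enc, pos))
            pos = image.find(needle, pos + 1)
    return hits

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to weed out random 16-digit runs in a dump."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(rb"(?<!\d)(\d{16})(?!\d)")

def carve_card_numbers(image: bytes) -> set:
    """Carve Luhn-valid 16-digit numbers stored as ASCII or UTF-16LE; UTF-16LE
    ASCII text is 'char NUL char NUL', so every second byte recovers it."""
    views = (image, image[0::2], image[1::2])
    return {m.group(1).decode() for v in views for m in CARD_RE.finditer(v)
            if luhn_ok(m.group(1).decode())}

def retention_report(sources: dict, token: str) -> dict:
    """For each named dump, where (if anywhere) the planted token survives."""
    return {name: find_token(img, token) for name, img in sources.items()}

# Constructed dumps: RAM holds the password as UTF-16LE plus an ASCII card
# number; the page file holds a swapped-out ASCII copy of the password and a
# 16-digit run that fails the Luhn check (noise, not a card number).
RAM_IMAGE = (b"\x00" * 64 + b"user=alice;pwd=" + "S3cretPass!".encode("utf-16-le")
             + b"\x00" * 32 + b"card=4111111111111111;" + b"\x00" * 16)
PAGEFILE = (b"\xff" * 40 + b"S3cretPass!" + b"\x00" * 8
            + "4111111111111112".encode("utf-16-le") + b"\x00" * 8)

if __name__ == "__main__":
    print(retention_report({"ram": RAM_IMAGE, "pagefile": PAGEFILE}, "S3cretPass!"))
    print(carve_card_numbers(RAM_IMAGE + PAGEFILE))
```

The report shows the same password surviving in two different encodings in two different sources, which is why a page file search with only one encoding under-counts retention.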

05.10.2009