Title :
Firmware-assisted Memory Acquisition and Analysis tools for Digital Forensics
Author :
Wang, Jiang ; Zhang, Fengwei ; Sun, Kun ; Stavrou, Angelos
Author_Institution :
Center for Secure Inf. Syst., George Mason Univ., Fairfax, VA, USA
Abstract :
Being able to inspect and analyze the operational state of commodity machines is crucial for modern digital forensics. Indeed, volatile system state including memory data and CPU registers contain information that cannot be directly inferred or reconstructed by acquiring the contents of the nonvolatile storage. Unfortunately, it still remains an open problem how to reliably and consistently retrieve the volatile machine state without disrupting its operation. In this paper, we propose to leverage commercial PCI network cards and the current x86 implementation of System Management Mode to reliably replicate the physical memory and critical CPU registers from commodity hardware. Furthermore, we demonstrate how remote state replication can be used for semantic reconstruction, where the analysis of memory structures enables us to interactively perform forensic analysis of the machine's memory content.
Keywords :
computer forensics; firmware; instruction sets; peripheral interfaces; CPU registers; PCI network cards; analysis tools; commodity machine operational state; digital forensics; firmware-assisted memory acquisition; machine memory content; memory data; memory structure analysis; remote state replication; semantic reconstruction; system management mode; volatile system state; x86 implementation; Digital forensics; Hardware; Registers; Reliability; Security; Servers; Live Forensics; Memory Acquisition; PCI; SMM-mode
Conference_Titel :
Systematic Approaches to Digital Forensic Engineering (SADFE), 2011 IEEE Sixth International Workshop on
Conference_Location :
Oakland, CA
Print_ISBN :
978-1-4673-1242-4
DOI :
10.1109/SADFE.2011.7