Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.
Date of Award
Master of Science (MS)
Department of Computer Science
Traditional digital forensics’ procedures to recover and analyze digital data were focused on media-type storage devices like hard drives, hoping to acquire evidence or traces of malicious behavior in stored files. Usually, investigators would image the data and explore it in a somewhat “safe” environment; this is meant to reduce as much as possible the amount of loss and corruption that might occur when analysis tools are used. Unfortunately, techniques developed by intruders to attack machines without leaving files on the disks and the ever dramatically increasing size of hard drives make the discovery of evidence difficult. These increased interest in research on live forensics (attempting to obtain evidence while the system is running) and on volatile memory forensic analysis. Because of the important role they play in computing systems, volatile memory is a source of information about running processes, network connections, opened files and/or loaded kernel modules that might be valuable to forensic investigations. In this thesis we show that when provided with an image of the physical memory of a Linux system, it is possible to extract data about a specific running process, enough to be able to resume its execution on a prepared environment. We also describe two proof-of-concept tools gettsk and memexec developed for this purpose. This would allow investigators to not only obtain information about a suspicious running task from a RAM dump, but also to perform further inquiry through techniques such as malware analysis.
Mougoue, Ernest D., "Forensic analysis of linux physical memory: Extraction and resumption of running processes." (2012). Masters Theses. 275.