I came across this interesting 2007 paper on Live Memory Acquisition for Windows Operating Systems by Naja Davis that shows some of the tools and techniques used by forensic analysts[1] to get at physical memory and analyze its contents to recover the list of processes, threads, open files, passwords and other data resident in memory.
Memory acquisition is a necessary evil. It is a necessity for security[2] and law enforcement. It is evil because it threatens to undermine one of the most basic rights in personal computing: privacy. Attacks based on modifying physical memory, or on analyzing it offline, are not heard of as much as they should be.
Acquiring memory on a live device is a technological challenge in its own right. It is hard to capture the memory of a running system without interfering with everything else going on in it, a classic observer's paradox. Hardware solutions[3] are more cumbersome to set up, and software solutions[4][5] leave a footprint: the acquisition tool itself occupies, and therefore alters, the memory it is capturing.
While there are tools that do decent acquisition, the technology that will (hopefully) emerge to secure physical memory better will be interesting to watch. Perhaps we need to rethink, fundamentally, how hardware and software use memory on devices.
The rethinking would have to center on the twin memory attack vectors of acquisition and modification. Memory reads should perhaps not be trusted blindly and should be validated. Memory writes would perhaps need to be encrypted, so that even if memory contents are stolen, no damage is done. Memory paging may need to make it difficult to map page-file contents back to memory locations.
These are fundamental changes, and if they were to become reality, the factors driving such technology would perhaps have to be stronger than consumer privacy or even system security.
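An added example, not from the post or from Davis's paper, that shows both halves of the argument above in code: carving a raw memory image for credential-looking strings the way a forensic tool (or an attacker holding a stolen dump) would, and what holding the same page encrypted does to that carve. The four-page image, the planted credential, the process name and the SHA-256 based keystream are all constructed for the example; the keystream illustrates the idea of encrypting memory contents and is not a cipher to deploy. Python 3, standard library only.

```python
"""Added example (not code from the post or the paper it cites).

A tiny synthetic "physical memory image" of four 4 KiB pages is built with a
plaintext credential planted in one page, the way an application might leave
it on the heap. The image is then carved like a forensic tool or an attacker
with a dump would carve it. The same page is then kept encrypted under a toy
keystream to show that the carve comes back empty.
"""
import hashlib
import re

PAGE_SIZE = 4096

# Printable ASCII runs of at least 6 bytes, roughly what `strings -n 6` reports.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{6,}")
# Rough pattern for credential-looking text (assumption; real tools use many).
# The value is limited to printable non-space bytes so it stops at NUL padding.
CRED_RE = re.compile(rb"(?i)(password|passwd|pwd)\s*[=:]\s*([\x21-\x7e]+)")

# Constructed heap page: a session string followed by NUL padding.
SECRET_PAGE = b"\x00" * 128 + b"user=alice;password=Tr0ub4dor&3\x00"


def build_image(secret_page: bytes) -> bytes:
    """Constructed 4-page image: zero page, a fake process name, the secret page, filler."""
    assert len(secret_page) <= PAGE_SIZE
    page0 = bytes(PAGE_SIZE)
    page1 = b"\x00" * 64 + b"explorer.exe\x00" + b"\x00" * (PAGE_SIZE - 64 - 13)
    page2 = secret_page.ljust(PAGE_SIZE, b"\x00")
    page3 = bytes([0xAA]) * PAGE_SIZE  # non-printable filler
    return page0 + page1 + page2 + page3


def carve_strings(image: bytes):
    """Return every printable run in the image, like the `strings` utility."""
    return [m.group(0) for m in STRINGS_RE.finditer(image)]


def carve_credentials(image: bytes):
    """Return (byte offset, page number, matched text) for credential-looking hits."""
    return [(m.start(), m.start() // PAGE_SIZE, m.group(0))
            for m in CRED_RE.finditer(image)]


def keystream(key: bytes, nbytes: int) -> bytes:
    """Toy counter-mode keystream from SHA-256. Illustration only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:nbytes])


def encrypt_page(page: bytes, key: bytes) -> bytes:
    """XOR a page with the keystream; the same call decrypts it again."""
    return bytes(a ^ b for a, b in zip(page, keystream(key, len(page))))


def demo():
    """Carve the plaintext image, then the image whose secret page is encrypted."""
    plain_image = build_image(SECRET_PAGE)
    plain_hits = carve_credentials(plain_image)

    # Hypothetical per-boot key; in a real design it must not sit in the same
    # memory that gets acquired, or the dump carries the key with the data.
    key = hashlib.sha256(b"per-boot key, constructed for the example").digest()
    enc_page = encrypt_page(SECRET_PAGE.ljust(PAGE_SIZE, b"\x00"), key)
    enc_hits = carve_credentials(build_image(enc_page))
    return plain_hits, enc_hits


if __name__ == "__main__":
    plain, enc = demo()
    print("plaintext image:", plain)   # one hit, page 2
    print("encrypted page :", enc)     # no hits
```

The carve on the plaintext image returns the credential, its byte offset and the page it sits in, which is all a tool like the ones the paper surveys needs to start attributing it to a process. Against the encrypted page the same carve finds nothing, though `carve_strings` still returns short runs of ciphertext that happen to be printable, which is what noise looks like in a dump. The catch the paragraph above glosses over is the key: it has to live somewhere the acquisition cannot reach, otherwise it is in the same dump as the data, which is why the rethinking has to involve hardware rather than software alone.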
[1] Mariusz Burdach's 2006 Black Hat presentation on Physical Memory Forensics also presents basic information about tools and challenges in memory acquisition on Windows and Linux, along with anti-forensics methodologies. On one of the slides Burdach presents data showing that 86% of memory does not change over time. Pretty scary if you think about privacy and security.
[2] For example, to track down in-memory rootkits and other kinds of malware that leave no trace on disk. Network-based intrusions or remote exploits may be visible only in memory.
[3] Tribble PCI card: A Hardware-Based Memory Acquisition Procedure for Digital Investigations, by Brian D. Carrier and Joe Grand.
[4] Second Look from Pikewerks, for volatile memory acquisition and analysis of Linux-based systems.
[5] KnTTools from GMG Systems, Inc.