I came across this interesting 2007 paper on Live Memory Acquisition for Windows Operating Systems by Naja Davis that shows some of the tools and techniques used by forensics analysts1 to get at the physical memory and analyze memory contents to get list of processes, threads, files, passwords and other data in memory.
Memory acquisition is a necessary evil. It is a necessity for security2 and law enforcement. It is evil because it threatens to undermine one of the most basic and fundamental rights to privacy in a personal computing setup. Attacks based on physical memory modifications or offline memory analysis are not as much heard of as they should.
Acquiring memory on a live device is a technological challenge in and of itself. It is not easy to capture memory of a live device without interfering with everything else that is going on in a live system. It is a classic Observer’s Paradox. Hardware solutions3 are more cumbersome to setup and software solutions4 5 leave footprint.
While there are tools to do decent acquisition, the technology that would (hopefully) come forth to secure physical memory better would be something interesting to watch. Perhaps we need to rethink, fundamentally, how hardware and software use memory on devices.
The rethinking would have to center around the twin memory attack vectors of acquisition and modification. Memory reads should perhaps not be as trusted and should be validated. Memory writes would perhaps need to be encrypted so that even if memory contents are stolen, no damage is done. Memory paging may need to make it difficult to map page file contents to memory locations.
These are fundamental changes and if it were to become reality – factors driving such technology would perhaps have to be stronger than consumer privacy or even system security.
1Mariusz Burdach‘s 2006 BlackHat presentation on Physical Forensics also presents basic information about tools and challenges in memory acquisition in Windows and Linux along with anti-forensics methodologies. On one of the pages in that presentation Burdach presents data showing that 86% of memory does not change over time. Pretty scary if you think about privacy and security.
2For example to track down in-memory rootkits and other kinds of malware that do not leave any disk trace. Network-based intrusions or remote exploits may be only visible in memory.
3Tribble PCI Card – A hardware-based memory acquisition procedure for digital investigations by Brian D. Carrier and Joe Grand.
4Second Look from Pikewerks for volatile memory acquisition and analysis of linux-based systems.
5KnTTools from GMG Systems, Inc.
I disagree with your characterization of memory acquisition as a necessary evil. It is the reason for which the action is being performed that determines whether it is for good or for evil. While one person may acquire a computer system’s memory to steal secrets or make malicious modifications, another person might do so to verify that the system has not been compromised or to preserve evidence of a crime.
I also would point out that not all methods of software memory acquisition leave a footprint. For example, the Second Look memory forensics tool that you cite (of which I am a developer) supports a number of different acquisition methods. If you run our memory-dumping program on the target system, yes it has a footprint. But if the target is a VM and you acquire memory from the host environment, no footprint. If the target system has firewire and you acquire memory that way, no footprint. If you hibernate the system and analyze the memory saved to disk, that also could be considered to have no footprint. Furthermore, simply because an acquisition technique has a footprint in memory does not mean it is invalid. So long as the footprint is recognized and understood, the acquired memory may still be useful for many purposes.
Those disagreements aside, thank you for writing about this important topic.