As if Time Had Stopped – Checking Memory Dumps for Quasi-Instantaneous Consistency

Details

Resource 1, download: ottmann-asiftime.pdf (422.17 KB)
Status: Public
Version: Final published version
License: Not specified
Serval ID
serval:BIB_B1BA5EBA6551
Type
Conference proceedings (part): original contribution to the scientific literature, published on the occasion of a scientific conference, in a proceedings volume or in a special issue of a recognized journal (conference proceedings).
Collection
Publications
Title
As if Time Had Stopped – Checking Memory Dumps for Quasi-Instantaneous Consistency
Conference title
Proceedings of the Digital Forensics Research Conference USA (DFRWS USA)
Authors
Ottmann Jenny, Cengi Üsame, Breitinger Frank, Freiling Felix
Editorial status
Published
Publication date
14/07/2023
Peer-reviewed
Yes
Language
English
Abstract
Memory dumps that are acquired while the system is running often contain inconsistencies, such as page smearing, which hamper the analysis. One possibility to avoid inconsistencies is to pause the system during the acquisition and take an instantaneous memory dump. While this is possible for virtual machines, most systems cannot be frozen, and thus the ideal dump can only be quasi-instantaneous, i.e., consistent despite the system running. In this article, we introduce a method that allows us to measure quasi-instantaneous consistency and show, both theoretically and practically, that our method is valid, but that in reality dumps can be, yet usually are not, quasi-instantaneously consistent. For the assessment, we run a pivot program that enables the evaluation of quasi-instantaneous consistency for its heap and allows us to pinpoint where exactly inconsistencies occurred.
Keywords
Memory acquisition, Consistency, Quasi-instantaneous consistency, Instantaneous snapshot, Experiment, Live system memory capture
Record created
14/01/2024 15:13
Record last modified
15/01/2024 8:26