As if Time Had Stopped – Checking Memory Dumps for Quasi-Instantaneous Consistency

Details

Resource 1 Download: ottmann-asiftime.pdf (422.17 KB)
State: Public
Version: Final published version
License: Not specified
Serval ID
serval:BIB_B1BA5EBA6551
Type
Inproceedings: an article in a conference proceedings.
Collection
Publications
Institution
Title
As if Time Had Stopped – Checking Memory Dumps for Quasi-Instantaneous Consistency
Title of the conference
Proceedings of the Digital Forensics Research Conference USA (DFRWS USA)
Author(s)
Ottmann Jenny, Cengi Üsame, Breitinger Frank, Freiling Felix
Publication state
Published
Issued date
14/07/2023
Peer-reviewed
Yes
Language
English
Abstract
Memory dumps that are acquired while the system is running often contain inconsistencies, such as page smearing, which hamper the analysis. One way to avoid inconsistencies is to pause the system during the acquisition and take an instantaneous memory dump. While this is possible for virtual machines, most systems cannot be frozen, and thus the ideal dump can only be quasi-instantaneous, i.e., consistent despite the system running. In this article, we introduce a method that allows us to measure quasi-instantaneous consistency and show, both theoretically and practically, that our method is valid but that, in reality, dumps can be, but usually are not, quasi-instantaneously consistent. For the assessment, we run a pivot program that enables the evaluation of quasi-instantaneous consistency for its heap and allows us to pinpoint exactly where inconsistencies occurred.
Keywords
Memory acquisition, Consistency, Quasi-instantaneous consistency, Instantaneous snapshot, Experiment, Live system memory capture
Create date
14/01/2024 14:13
Last modification date
15/01/2024 7:26