A Proposal for an Integrated Memory Acquisition Mechanism
E. Libster and J. Kornblum
Operating Systems Review

Paper (pdf)     Bibtex

Volatile memory forensics has become increasingly prominent in forensic analysis and incident response. Unfortunately there is currently no forensically sound method of acquiring an image of a system's memory without attaching specialized hardware. This paper proposes the addition of a memory acquisition mechanism to the operating system, thereby removing the need to load an external program. The method minimizes the acquisition's impact on the system's state, as well as making it more difficult for malicious programs to avoid detection or interfere with the memory dump. The risks of allowing a full memory capture and some considerations on how this method would interact with rootkits are also discussed. of data recovered from a memory image, and would thus enable the first responder or forensic investigator to be more effective.

Home     Publications     Presentations     Utilities     Tools     Blog