Igor.Korkin deleted file 2.2.6. Other Software Approaches.tex  over 9 years ago

Commit id: e9650458780235634196d60b3f85df0b21792206

\subsubsection{Other Software Approaches}

Among other tools for memory dump acquisition, another approach relies on emulation tools such as VMware, VBox and others [10, 22]. This approach is based on suspending the virtual machine [9]. As a result, the virtual machine paging file contains the required data (the *.vmem file in the VMware case). Malware is able to detect such emulation tools and hamper their work [59, 60].

Memory areas can also be acquired with the help of common operating system tools. Papers [10, 22, 23, 61] describe how to use pagefile.sys, the crash dump file and hiberfil.sys for memory dump acquisition.

The page file is used for temporary storage of memory pages. According to papers [62, 63], pagefile.sys does not contain a full memory dump. To restore its content, this file has to be merged with a RAM dump, which poses additional difficulties.

The crash dump file (memory.dmp) is created after a Windows system has crashed. This file contains information concerning the details of the event which caused the system crash. Microsoft developed a way to generate this file artificially: CrashOnCtrlScroll [64]. The disadvantage is that the crash dump is created only after the system has crashed, which is inconvenient for commodity systems. The crash dump file also has some other disadvantages [63].

The Windows OS family starting with Vista adds support for hibernation mode. Entering it creates a hibernation system file (hiberfil.sys) which contains data about the current state of the system. On the one hand, this file includes memory pages, but on the other hand, it can hardly be used in deep forensic analysis. S. Vömel and F. Freiling [22], with reference to Russinovich, point out that hiberfil.sys cannot be used to restore full RAM because of the limited quantity and quality of the saved pages; this drawback is also mentioned in [63].

There are a number of research projects based on the idea of `cold booting', a method by S. Johannes and C. Michael [30]. Freezing memory chips, removing them from the computer and placing them into another PC to analyze memory content was suggested by Halderman et al. [65]. Despite the fact that this idea has been extensively tested by several authors, it is still far from commodity production. This fact can undoubtedly be considered a drawback [22, 63].

Another proof-of-concept project is BodySnatcher by Schatz, which proposed injecting an alternative OS on top of the existing OS [66]. The main disadvantage of BodySnatcher is its poor usability; other disadvantages are described in papers [63] and [22].

The latest approach to acquiring a physical memory dump was offered by J. Stuttgen and M. Cohen in `Anti-Forensic Resilient Memory Acquisition' [30]. By rewriting the page frame number in page table entries, they gain access to the required physical page. Their approach is resilient to modern anti-forensic techniques like hooking, but it is rather slow and vulnerable to rootkits which directly manipulate kernel page tables.
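To make the page-table step concrete, the following Python model (an added example, not code from this paper or from Stuttgen and Cohen's tool) rewrites the page-frame-number field of an x86-64 4 KB page table entry while preserving its flag bits, then reads the frame through the remapped entry; the PTE values and the dictionary standing in for physical memory are constructed for illustration.

```python
# Added example (not from the paper): models the PTE-rewriting step of the
# Stuttgen/Cohen acquisition approach on x86-64 with 4 KB pages.  A "rogue"
# virtual page owned by the acquisition driver keeps its flag bits, but its
# page-frame number (PFN) is pointed at the physical page to be read.
# The PTE values and the PFN -> bytes dictionary below are constructed.

PAGE_SHIFT = 12
PFN_BITS = 40                                   # bits 12..51 hold the PFN
PFN_MASK = ((1 << PFN_BITS) - 1) << PAGE_SHIFT
FLAG_MASK = ((1 << 64) - 1) & ~PFN_MASK         # P, RW, US, A, D, ..., NX (bit 63)
PTE_PRESENT = 1 << 0


def pte_pfn(pte: int) -> int:
    """Extract the physical page-frame number from a 64-bit PTE."""
    return (pte & PFN_MASK) >> PAGE_SHIFT


def remap_pte(pte: int, target_pfn: int) -> int:
    """Return a PTE that maps the same virtual page to target_pfn, leaving
    every flag bit (present, writable, NX, ...) exactly as it was."""
    if not pte & PTE_PRESENT:
        raise ValueError("rogue page must be present before remapping")
    if target_pfn >= (1 << PFN_BITS):
        raise ValueError("PFN does not fit the 40-bit field")
    return (pte & FLAG_MASK) | (target_pfn << PAGE_SHIFT)


def acquire_page(phys_mem: dict, pte: int, target_pfn: int) -> tuple:
    """Simulate one acquisition step: rewrite the rogue PTE, then read the
    frame it now points at.  On real hardware the TLB entry for the rogue
    virtual address must be invalidated (invlpg) after the rewrite, which
    this in-memory model does not need.  Returns (new_pte, page_bytes)."""
    new_pte = remap_pte(pte, target_pfn)
    return new_pte, phys_mem[pte_pfn(new_pte)]


# Constructed sample: rogue page at PFN 0x1234, flags P|RW|A|D (0x63) and NX.
ROGUE_PTE = (1 << 63) | (0x1234 << PAGE_SHIFT) | 0x63
PHYS_MEM = {0x1234: b"rogue page", 0xABCDE: b"target frame contents"}

if __name__ == "__main__":
    new_pte, data = acquire_page(PHYS_MEM, ROGUE_PTE, 0xABCDE)
    print(hex(ROGUE_PTE), "->", hex(new_pte), data)
```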