A Framework for Live Forensics
Current techniques used by forensic investigators during incident response and search-and-seizure operations generally involve pulling the power on suspect machines and performing traditional dead-box post-mortem analysis on the persistent storage medium. These cyber-forensic techniques may cause significant disruption to the evidence-gathering process by breaking active network connections and unmounting encrypted disks. In contrast, live forensic tools can collect evidence from a running system while preserving system state. In addition to collecting the standard set of evidence, these tools can collect evidence from live web browser sessions, VPN connections, IM and e-mail. Although newer live forensic analysis tools can preserve active state, they may taint evidence by leaving footprints in memory. Current uses of live forensics in corporate incident response efforts are limited because the tools used to analyze the system inherently taint the state of disks and memory. As a result, the courts have been reluctant to accept evidence collected from volatile memory, and law enforcement has been reluctant to use these techniques broadly. To help address these concerns we present Forenscope, a framework that allows an investigator to examine the state of an active system without inducing the effects of taint or forensic blurriness caused by analyzing a running system. Forenscope allows an investigator to gain access to a machine through a forced reboot. The key insight that enables this technique is that the contents of memory on many machines are preserved across a warm reboot. Upon reboot, Forenscope patches the OS state in residual memory to kill screen savers, neutralize anti-forensics software and bypass other authentication mechanisms. We show how Forenscope can fit into accepted workflows to improve the evidence-gathering process.
Forenscope fully preserves the state of the running system and allows running processes, open files, encrypted filesystems and open network sockets to persist during the analysis process. Forenscope has been tested on live systems to show that it does not operationally disrupt critical processes and that it can perform an analysis in less than 15 seconds while using only 125 KB of conventional memory. We show that Forenscope can detect stealth rootkits, neutralize threats and expedite the investigation process by finding evidence in memory. The techniques developed in Forenscope belong to a broader class of volatile forensic techniques that are becoming increasingly important in the face of new privacy measures and changes in the way storage systems are built. We are starting to see the limitations of traditional forensic approaches emerge as users shift to using more networked services, privacy guard software and non-magnetic storage technologies such as NAND and phase change memory that do not exhibit the same data residue properties as traditional disks. These trends help motivate the development of more sophisticated forensic techniques.
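The abstract states that Forenscope expedites an investigation by finding evidence (browser sessions, e-mail, VPN connections) in residual memory, but the page does not show how such evidence is located. The following is an added example, not Forenscope code and not part of the paper: a small artifact carver that scans a raw memory image for printable strings in both ASCII and UTF-16LE (the encoding most browser and Windows data structures use, which a plain ASCII `strings` pass misses), then classifies them as URLs, e-mail addresses or IPv4 addresses and reports their byte offsets. The image it runs over is a constructed byte string, not a real capture; the offset arithmetic is the part worth checking, because a UTF-16LE hit found at character index `i` sits `2*i` bytes into its run, not `i`.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Hypothetical memory-artifact carver, added to illustrate "finding evidence in
# memory". It is not Forenscope code; it reads a saved raw image, not live RAM.


@dataclass(frozen=True)
class Artifact:
    offset: int    # byte offset of the artifact inside the image
    encoding: str  # "ascii" or "utf-16le"
    kind: str      # "url", "email" or "ipv4"
    value: str


MIN_LEN = 6  # minimum characters for a run to count as a string

# Each carver is (encoding name, bytes per character, regex over the raw bytes).
# The UTF-16LE carver looks for printable ASCII code units each followed by 0x00.
_RUN_CARVERS = (
    ("ascii", 1, re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)),
    ("utf-16le", 2, re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)),
)

# Classifiers run over the decoded text of each run.
_CLASSIFIERS = {
    "url": re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
}


def carve_strings(image: bytes) -> Iterator[Tuple[int, str, int, str]]:
    """Yield (offset, encoding, bytes_per_char, text) for every printable run."""
    for encoding, width, pat in _RUN_CARVERS:
        for m in pat.finditer(image):
            yield m.start(), encoding, width, m.group().decode(encoding)


def classify_artifacts(image: bytes) -> List[Artifact]:
    """Carve strings from image and return the classified artifacts sorted by offset."""
    found: List[Artifact] = []
    for off, encoding, width, text in carve_strings(image):
        for kind, pat in _CLASSIFIERS.items():
            for m in pat.finditer(text):
                # Character index -> byte offset depends on the encoding width.
                found.append(Artifact(off + width * m.start(), encoding, kind, m.group()))
    found.sort(key=lambda a: a.offset)
    return found


# Constructed sample image (not a real capture): non-printable filler around a
# browser request line, an e-mail header fragment, a VPN peer string and a
# UTF-16LE URL. All addresses are documentation/test values.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\xff\x10" * 4
    + b"GET https://mail.example.test/inbox?id=42 HTTP/1.1\r\n"
    + b"\x00" * 7
    + b"From: analyst@example.test\x00"
    + b"\x7f\x80\x90"
    + b"peer=203.0.113.7:443"
    + b"\x00" * 3
    + "https://vpn.example.test/".encode("utf-16le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for a in classify_artifacts(SAMPLE_IMAGE):
        print(f"0x{a.offset:08x} {a.encoding:9s} {a.kind:5s} {a.value}")
```

Run against a real image, the same code would be pointed at a file read in chunks rather than a byte string, and the offsets it reports are what an investigator records alongside the hash of the image so that a finding can be re-derived later without re-running the tool on the live system.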
This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.
- The following copyright notice applies to all of the above items that appear in IEEE publications: "Personal use of this material is permitted. However, permission to reprint/publish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from IEEE."
- The following copyright notice applies to all of the above items that appear in ACM publications: "© ACM, effective the year of publication shown in the bibliographic information. This file is the author’s version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in the journal or proceedings indicated in the bibliographic data for each item."
- The following copyright notice applies to all of the above items that appear in IFAC publications: "Document is being reproduced under permission of the Copyright Holder. Use or reproduction of the Document is for informational or personal use only."