
Towards Sound Forensic Acquisition of Volatile Data

  • Conference paper
  • Conference: Future Security (Future Security 2012)
  • Part of the book series: Communications in Computer and Information Science (CCIS, volume 318)

Abstract

This work discusses shortcomings of current forensic acquisition tools aimed at securing volatile data. Recent developments in the area of anti-forensics have effectively disabled current forensic methods. New methods for sound forensic acquisition of volatile data are needed in order to keep up with this arms race. After an overview of current hardware-based and software-based acquisition methods, attacks on and evasion techniques against those methods are presented. Finally, novel techniques for coping with anti-forensics are discussed.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Eschweiler, S., Gerhards-Padilla, E. (2012). Towards Sound Forensic Acquisition of Volatile Data. In: Aschenbruck, N., Martini, P., Meier, M., Tölle, J. (eds) Future Security. Future Security 2012. Communications in Computer and Information Science, vol 318. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33161-9_43


  • DOI: https://doi.org/10.1007/978-3-642-33161-9_43

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33160-2

  • Online ISBN: 978-3-642-33161-9

  • eBook Packages: Computer Science (R0)