
Model And Methods Research On Computer Live Forensics Based On Physical Memory Analysis

Posted on: 2015-08-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L H Wang
Full Text: PDF
GTID: 1228330467461133
Subject: Computer application technology
Abstract/Summary:
The development of computer and information technology has greatly promoted social progress. Meanwhile, it has also brought the issue of computer-related crime. Computer forensics has now emerged as a distinct discipline in response to the increasing involvement of computers in criminal or civil activities. Traditionally, computer forensics technologies are divided into two categories: off-line mode and on-line mode. Off-line mode techniques deal mainly with the capture and analysis of data on permanent storage media while the computers or digital devices are powered off, and they have been the dominant trend over the last dozen years. However, with the exponential growth in the storage capacity of electronic data and the rapid development of new information technologies, including cloud computing and the mobile Internet, the classical data-oriented off-line mode of computer forensics, with disk imaging as its main characteristic, faces more and more challenges and is no longer adequate in many situations. To deal with these challenges, the on-line mode of computer forensics, more often called live forensics, has been proposed and has received significant attention in the area of computer forensics.

The core task of live forensics is to gather data or digital evidence from running systems, including the running processes, threads, loaded drivers, network connection status, open files and other system traces in computers. The volatile data, which reside in a computer’s physical memory, are key factors in information security analysis and intrusion forensics. This information is lost when the computer is shut down or after a system restart. In particular, physical memory is the only resource from which valuable digital evidence can be obtained in some cases, such as encrypted file systems found on the scene. As a relatively new research area, current approaches to live forensics still have many deficiencies that affect their effectiveness and authority.
The main deficiencies are as follows:
(1) New live forensics approaches need to be adopted to improve the credibility of digital evidence acquired by live forensics. The trustworthiness of digital evidence is the key issue of computer forensics research. Because the classic approaches of live forensics are not rigorous in the evidence collection phase, it is hard to prove the integrity and fidelity of the obtained evidence.
(2) New live forensics models need to be established and improved as the technology improves. The model of computer forensics determines the general idea of forensic methods, techniques and research work. Current forensic models are all based on traditional live forensics technologies, in which data analysis, data collection, data preservation, etc., are mixed together. As a result, it is difficult to clearly define the interfaces between specific forensic stages and their key elements. Since live forensics is executed on the suspect computer, the tools will certainly alter the original state of the collected evidence. It is necessary to evaluate this effect in thorough computer forensics.
(3) New technologies and new ideas need to be employed to solve technical problems that challenge current computer forensics. There are a few very difficult problems in current computer forensics practice, such as the collection of volatile data from a computer running a password-protected screen saver, deciphering web mail passwords, BIOS passwords or hard disk passwords, instant messaging program forensics, and so on. These challenges need to be overcome by new technologies and ideas.
Aiming at the problems mentioned above, this dissertation focuses on refining computer forensics theory. From the perspectives of obtaining and analyzing computer physical memory images, this dissertation studies in depth the methods and models of live forensics.
In order to give live forensics methods based on physical memory analysis more practical significance, we focus mainly on two issues. Firstly, how can the difference between the actual memory and the acquired memory image be calculated, and how can the effect of that difference on the credibility of the live evidence be evaluated? Secondly, we need credible methods for physical memory acquisition and analysis (including Windows and Mac OS physical memory analysis). Solving these two problems is a prerequisite for live forensics based on memory analysis. If the first cannot be resolved, the live evidence acquired by memory forensics will not be accepted. Similarly, if the second cannot be resolved, i.e., we cannot acquire and analyze physical memory, then live evidence cannot be extracted from memory images and the proposed live forensics method will be meaningless. The contributions of this dissertation are as follows:
(1) A new live forensics idea, which makes it possible to evaluate the credibility of live forensics, is proposed by acquiring and analyzing the physical memory image of a computer. Digital evidence obtained by traditional approaches to live forensics has poor credibility because those approaches need to run a variety of forensic software directly on the suspect computer. In this dissertation, because the evidence is obtained by analyzing the physical memory, the trustworthiness of live forensics depends only on the point at which the physical memory image is acquired. This makes it possible to evaluate the credibility of the digital evidence of live forensics. On this basis, the credibility of live forensics evidence is studied. The research results can effectively improve the credibility and probative force of live forensics evidence. The work will promote the development of computer forensics technology along standardized and scientific lines.
(2) A new live forensics model is proposed based on the analysis of physical memory. Compared with the traditional model, the new model is better suited to the requirements of physical evidence. It is difficult to draw a distinction among the different forensic phases in the traditional live forensics model. Since the analysis of physical memory is employed, the phases of the proposed model can be naturally distinguished. It is easy to verify the correctness of the analysis because investigation and analysis all depend on the physical memory image file in the proposed model. Therefore, the proposed model is better suited to the requirements of physical evidence than traditional ones.
(3) A new live forensic method is proposed based on the analysis of physical memory. The new method helps to minimize the impact of computer forensics tools on the target system. Because specific memory acquisition tools are developed to obtain the physical memory image in a shorter period, the method has a small effect on the target system. It is effective at minimizing the effects of forensic tools on the target system because the method only affects the memory access phase of the target system.
(4) A new Windows memory analysis method based on the KPCR is proposed. The new method overcomes the problem of translating virtual addresses to physical addresses across different versions of the Microsoft Windows OS. This dissertation also develops a memory reader-writer based on port 1394 and one based on PCIe. Some difficult practical problems can be solved by these proposed technologies.
(5) The problems of data changes during the memory acquisition process and their credibility evaluation are studied. This dissertation presents a new research idea, in which the memory acquisition process is considered as one measurement of the memory data, and certain system uncertainties can be measured in order to evaluate system memory changes. By analyzing the results of numerous experiments by other researchers, the principles for reducing experimental errors are obtained. Finally, the calculation method for systematic errors and the calculation method for system process errors are given. Analysis shows that live evidence collected by the live forensic method based on the analysis of physical memory is credible.
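Contribution (4) turns on translating virtual addresses found in a memory image into physical offsets in that image. The following worked example, added here and not code from the dissertation, walks x86 32-bit (non-PAE) page tables over a constructed raw image, handling 4 KiB pages, 4 MiB large pages, non-present entries and reads that cross a page boundary. It assumes the directory table base (DTB, the CR3 value of the process of interest) is already known, which is the piece of information a KPCR-based method is used to recover; the image layout, the DTB value 0x1000 and the marker strings are constructed sample data.

```python
"""x86 32-bit (non-PAE) virtual-to-physical translation over a raw memory image.
Added example, not the dissertation's KPCR-based method: it assumes the DTB
(CR3) is already known, e.g. recovered through the KPCR, and walks the tables."""
import struct

PAGE_SIZE = 0x1000
PRESENT = 1 << 0      # bit 0 of a PDE/PTE: entry is valid
LARGE_PAGE = 1 << 7   # bit 7 of a PDE: maps a 4 MiB page directly


class RawImage:
    """A flat physical memory image held in a bytearray (constructed, not a real dump)."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def read(self, paddr, length):
        if paddr < 0 or paddr + length > len(self.buf):
            raise ValueError(f"physical read outside image: {paddr:#x}")
        return bytes(self.buf[paddr:paddr + length])

    def write(self, paddr, data):
        self.buf[paddr:paddr + len(data)] = data

    def read_u32(self, paddr):
        return struct.unpack("<I", self.read(paddr, 4))[0]


def translate(image, dtb, vaddr):
    """Return the physical address backing vaddr, or None if it is not mapped."""
    pde_index = (vaddr >> 22) & 0x3FF   # top 10 bits select the page directory entry
    pte_index = (vaddr >> 12) & 0x3FF   # next 10 bits select the page table entry
    pde = image.read_u32((dtb & 0xFFFFF000) + pde_index * 4)
    if not pde & PRESENT:
        return None
    if pde & LARGE_PAGE:
        # 4 MiB page: PDE bits 31..22 hold the frame, the low 22 bits of vaddr the offset
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = image.read_u32((pde & 0xFFFFF000) + pte_index * 4)
    if not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF)


def read_virtual(image, dtb, vaddr, length):
    """Read a virtual range, translating each 4 KiB page separately; None if any page is unmapped."""
    out = bytearray()
    while length > 0:
        paddr = translate(image, dtb, vaddr)
        if paddr is None:
            return None
        chunk = min(length, PAGE_SIZE - (vaddr & 0xFFF))  # stop at the page boundary
        out += image.read(paddr, chunk)
        vaddr += chunk
        length -= chunk
    return bytes(out)


def build_sample_image():
    """Constructed image: page directory at 0x1000, one page table at 0x2000,
    two 4 KiB data pages at 0x3000/0x4000 and a 4 MiB large page at 0x400000."""
    img = RawImage(0x402000)
    dtb = 0x1000
    img.write(dtb + 0 * 4, struct.pack("<I", 0x2000 | PRESENT))                 # PDE 0 -> page table
    img.write(dtb + 1 * 4, struct.pack("<I", 0x400000 | LARGE_PAGE | PRESENT))  # PDE 1 -> 4 MiB page
    img.write(0x2000 + 0x10 * 4, struct.pack("<I", 0x3000 | PRESENT))           # PTE 0x10 -> 0x3000
    img.write(0x2000 + 0x11 * 4, struct.pack("<I", 0x4000 | PRESENT))           # PTE 0x11 -> 0x4000
    # PTE 0x12 is left zero (not present); PDE 2 onwards are zero (not present).
    img.write(0x3FFC, b"EVID")      # marker straddling the 0x10000/0x11000 virtual page boundary
    img.write(0x4000, b"ENCE")
    img.write(0x401234, b"LARGE")   # marker inside the large page
    return img, dtb


if __name__ == "__main__":
    img, dtb = build_sample_image()
    print(hex(translate(img, dtb, 0x10FFC)), read_virtual(img, dtb, 0x10FFC, 8))
    print(hex(translate(img, dtb, 0x401234)), read_virtual(img, dtb, 0x401234, 5))
    print(translate(img, dtb, 0x12000))  # None: PTE not present
```

Every read goes through `translate`, so an analysis routine that follows pointers out of kernel structures fails cleanly on a paged-out or unmapped page instead of silently reading the wrong physical bytes; on a real Windows image the same walk applies once the DTB of the process (or the kernel) has been located.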
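Contribution (5) treats acquisition as a measurement of memory that takes time while the system keeps running. The following simulation, added here and not the dissertation's own error model, shows why an image taken page by page matches neither the memory state at the start of acquisition nor the state at its end, and measures the page-level distance from each; the page size, the eight-page memory and the workload write schedule are constructed values.

```python
"""Acquisition as a measurement that takes time: a sequential acquirer copies one
page per step while a simulated workload keeps writing to memory.  Added example,
not the dissertation's error model; page size, memory and writes are constructed."""

PAGE_SIZE = 16  # tiny pages so the constructed sample stays readable


def acquire(memory, page_size, writes):
    """Copy memory page by page. Before page i is copied, the workload writes
    scheduled for step i are applied. Returns (image, start_state, end_state)."""
    mem = bytearray(memory)
    start = bytes(mem)
    n_pages = len(mem) // page_size
    image = bytearray()
    for step in range(n_pages):
        for page, offset, value in writes.get(step, ()):
            mem[page * page_size + offset] = value
        image += mem[step * page_size:(step + 1) * page_size]
    return bytes(image), start, bytes(mem)


def differing_pages(a, b, page_size):
    """Indices of pages whose contents differ between two equally sized buffers."""
    return [i for i in range(len(a) // page_size)
            if a[i * page_size:(i + 1) * page_size] != b[i * page_size:(i + 1) * page_size]]


def smear_report(memory, page_size, writes):
    """Measure how far the acquired image is from the start and end states."""
    image, start, end = acquire(memory, page_size, writes)
    n_pages = len(memory) // page_size
    vs_start = differing_pages(image, start, page_size)
    vs_end = differing_pages(image, end, page_size)
    return {
        "pages": n_pages,
        "stale_vs_start": vs_start,   # written before the acquirer reached them
        "stale_vs_end": vs_end,       # written after the acquirer passed them
        "error_rate_vs_start": len(vs_start) / n_pages,
        "error_rate_vs_end": len(vs_end) / n_pages,
    }


# Constructed sample: 8 pages of 16 bytes, and a workload write schedule
# {step: [(page, offset, value), ...]} applied just before that step's page is copied.
SAMPLE_MEMORY = bytes(range(8 * PAGE_SIZE))
SAMPLE_WRITES = {
    0: [(5, 0, 0xFF)],                # page 5 changes before it is copied at step 5
    3: [(1, 4, 0xAA)],                # page 1 was copied at step 1, so the image keeps the old value
    6: [(2, 7, 0xBB), (7, 0, 0xCC)],  # page 2 already copied; page 7 not yet
}


if __name__ == "__main__":
    print(smear_report(SAMPLE_MEMORY, PAGE_SIZE, SAMPLE_WRITES))
```

Pages written before the acquirer reaches them show the new contents (consistent with the end state), pages written after it has passed show the old contents (consistent with the start state), so the image disagrees with any single reference point by a non-zero fraction of pages. Shortening the acquisition window, which contribution (3) pursues with dedicated acquisition tools, reduces the number of writes that can land inside it and therefore both error rates.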
Keywords/Search Tags: computer forensics, computer forensics model, memory forensics, live forensics, trusted probability of digital evidence