Return to search

An analysis of Linux RAM forensics

During a forensic investigation of a computer system, the ability to retrieve volatile information can be of critical importance. The contents of RAM could reveal malicious code running on the system that has been deleted from the hard drive or, better yet, that was never resident on the hard drive at all. RAM can also provide the programs most recently run and files most recently opened in the system. However, due to the nature of modern operating systems, these programs and files are not typically stored contiguously-which makes most retrieval efforts of files larger than one page size futile. To date, analysis of RAM images has been largely restricted to searching for ASCII string content, which typically only yields text information such as document fragments, passwords or scripts. This thesis explores the memory management structures in a SUSE Linux system (kernel version 2.6.13-15) to make sense out of the chaos in RAM and facilitate the retrieval of files/programs larger than one page size. The analysis includes methods for incorporating swap space information for files that may not reside completely within physical memory. The results of this thesis will become the basis of later research efforts in RAM forensics. This includes the creation of tools that will provide forensic analysts with a clear map of what is resident in the volatile memory of a system.

Identiferoai:union.ndltd.org:nps.edu/oai:calhoun.nps.edu:10945/2933
Date03 1900
CreatorsUrrea, Jorge Mario.
ContributorsEagle, Christopher S., Dinolt, George, Naval Postgraduate School, Department of Computer Science
PublisherMonterey, California. Naval Postgraduate School
Source SetsNaval Postgraduate School
Detected LanguageEnglish
TypeThesis
Formatxiv, 73 p. : ill. ;, application/pdf
RightsApproved for public release, distribution unlimited

Page generated in 0.0016 seconds