RAM ANALYSIS AS ONE OF THE METHODS FOR COMPUTER FORENSICS
DOI: https://doi.org/10.24025/2306-4412.4.2020.214993

Keywords: digital transformation, higher education, web-oriented information system, modeling, design, system approach.

Abstract
Modern methods of computer forensics usually do not use RAM analysis, because the task is significantly complex. At the same time, RAM is an interesting object of research. RAM contains the data structures and the data related to the processes running on the system and to the kernel: the virtual memory of all processes, the virtual memory of the kernel, handles, mutexes, network connections, and other resources currently in use by the processes and the kernel. All these data and data structures are available in a memory dump. Beyond that, RAM can contain data about decryption keys, and such information is valuable for computer forensics. RAM analysis, as a separate method of computer forensics, generally requires solving some intermediate problems. The task of memory acquisition involves capturing the contents of RAM with a memory capture tool, which creates a memory dump file. The second step, memory analysis or forensics, is the analysis of this memory dump file. The main aim of this article is finding and testing tools for RAM forensics. We have analyzed the most respected forensics books and the latest scientific papers to perform these tasks, and after that we have carried out our own research and tests of some software.

Forensics starts with data acquisition. Since we want to look at the memory, we need memory acquisition tools such as a virtual environment. Using the tools of a virtual environment, we can take a complete dump of RAM, which includes both the user-mode memory space of all processes and the kernel-mode memory. The best tool, according to the authors, is Oracle VM VirtualBox, because it is a useful, simple and free tool.

Analyzing the latest scientific works in the field of computer forensics, for memory analysis the authors chose the tool "Volatility". Volatility is one of the most popular pieces of open-source software used for this purpose, and it is able to read suspended states of virtual machines. The advantage of such tools is that malware, such as rootkits, that tries to hide itself from the user domain can be extracted using memory forensic tools. The proposed tools allow experts to perform forensic analysis of RAM and obtain information that is not available from classical research methods. In this research we have tested the functionality of the virtual environment and of various Volatility plugins that give an idea of the events taking place in the operating system and the activities of some software. These methods and algorithms will be useful for computer forensics in government forensic centers or for cybersecurity workers.
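The abstract describes the two steps, acquisition into a dump file and analysis of that file, without showing what sits between them: the dump format. The following is an added example, not code from the paper or from the VirtualBox or Volatility projects. It reads the ELF64 core that VirtualBox writes with `VBoxManage debugvm <vm> dumpvmcore --filename=<file>` and maps guest-physical addresses to file offsets, which is the translation every analysis plugin needs before it can walk process lists or kernel structures. It assumes (as Volatility's VirtualBox address space does) that each PT_LOAD segment carries a run of guest RAM whose `p_paddr` is the guest-physical start address; the sample core built by `build_sample_core` is constructed for the test and deliberately contains a hole between two RAM runs, the situation an analyst hits at the PCI MMIO gap below 4 GiB.

```python
"""Added example: parse a VirtualBox-style ELF64 core dump and map guest-physical
addresses to file offsets.  Assumption: PT_LOAD segments carry guest RAM with
p_paddr = guest-physical address.  The sample core below is constructed."""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_CORE, EM_X86_64 = 4, 0x3E
PT_LOAD, PT_NOTE = 1, 4
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # ELF64 file header, 64 bytes, little-endian
PHDR_FMT = "<IIQQQQQQ"          # ELF64 program header, 56 bytes
PAGE = 0x1000


@dataclass
class Segment:
    paddr: int   # guest-physical address of the first byte of this RAM run
    offset: int  # file offset of those bytes inside the dump
    size: int    # bytes actually present in the file


def parse_core(data: bytes) -> List[Segment]:
    """Return the PT_LOAD segments of an ELF64 core, sorted by guest-physical address."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_type != ET_CORE:
        raise ValueError("ELF e_type is not ET_CORE")
    segments = []
    for i in range(e_phnum):
        p_type, _, p_offset, _, p_paddr, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_filesz:
            segments.append(Segment(p_paddr, p_offset, p_filesz))
    return sorted(segments, key=lambda s: s.paddr)


def segment_for(segments: List[Segment], paddr: int) -> Optional[Segment]:
    """Find the RAM run containing paddr; None means a hole (e.g. the PCI MMIO gap)."""
    for s in segments:
        if s.paddr <= paddr < s.paddr + s.size:
            return s
    return None


def phys_to_offset(segments: List[Segment], paddr: int) -> Optional[int]:
    """Translate one guest-physical address into a dump-file offset."""
    s = segment_for(segments, paddr)
    return None if s is None else s.offset + (paddr - s.paddr)


def read_physical(data: bytes, segments: List[Segment], paddr: int, length: int) -> bytes:
    """Read guest RAM across segment boundaries, refusing to silently skip a hole."""
    out, cur = bytearray(), paddr
    while len(out) < length:
        s = segment_for(segments, cur)
        if s is None:
            raise ValueError(f"guest-physical 0x{cur:x} is not present in the dump")
        chunk = min(length - len(out), s.paddr + s.size - cur)
        start = s.offset + (cur - s.paddr)
        out += data[start:start + chunk]
        cur += chunk
    return bytes(out)


def find_ascii_strings(data: bytes, segments: List[Segment], min_len: int = 8) -> List[Tuple[int, str]]:
    """First-pass triage: printable runs in mapped RAM, reported by guest-physical address."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    hits = []
    for s in segments:
        for m in pattern.finditer(data, s.offset, s.offset + s.size):
            hits.append((s.paddr + (m.start() - s.offset), m.group().decode("ascii")))
    return hits


def build_sample_core() -> bytes:
    """Constructed stand-in for a VirtualBox core: a note, two RAM runs, a hole between."""
    ram_low = bytearray(PAGE)
    ram_low[0x100:0x100 + 21] = b"constructed-guest-ram"
    ram_high = bytearray(PAGE)
    ram_high[:7] = b"HIGHMEM"
    note = b"\x00" * 16                  # placeholder for the VBox CPU-state note
    note_off = 64 + 56 * 3               # note data follows the three program headers
    phdrs = [
        (PT_NOTE, 0, note_off, 0, 0, len(note), 0, 0),
        (PT_LOAD, 6, PAGE, 0, 0x0, PAGE, PAGE, PAGE),                 # RAM at 0
        (PT_LOAD, 6, 2 * PAGE, 0, 0x1_0000_0000, PAGE, PAGE, PAGE),   # RAM above 4 GiB
    ]
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + b"\x00" * 9
    ehdr = struct.pack(EHDR_FMT, ident, ET_CORE, EM_X86_64, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 0, 0, 0)
    head = ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + note
    return head.ljust(PAGE, b"\x00") + bytes(ram_low) + bytes(ram_high)
```

Running `parse_core` on a real `dumpvmcore` file lists each RAM run with its file offset; `read_physical` raises instead of returning bytes from the wrong place when a read crosses into an unmapped gap, which is the failure a naive "treat the file as flat RAM" approach misses. `find_ascii_strings` is the usual first look at a dump before heavier plugins are run, and it reports guest-physical addresses rather than file offsets so the results line up with what Volatility prints.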
Copyright (c) 2020 Роман Леонідович Пташкін, Олександр Олександрович Гожий, Юрій Юрійович Обруч, Вячеслав Віталійович Павлов, Руслан Анатолійович Калініченко

The authors who publish in this journal agree to the following terms:

The authors reserve the right to authorship of their work and give the journal the right to first publish this work under the terms of the Creative Commons Attribution License CC BY-NC, which allows other persons to freely distribute the published work with a mandatory reference to the authors of the original work and the first publication of the work in this journal.
Authors have the right to conclude separate additional agreements for the non-exclusive distribution of the paper in the form in which it was published by this journal (for example, posting work in electronic repository or publishing as part of a monograph), provided that the link to the first publication in this journal is maintained.
The journal policy allows and encourages authors to post on the Internet (for example, in repositories of institutions or on personal websites) the manuscript of work, both before the submission of this manuscript to the editorial staff, and during its editorial work, as it contributes to the emergence of productive scientific discussion and positively affects the efficiency and dynamics of published work citation (see The Effect of Open Access).