Memory Acquisition and Forensics Flashcards
Memory Forensics - In-System Acquisition:
Software based acquisition methods of volatile information including RAM and other system state may rely on processes in the target of observation or full on emulation may be an exception, but this is an extremely specialised case and not realistic as it requires resources several orders of magnitude larger than of the target system
Memory Forensics - External Acquisition:
Hardware-based acquisition methods can be designed in a way that the target is not altered
In-System (Live) Acquisition Limits:
Any in-system acquisition will alter the state of the system it intended to be acquired
Although it may be possible to gain an approximate understanding of the effects of this observation, there are several fundamental limits:
- The exact system state that would exist without the intervention of the acquisition system cannot be known a priori
- The presence of counter-forensic components may prevent accurate acquisition, even when using tamper-resistant components
For in-system acquisition some of he key problems arise from the fact that it is not possible to freeze the target system completely:
- Acquiring a memory snapshot takes time, even if one were to stop all concurrent processing units bar one and not all system state can be captured reliably
- As a result, software-based snapshots are normally not completely atomic, i.e. not all causality may be correctly represented in a memory image
Why do we need a write blocker:
The write blocker is a software or hardware component that prevents the computer from changing any data on the suspects hard drive
