Memory Architecture

Question 1

Computer buses

Answer 1

Communication channels running between motherboard and RAM

Question 2

Memory Management Unit (MMU)

Answer 2

Translates the address that the processor request to its corresponding address in main memory.

Question 3

Translation Lookaside Buffer (TLU)

Answer 3

Because a given translation can require multiple memory read operations, the processor uses a special cache. Prior to each memory access, the TLB is consulted before asking the MMU to perform costly operations.

Question 4

Memory Controller -

Answer 4

CPU relies on memory controller to manage communication with main memory.

Question 5

Direct Memory Access (DMA)

Answer 5

Provides a mechanism to directly access the contents of physical memory from a peripheral device w/out involving the untrusted software running on the machine.

Question 6

Linear Address Space

Answer 6

The single continuous address space that is exposed to a running program.

Question 7

Physical Address Space

Answer 7

Refers to the addresses that the processor requests for accessing physical memory. These addresses are obtained by translating the linear addresses to physical ones, using one or more page tables.

Question 8

Registers

Answer 8

In IA-32 architecture registers define a small amount of extremely fast memory which the CPU uses for temporary storage during processing.

Question 9

Paging

Answer 9

Provides the ability to virtualize the linear address space. It creates an execution environment in which a large linear address space is simulated with a modest amount of physical memory and disk storage. Each 32-bit linear address space is broken up into fixed-length sections called pages which can be mapped into physical memory in arbitrary order. IA-32 architecture supports pages of size 4 MB.

Question 10

Physical Address Extension (PAE)

Answer 10

Allows the processor to support physical address spaces greater than 4 GB.

Question 11

Interrupt Descriptor Table (IDT)

Answer 11

PC architectures provide a mechanism for interrupting process execution and passing control to a privileged mode software routine. The routines are stored in the IDT.

Question 12

Interrupt Service Routine (ISR)

Answer 12

The IDT contrains the address of the ISR that can handle the particular interrupt or exception. In the event of an interrupt or exception, the specified interrupt

Question 13

Thread

Answer 13

the basic unit of CPU utilization and execution. A thread is often characterized by a thread ID, CPU register set, and execution stack(s).

Question 14

Process

Answer 14

An instance of a program executing memory. A process’s thread shares the same code, data, address space, and operating system resources. Acts as a container for system resources that are accessible to its threads.

Question 15

CPU Scheduling

Answer 15

Operating system’s capability to distribute CPU execution time among multiple threads.

Question 16

Context Switching

Answer 16

Switching execution of one thread to another. During a context switch the OS suspends the execution of a thread and stores its execution context in main memory. The OS then retrieves the execution context of another thread from memory, updates the state of the CPU registers, and resumes execution where it was previously suspended.

Question 17

Use of Context Switching for Forensics

Answer 17

The saved execution context associated with suspended threads can provide valuable insight during memory analysis such as which section of code were being executed or which parameters were passed to system calls.

Question 18

Tracked Operating System Resources

Answer 18

Processes, threads, files, network sockets, synchronization objects, and regions of shared memory.

Question 19

Virtual Memory

Answer 19

OSs provide each process with its own private virtual address space. This abstraction creates a separation between the logical memory that a process sees and the actual physical memory installed on the machine. During execution the memory manager and the MMU work together to translate the virtual address into physical addresses.

Question 20

OS Memory vs. Private Memory

Answer 20

The range of addresses reserved for the OS is generally consisten across all processes, whereas the private ranges depend on the process that is executing. With the support of the hardware, the memory manager can partition the data to prevent a malicious or misbehaving process from reading or writing memory that belongs to kernel memory or other processes.

Question 21

Demand Paging

Answer 21

Mechanism that is commonly used to implement virtual memory–a memory management policy for determining which regions are resident in main memory and which are moved to a slower secondary storage when the need arises.

Question 22

Page File or Swap

Answer 22

Refers to a file or partition on an internal disk, the most common secondary storage. A demand paging implementation attemps to load only the pages that are actually needed into memory as opposed to entire processes.

Question 23

Locality of Reference

Answer 23

Based on the observation that memory locations are likely to be frequently accessed in a short period of time, as are their neighbors. To improve performance and stability, an OS’s memory manager has a mechanism for designating which regions of memory are paged versus those that must remain resident.

Question 24

Shared Memory

Answer 24

Commonly used to conserve physical memory. Instead of allocating multiple physical pages that contain the same data, you can create a single instance of the data in physical memory and map various regions of virtual memory to it.

Question 25

Copy-on-Write

Answer 25

Related to shared memory. Allows the memory manager to defer making a private copy of the data within a process’ address space until the memory has been modified. After the page is written to, the memory manager allocates the private copy of that page with the associated modifications and updates the virtual memory mappings for that process. The other processes are unaffected and still map to the original shared page.

Question 26

Heap

Answer 26

Application data that needs to be dynamically allocated is stored within the heap region. Unlike data allocated on the stack, which persists only for the scope of a function, the data allocated within the heap can persist for the lifetime of the process. A heap stores information whose length and contents may not be known at compile time.

Question 27

What data is found in the heap?

Answer 27

Data read from files on disk, data transferred over the network, and input typed into a keyboard.

Question 28

Accessing File System Storage Block

Answer 28

Unlike volatile main memory, OSs use secondary storage to manage persistent data objects that a user wants to access for a timeframe longer than the lifetime of a particular process. Data stored in files must be loaded into memory when they are needed. The OS also caches frequently accessed data in main memory to reduce the overhead associated with it.

Question 29

Compare Cached File Data to Data Stored on Disk

Answer 29

By comparing cached data with the data stored on disk, investigators can identify modifications made to memory-resident data. Additionally, investigators might find memory artifacts in crash dumps or hibernation files.

Question 30

Device Drivers

Answer 30

Typically communicate with the registers of the device controller. OSs use device drivers to implement virtual memory via a software device.

Question 31

I/O Controls (IOCTLs)

Answer 31

Allow a user application to communicate with a kernel mode device driver. The also provide a mechanism for third-party hardware devices and drivers to define their own interfaces and functionality. Memory forensics can detect modified or unknown IOCTLs and provide valuable insight into how attackers leverage them.

Question 32

Hibernation File Contains

Answer 32

Contains a compressed copy of memory that the system dumps to disk during the hibernation process. (Header: ‘PO_MEMORY_IMAGE’)

Question 33

Volatility Hibernation File Analysis Requirements

Answer 33

Every time you run a command, you need to decompress certain segments or you can decompress the entire memory dump once (using the imagecopy command)

Question 34

Pool Tag

Answer 34

specifies a four-byte value, typically composed of ASCII characters that should uniquely identify the code path taken to produce the allocation.