Authors: Johannes Stüttgen (University of Erlangen-Nuremberg) and Michael Cohen (Google)



Memory analysis has gained popularity in recent years proving to be an effective technique for uncovering malware in compromised computer systems. The process of memory acquisition presents unique evidentiary challenges since many acquisition techniques require a code to be run on a potentially compromised system, presenting an avenue for anti-forensic subversion. In this paper, we examine a number of simple anti-forensic techniques and test a representative sample of current commercial and free memory acquisition tools. We find that current tools are not resilient to very simple anti-forensic measures. We present a novel memory acquisition technique, based on direct page table manipulation and PCI hardware introspection, without relying on operating system facilities – making it more difficult to subvert. We then evaluate this technique’s further vulnerability to subversion by considering more advanced anti-forensic attacks.