Authors: Kyoungho Lee (Chonnam National University), Hyunuk Hwang (The Affiliated Institute of ETRI), Kibom Kim (The Affiliated Institute of ETRI), and Bongnam Noh (Chonnam National University)
DFRWS USA 2016
Memory analysis is increasingly used to collect digital evidence in incident response. With the fast growth of memory analysis, however, anti-forensic techniques have appeared that prevent it from performing the bootstrapping steps — operating system (OS) fingerprinting, Directory Table Base (DTB) identification, and obtaining kernel objects. Although most published research works try to counter anti-forensics, each deals with only one of the three steps. Thus, if any one of the three steps collapses, the memory analysis fails even with the robust algorithms those works suggest. In this paper, we evaluate the latest memory forensic tools against anti-forensics. Then, we propose a novel robust algorithm that guarantees the bootstrapping analysis steps. It uses only one kernel data structure, KiInitialPCR, which is a kernel global variable based on the kernel processor control region (KPCR) structure and has many fields that are tolerant to mutation. We characterize the robust fields of the KPCR structure and use them for OS fingerprinting, DTB identification, and obtaining kernel objects. Then, we implement the KiInitialPCR-based analysis system. As a result, we can analyze compromised memory in spite of the interference of anti-forensics.
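The abstract's central idea is that a small set of self-consistent KPCR fields survives mutation of the rest of the structure, so a bootstrapping step can be anchored on them rather than on fragile signatures. The following Python scanner is an added illustration of that idea and is not code from the paper or its analysis system: it locates KPCR candidates in a memory image by checking only two mutually consistent pointers. The field offsets (`Self` at 0x18, `CurrentPrcb` at 0x20, the embedded `_KPRCB` at 0x180) are assumed from the publicly documented Windows x64 `_KPCR` layout, not from the paper, which does not list its robust fields in the abstract; the flat image, its base address, the "mutated" KPCR and the decoy are all constructed for the demo, and the image is treated as one contiguous kernel virtual range, which real images are not. OS fingerprinting and DTB recovery from the located KPCR are not shown.

```python
import random
import struct

# Field offsets assumed from the publicly documented Windows x64 _KPCR layout
# (assumption for this example; the paper's abstract does not list them).
KPCR_SELF_OFF = 0x18         # _KPCR.Self: pointer back to the KPCR itself
KPCR_CURRENTPRCB_OFF = 0x20  # _KPCR.CurrentPrcb: pointer to the embedded _KPRCB
KPCR_PRCB_OFF = 0x180        # the _KPRCB lives at this offset inside _KPCR
KPCR_MIN_SIZE = KPCR_PRCB_OFF + 8


def scan_kpcr_candidates(image: bytes, base_va: int, step: int = 8) -> list:
    """Return virtual addresses in `image` whose Self and CurrentPrcb fields are
    mutually consistent with a KPCR.  The image is assumed (simplification) to
    be one contiguous kernel virtual range starting at base_va."""
    hits = []
    for off in range(0, len(image) - KPCR_MIN_SIZE, step):
        self_ptr, prcb_ptr = struct.unpack_from("<QQ", image, off + KPCR_SELF_OFF)
        va = base_va + off
        # Both relations must hold; one matching pointer alone is rejected.
        if self_ptr == va and prcb_ptr == va + KPCR_PRCB_OFF:
            hits.append(va)
    return hits


def build_demo_image(base_va: int, kpcr_off: int, mutate: bool) -> bytes:
    """Constructed sample image: deterministic filler, one genuine KPCR whose
    other bytes are optionally overwritten, and one decoy that must be rejected."""
    rng = random.Random(2016)
    img = bytearray(rng.getrandbits(8) for _ in range(0x4000))

    va = base_va + kpcr_off
    struct.pack_into("<QQ", img, kpcr_off + KPCR_SELF_OFF, va, va + KPCR_PRCB_OFF)
    if mutate:
        # Simulate anti-forensic mutation of every KPCR byte except the two
        # robust pointer fields the scanner relies on.
        keep_lo = kpcr_off + KPCR_SELF_OFF
        keep_hi = kpcr_off + KPCR_CURRENTPRCB_OFF + 8
        for i in range(kpcr_off, kpcr_off + KPCR_MIN_SIZE):
            if not keep_lo <= i < keep_hi:
                img[i] = 0xFF

    # Decoy: Self points at itself, but CurrentPrcb points to the wrong place.
    decoy_off = kpcr_off + 0x1000
    decoy_va = base_va + decoy_off
    struct.pack_into("<QQ", img, decoy_off + KPCR_SELF_OFF, decoy_va, decoy_va + 0x100)
    return bytes(img)


BASE_VA = 0xFFFFF80000000000  # constructed kernel base for the demo image
KPCR_OFF = 0x2C0              # constructed position of the KPCR in the image


def demo(mutate: bool = True) -> list:
    """Scan the constructed image; returns the candidate list."""
    return scan_kpcr_candidates(build_demo_image(BASE_VA, KPCR_OFF, mutate), BASE_VA)


if __name__ == "__main__":
    for va in demo():
        print(f"KPCR candidate at {va:#x} (PRCB at {va + KPCR_PRCB_OFF:#x})")
```

Running `demo(True)` and `demo(False)` yields the same single candidate, which is the property the abstract relies on: mutating the non-robust bytes of the structure does not change the result, while the decoy shows why the scanner must check the relation between two fields rather than a single self-pointer.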