FATKit A framework for the extraction and analysis

FATKit:AFrameworkfortheExtractionandAnalysisofDigitalForensicDatafromVolatileSystemMemory∗NickL.Petroni,Jr.†AAronWalters‡TimothyFraser†WilliamA.Arbaugh†npetroni@cs.umd.eduawalters@4tphi.nettfraser@umiacs.umd.eduwaa@cs.umd.edu†UniversityofMaryland,CollegePark,MD20742,USA‡4tphiResearch,Vienna,VA22182,USAAbstractWepresenttheForensicAnalysisToolKit(FATKit)–amodular,extensibleframeworkthatincreasesthepracticalapplicabilityofvolatilememoryforensicanalysisbyfreeinghumananalystsfromtheprohibitively-tediousaspectsoflow-leveldataextraction.FATKitallowsanalyststofocusonhigher-leveltasksbyprovidingnovelmethodsforautomaticallyderivingdigitalobjectdefinitionsfromCsourcecode,extractingthoseobjectsfrommemoryimages,andvisualizingtheunderlyingdatainvariousways.FATKitpresentlyincludesmodulesforgeneralvirtualaddressspacereconstructionandvisualization,aswellasLinux-andWindows-specifickernelanalysis.Keywords:computerforensics,digitalevidence,digitalinvestigation,incidentresponse,volatilememoryanalysis1OverviewForthepurposesofincidentresponseandanalysis,volatilesystemmemoryrepresentsavaluableyetchal-lengingmediumforthecollectionofdigitalevidence.Whiletraditionaldigitalforensictechniqueshavefo-cusedondiskdrivesandothermorelastingdatasources[16,10,9,17],systemmemorycanprovideagreatdealofinformationaboutthesystem’sruntimestateatthetimeof,orjustafter,anincident[39,12,17].Detailssuchasrunningprocesses,loadedlibraries,logged-inusers,listeningnetworksockets,andopenfilesareallavailableinsystemmemory.Thisinformationcanprovideagreatdealofcontext,particularlywhenusedinconjunctionwithtraditionalforensicdatasources.Additionally,recentadvancesinreal-worldthreatshaveshownatrendtowardsmemory-onlymodificationwheneverpossible[27,29,5],therebyren-deringtraditionalpost-mortemanalysistechniquesblindtotheexistenceofintruders.Whiletheneedforaccesstoforensicdataextractedfromvolatilememoryhasbeendemonstrated[17,12],anumberofbarriersmakethisaccessdifficult.Systemmemoryisdifferentfromitsless-volatilecounterpartsinanumberofsignificantways.First,thetransientnatureofthedatamakesitmoredifficulttocollectwithoutmodifyingthedataitself,aqualityknownaspreservationwithintheforensicscommunity[17].Thelongerthesystemruns,themorememorychanges,possiblyreplacingcluesleftatthetimeoftheincident[17].However,stoppingthesystemfrom0NOTICE:Thisistheauthor’sversionofaworkthatwasacceptedforpublicationinDigitalInvestigation.Changesresultingfromthepublishingprocess,suchaspeerreview,editing,corrections,structuralformatting,andotherqualitycontrolmechanismsmaynotbereflectedinthisdocument.Changesmayhavebeenmadetothisworksinceitwassubmittedforpublication.AdefinitiveversionwassubsequentlypublishedinDigitalInvestigation,Volume3,Issue4,December2006,DOIinformation:10.1016/j.diin.2006.10.0011running(atleastinanyconventionalway)willlikelydestroymuchoralloftheevidence.Toaddresstheseissues,anumberofsystemshavebeenproposedtoaidwiththecollectionofdata(referredtohereas“images”)fromvolatilememory[21,23,25,12].Thesetechniques,whilenotperfect,havehighlightedanevenmorechallengingproblem,whichCarrierreferstoastheComplexityProblem[7].Theseconddifficultyfacingdigitalforensicanalysisofsystemmemoryisthecomplexityofcollecteddata.Onatypicalmulti-programmedsystem,asinglephysicaladdressspacefrequentlycontainsmachineinstructions,initializedanduninitializeddata,andarchitecture-specificdatastructuresforanumberofdif-ferentprograms.Additionally,manyprocessorssupportmemoryvirtualization,wherebyeachprogramoroperatingsystemmayviewthesamephysicaladdressspaceindifferentways[28].Sectionsofthisvirtualaddressspacemaybeinmemory,ondisk,ormaynotexistatall.Finally,dependingonimplementationspecifics,eachprogramcanorganizeitselfwithinitsvirtualaddressspaceinalmostarbitraryways.Differ-encesinprogramminglanguages,compilers,operatingsystemapplicationprogramminginterfaces(APIs),andsystemlibrariesmakeeachsystemslightlydifferent.Unlikedisks,wheredatahasapredefinedstructureforportabilityandbackwardscompatibility,mostinstancesofdatainmainmemoryarenotmeanttobeusedbydifferentversionsofdifferentprogramsinasingleconsistentmanner.Becauseofthesechallenges,thereiscurrentlynotoolorprocedureforperformingcomprehensiveanal-ysisoflow-leveldatacollectedfromarunningsystem.Furthermore,thefewtechniquesthatdoexistprovideeitherminimalinformation,asinthecaseofstringsearchesandchecksumcomparisons[17],orimplementthetimeconsuming,hand-codedreproductionofdatastructuresandalgorithmsutilizedbysystemsoftwaresuchastheoperatingsystem[2,22,4].Intoday’sworldoffrequentsoftwareupdates,suchhand-codedapproachesconstantlyrequiretheattentionofexpertsinordertokeepupwithnewreleases.Evensmallchanges,suchasbuild-timeconfigurationorcompilerflags,canchangethelow-levelfootprintofapro-gram’sdigitalobjects.Moreimportantly,extendingthesetofobjectsavailabletotheexpertforanalysisrequiresmorelow-levelcodingforeachextension.Thislackofsuitabletoolsforcesanalyststoexpendmuchtimeandresourcesonlow-leveldatagatheringratherthanmoreprofitablehigh-levelforensicinvesti-gation.Inanattempttoprovideamorecomprehens