

RAM FORENSICS AGAINST CYBER CRIMES INVOLVING FILES

Mohammed I. Al-Saleh
Jordan Univ. of Science and Tech.
Computer Science Dept.
P.O. Box 3030
Irbid, Jordan 22110
[email protected]

Ziad A. Al-Sharif
Jordan Univ. of Science and Tech.
Software Engineering Dept.
P.O. Box 3030
Irbid, Jordan 22110
[email protected]

Abstract

Cyber crimes are explosively increasing as a result of the wide deployment of the Internet. Breaking into others' machines to steal their valuable information (such as credit card numbers) or execute unwanted code, threatening innocent people, pirating copyrighted software, and distributing malicious software are examples of such crimes. Digital Forensics (DF) techniques are utilized to accuse cyber criminals and prove them guilty. This paper observes that many different violations explicitly or implicitly involve files. A file is a logical entity that might occupy different physical locations in the system. Explicit actions that involve files include directly downloading them from Internet resources or copying them from external storage devices. On the other hand, viewing some entities (such as pictures, audios, videos, etc.) in web browsers might implicitly involve files. Using peer-to-peer networks (e.g., BitTorrent), however, requires partitioning a file into different pieces and distributing them among the participating peers. The requesting peer can download the pieces from the other peers. In this case, the involved file is physically partitioned and downloaded from different locations. Finding files in criminals' machines can be used as evidence against them. This paper shows that, in many cases, violators' actions can be thought of as involving files. We design different experiments and examine the state of the physical memory (RAM) after an activity that explicitly or implicitly involves a file. We show that all or some portions of the files can be found in the RAM memory. This research considers the way the Operating System (OS) manages the RAM memory and how it loads data into it. Furthermore, because the OS allocates memory spaces for processes in a page granularity, this paper shows that searching for files can be effectively and efficiently conducted in a page granularity. Finally, this paper shows that searching for a viewed (rather than downloaded) file in the RAM memory might require searching for its converted format while being viewed.

Keywords. RAM, Paging, Address Space, Torrent, Cyber Crimes

1 Introduction

The Internet has become an essential part of people's daily lives. It is used for different purposes such as communication, business, education, research, and social networks. Because the Internet is widely accessible, people with malicious intentions misuse it. Cyber crimes include stealing digital properties (such as passwords, credit card numbers, personal information, copyrighted materials), penetrating machines and executing code without authorization, flooding networks with bad traffic, spamming and phishing emails, impersonating real entities, spying on people's activities, and destroying valuable information. Many security techniques have been developed to prevent and detect cyber attacks. However, there is no such method that stops all kinds of attacks. Furthermore, cyber criminals adapt to newly developed security techniques. Therefore, security is an ongoing, required practice. Had a cyber crime taken place, security countermeasures would have been conducted. Among these countermeasures is digital forensics (DF), which collects the required evidence to prove a criminal guilty under the law. DF can be applied in different contexts: computers, smart phones [23, 22, 9], and networks [20, 2, 14].

ISBN: 978-0-9853483-7-3 ©2013 SDIWC 189

When a suspect's machine is taken over by Law Enforcement Agencies (LEA), different components will be examined. Investigators usually consider permanent storage devices such as hard drives [13, 8, 11] and solid state drives [12] to extract evidence about a crime. Such evidence could be incompletely deleted files or silently logged information. The physical memory (RAM), though volatile and non-deterministic, is used to recover data and find evidence [10, 19, 17, 25]. The OS allocates memory spaces for applications on demand. The RAM contents may stay for a long time if the relevant memory spaces are intact [1]. Both application-level and OS-level information (such as processes and threads) can be found in the RAM memory [18, 16]. This information can be used by investigators to recover data and induce evidence.

Searching the RAM memory for specific data is trivial if the data is stored sequentially in the RAM memory. This is usually the case when the data size is small. In this case, sequential search is good enough. In contrast, big-size data occupy several RAM memory pages that are not necessarily consecutive. This is because the OS applies the paging scheme (see Section 2.1) to manage processes' Virtual Address Space (VAS) and allocate memory spaces from the RAM memory.

This paper sheds light on how to search the RAM memory for criminals' activities that involve big-size files. These files will naturally span several RAM pages. We design representative experiments that demonstrate several criminals' activities involving files and show our findings.

Figure 1: An example mapping between the virtual pages and physical page frames using a page table. The VAS, physical memory, and page sizes are 64K, 32K, and 4K, respectively. The drawing is reproduced from [21].

This paper is organized as follows. First, we explain the paging scheme in OSes and our investigation model in Section 2. This is followed by Section 3, which explains our experiments, and then our results are shown in Section 4. A discussion and future work are in Section 5. Then related work and the conclusion follow.

2 Paging and Investigation Model

2.1 Paging

Modern Operating Systems (OSes) protect themselves from other processes and protect processes from each other by applying the notion of virtual addresses. Each process has its own VAS. The Memory Management Unit (MMU) allocates virtual pages from a process VAS in a page granularity. For example, the VirtualAlloc() and mmap() system calls are used to allocate virtual pages for calling processes in Windows and Linux, respectively [15]. The MMU in an OS (with hardware support) translates virtual addresses into their corresponding physical addresses using page tables. The physical memory (RAM) is logically divided into chunks of equal size, which are called page frames. Figure 1 shows how virtual pages are mapped into physical page frames using a page table. The figure also shows that consecutive virtual pages are not necessarily mapped to consecutive page frames. Consequently, as this paper concludes, searching for files in the RAM memory can be efficiently and effectively conducted in a page granularity.
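The translation described above, as an added example that is not code from the paper: a toy page table with the sizes of Figure 1 (64 KiB VAS, 32 KiB of RAM, 4 KiB pages, so 16 virtual pages and 8 frames). The mapping itself, the PageFault class and the function names translate, frames_backing, is_resident and is_contiguous_in_ram are assumptions made for this demo; the point it shows is that a buffer which is contiguous in a process's VAS (say, a file read into memory) is scattered over non-consecutive frames, which is what a search over a RAM dump has to expect.

```python
# Added example, not from the paper: a toy page table in the spirit of
# Figure 1.  64 KiB virtual address space, 32 KiB physical memory, 4 KiB
# pages -> 16 virtual pages and 8 page frames.  The mapping is constructed
# for this demo and is not claimed to be the one drawn in the figure.
PAGE_SIZE = 4096
NUM_VIRTUAL_PAGES = 16      # 64 KiB / 4 KiB
NUM_FRAMES = 8              # 32 KiB / 4 KiB

# virtual page number -> physical frame number; None means "not present"
# (never touched or swapped out).  Consecutive virtual pages deliberately
# land in non-consecutive frames.
PAGE_TABLE = {
    0: 2, 1: 1, 2: 6, 3: 0, 4: 4, 5: 3, 6: None, 7: None,
    8: 5, 9: None, 10: None, 11: 7, 12: None, 13: None, 14: None, 15: None,
}


class PageFault(Exception):
    """Raised when a virtual address maps to a page that is not in RAM."""


def translate(vaddr):
    """Translate a virtual address the way an MMU does: split it into a
    page number and an offset, look the page up, re-attach the offset."""
    if not 0 <= vaddr < NUM_VIRTUAL_PAGES * PAGE_SIZE:
        raise ValueError("virtual address outside the 64 KiB address space")
    vpn, offset = divmod(vaddr, PAGE_SIZE)
    frame = PAGE_TABLE[vpn]
    if frame is None:
        raise PageFault(f"virtual page {vpn} is not present in RAM")
    return frame * PAGE_SIZE + offset


def page_span(vaddr, length):
    """Virtual page numbers covered by a contiguous buffer [vaddr, vaddr+length)."""
    if length <= 0 or vaddr + length > NUM_VIRTUAL_PAGES * PAGE_SIZE:
        raise ValueError("buffer outside the 64 KiB address space")
    return range(vaddr // PAGE_SIZE, (vaddr + length - 1) // PAGE_SIZE + 1)


def is_resident(vaddr, length):
    """True when every page of the buffer currently has a frame in RAM."""
    return all(PAGE_TABLE[vpn] is not None for vpn in page_span(vaddr, length))


def frames_backing(vaddr, length):
    """Physical frames that hold a contiguous virtual buffer, in buffer order.
    A 3-page file read to vaddr 0 is contiguous in the VAS but lives in
    frames 2, 1 and 6 of RAM, so a dump search cannot assume adjacency."""
    if not is_resident(vaddr, length):
        raise PageFault("part of the buffer is not present in RAM")
    return [PAGE_TABLE[vpn] for vpn in page_span(vaddr, length)]


def is_contiguous_in_ram(vaddr, length):
    """True only if each successive page of the buffer sits in the next frame."""
    frames = frames_backing(vaddr, length)
    return all(b == a + 1 for a, b in zip(frames, frames[1:]))


if __name__ == "__main__":
    print(hex(translate(0x1005)))                   # virtual page 1 -> frame 1
    print(frames_backing(0, 3 * PAGE_SIZE))          # [2, 1, 6]
    print(is_contiguous_in_ram(0, 3 * PAGE_SIZE))    # False
```

The frames_backing result is the shape of the problem the rest of the paper addresses: the file's pages are all in RAM, each one frame-aligned, but in an order that has nothing to do with the file's own byte order.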

2.2 Investigation Model

Our investigation model is shown in Figure 2. A criminal gets an illegal copy of a file in one of four ways: explicitly downloading the file from the Internet, viewing the file in a web browser, downloading the file using a peer-to-peer network (such as BitTorrent), or copying the file from an external storage device (such as a flash memory). An investigator requires evidence to prove that the criminal has got a copy of the file by inspecting the criminal's RAM memory. In our model, the investigator realizes that files' contents are not necessarily consecutive in the RAM memory. Therefore, the process of recovering files in the RAM memory has to consider the paging technique used by the OS.

3 Experiments

Figure 3 shows the basic setup for our experiments. We use two virtual machines; one runs Linux Ubuntu 10.04 and the other runs Windows 7. Each VM has 512MB RAM memory. The RAM memory of the VM is dumped after running each experiment. The experiments demonstrate different scenarios of getting a file. We want to check if the way of getting a file has any effect on how the OS will load it in the RAM memory. File searching is affected by how a file is stored in the memory.

Figure 2: Investigation model: the violator can get a file by different means; directly downloading it from the Internet, viewing it in a web browser, downloading it from a peer-to-peer network (such as BitTorrent), or copying it from an external storage device. The RAM memory is used as intermediate storage. A file must be divided into several portions to fit RAM pages. Investigators check the criminal's RAM memory to find the file portions.

Figure 3: Basic experimental setup: two virtual machines (Linux Ubuntu 10.04 and Windows 7) are used to conduct our experiments. Each VM has 512 MB RAM.

1. Directly downloading a file from the Internet: In this experiment, we download a file (putty.exe: the well-known SSH client) into both Linux and Windows machines. We use the wget command to download the file in the Linux machine and the Save Link As command in the Internet Explorer of the Windows machine. This experiment represents the classical way of getting an Internet file. The RAM memory was dumped right after the download was complete. The experiment was repeated 10 times to ensure repeatability. The machines were restarted between the different runs. Furthermore, the downloaded file was deleted before each restart.

2. Viewing a picture in a website using a web browser: In this experiment, we open a website that has some text and a picture. We conduct the experiment in both Linux and Windows. We use the Firefox browser in the Linux machine and Internet Explorer in the Windows machine to check whether browsers on different OSes behave differently. The goal of this experiment is to search the RAM memory for the picture displayed by web browsers. This experiment represents another common on-the-fly way of getting a file. The RAM memory was dumped right after the relevant website was completely loaded. The experiment was repeated 10 times to ensure repeatability. The machines were restarted between the different runs. Furthermore, the histories (URL, cookies, cache, etc.) of the browsers were completely cleared before each restart.

3. Copying a file from a flash memory: People usually share files and multimedia materials with each other by different means such as flash memories, CDs, DVDs, and external hard drives. In this experiment, we search for files that are copied from a flash memory. We conduct the experiment in both Linux and Windows machines. The RAM memory of each machine was dumped right after the copy was complete. The experiment was repeated 10 times to ensure repeatability. The machines were restarted between the different runs. Furthermore, the copied file was deleted before each restart.

4. Downloading a file using BitTorrent: Here, we download a file (a pdf file) using BitTorrent, the well-known peer-to-peer network. We conduct this experiment in the Windows machine. We used BitTorrent version 7.7. This experiment represents a decentralized way of downloading a file. Each peer in the network will have some pieces of the file that are required to be shared. The file pieces are downloaded into the system in arbitrary order. The RAM memory was dumped right after the download was complete. The goal of this experiment is to search for files which are downloaded using BitTorrent.

5. Viewing a picture file using a picture viewer: In the above experiments, we search the RAM memory for unchanged file contents. In contrast, a file might be converted into another format while being viewed. For example, a picture can be encoded in different formats (JPEG, PNG, GIF, etc.) and then it needs to be decoded to be displayed. This experiment searches the RAM memory for a displayed JPEG picture. We used Image Viewer 3.2.1 in the Linux virtual machine to open the JPEG picture. After that, the RAM memory was dumped. We used the Python Imaging Library (PIL) to get the raw data of the same JPEG picture in the host machine. Finally, we search the dumped memory for the raw data of the picture, rather than its original format.

It is clear from the above experiments that we want to check how to search the RAM memory for files in different scenarios. We present our findings in the next section.

4 Results

In this section we present the results of the experiments explained in Section 3. We aim at showing that searching the RAM memory for files is effectively and efficiently conducted in a page granularity.

Figure 4: Directly downloading a file from the Internet.

Figure 5: File page alignment possibilities in the RAM memory.

Figure 6: Viewing a picture in a website using a web browser.

Figure 4 shows the results for the first experiment, in which we download a file from the Internet and then search the RAM memory for the file after the download is complete. The figure shows that all pages of the downloaded file (118 pages) are completely found in the RAM memories of both Linux and Windows machines. Figure 5 shows the different possibilities of file page alignments in the RAM memory. In case a, the file page occupies a RAM page. In cases b and c, the file page has its first portion stored in one page and the other one stored in the next or an arbitrary RAM page, respectively. In our results, we found that file pages were actually aligned to the RAM pages. Having the file pages aligned to RAM pages makes the searching process much more efficient. When comparing a file page to a RAM page, they might be equal or not. If they are not equal, then the search process continues to compare the file page to the next RAM page, rather than trying to find the file page in any place (i.e., viewing the RAM memory as one flat string), which requires trying to find a match starting from the next RAM byte. This is reflected in Figure 4, where the average times (for 10 different runs) to find a file page in the RAM memory are 0.11 second and 0.10 second in Linux and Windows, respectively.

Figure 6 shows the results for the second experiment, where we open a website that has a picture and then we search the RAM memory for that picture. The figure shows that only 1 page out of 186 was not found. This happened in both Linux and Windows machines, which run Firefox and Internet Explorer, respectively. The figure also shows the efficiency of searching in a page granularity technique, where the average time (for 10 different runs) to find a file page in the RAM memory is 0.08 second in both Linux and Windows. It is obvious that the picture pages were aligned to RAM pages (see case a in Figure 5).

Figure 7: Copying a file from a flash memory.

Figure 7 shows the results for the third experiment, where we copy a file from a flash memory into the hard drives of both Linux and Windows machines. All the file pages (118 pages) were completely found in both machines. The average times (for 10 different runs) to find a file page in the RAM memory are 0.10 second and 0.07 second in Linux and Windows, respectively.

Figure 8 shows the results for the fourth experiment, where we download a file using BitTorrent. This experiment is different from the above experiments in that the file is downloaded in arbitrary pieces, rather than as one unit. The BitTorrent application then collects the downloaded pieces to construct the file. The figure shows that 341 (out of 429) pages were found in the RAM memory after the download is complete. The BitTorrent application keeps a list of files even after the download is complete. If the downloaded file is deleted from the system and its information is removed from the BitTorrent list, then only 7 pages are found. The more not-found pages there are, the higher the average search time per page. This is because we stop searching for a page when it is found; a page that is absent has to be compared against all the RAM memory pages before we give up on it.

Figure 8: Downloading a file using BitTorrent.

Figure 9 shows the results for the last experiment, where we search the RAM memory for a viewed JPEG picture. We use Linux Image Viewer 3.2.1 to view the picture. The RAM memory is dumped right after viewing the picture. In the host machine, we use the PIL library to analyze the picture and extract its raw data format (decoded format). Then, the dumped memory was searched for the raw data using the same technique we used for file searching. This technique does not work here (0 pages found). This is because the raw data we search for is not a file whose pages the OS will align to RAM pages, as in the previous experiments. However, because the raw data are consecutive, we might still find them in the RAM memory in consecutive order (see case b in Figure 5). 63 pages (out of 66) were found when searching for the raw data in a flat RAM. The figure also shows the increase in the average time per page in the case of searching for a raw data page in a flat RAM, which confirms our earlier observation.

Figure 9: Viewing a picture file using a picture viewer.

In summary, searching the RAM memory for files can be effectively and efficiently conducted in a page granularity, where a file page is compared against a RAM page to find a match. If the match is not found, then the searching process resumes from the next RAM page rather than from the next RAM byte. Furthermore, if search data are not files but consecutive, then searching for the data pages can be effectively conducted in a flat RAM with performance degradation.
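The two search strategies summarised above, as an added example that is not the paper's own tooling: search_page_granular compares each page of the search target only against frame-aligned RAM pages and steps a whole frame on mismatch (case a of Figure 5), while search_flat treats the dump as one flat string and is what finds contiguous but unaligned data such as a decoded picture buffer (case b). The 32 KiB RAM image, the three-page "file" placed in frames 5, 2 and 6, and the 1.5-page "decoded picture" written 100 bytes into frame 3 are all constructed here; the function names are assumptions for the demo.

```python
import random

PAGE_SIZE = 4096


def split_pages(data, page_size=PAGE_SIZE):
    """Cut the search target into page-sized pieces; the last one may be short."""
    return [data[i:i + page_size] for i in range(0, len(data), page_size)]


def search_page_granular(dump, target, page_size=PAGE_SIZE):
    """Page-granularity search (case a in Figure 5): each target page is
    compared only against frame-aligned RAM pages, and a mismatch moves on
    by a whole frame rather than by one byte.  The scan for a page stops at
    its first hit; an absent page costs a pass over every frame, which is
    the cost asymmetry the BitTorrent result shows.
    Returns {target_page_index: frame_number or None}."""
    hits = {}
    for i, tpage in enumerate(split_pages(target, page_size)):
        hits[i] = None
        for frame, off in enumerate(range(0, len(dump), page_size)):
            if dump[off:off + len(tpage)] == tpage:
                hits[i] = frame
                break
    return hits


def search_flat(dump, target, page_size=PAGE_SIZE):
    """Byte-granularity search over the dump as one flat string (case b in
    Figure 5): finds contiguous data that is not frame-aligned, e.g. a
    decoded picture buffer, at a higher per-page cost.  Neither search finds
    a page whose two halves sit in unrelated frames (case c).
    Returns {target_page_index: byte_offset or None}."""
    hits = {}
    for i, tpage in enumerate(split_pages(target, page_size)):
        off = dump.find(tpage)
        hits[i] = off if off >= 0 else None
    return hits


def build_sample_dump(seed=1):
    """Constructed 32 KiB (8-frame) RAM image for the demo.  A three-page
    'downloaded file' is placed frame-aligned in non-consecutive frames 5, 2
    and 6; a 1.5-page 'decoded picture' is written contiguously but starting
    100 bytes into frame 3, so it straddles frames 3 and 4."""
    rng = random.Random(seed)

    def rand(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    file_data = rand(3 * PAGE_SIZE)
    decoded = rand(PAGE_SIZE + PAGE_SIZE // 2)
    dump = bytearray(rand(8 * PAGE_SIZE))            # unrelated background
    for page, frame in zip(split_pages(file_data), (5, 2, 6)):
        dump[frame * PAGE_SIZE:(frame + 1) * PAGE_SIZE] = page
    blob_off = 3 * PAGE_SIZE + 100
    dump[blob_off:blob_off + len(decoded)] = decoded
    return bytes(dump), file_data, decoded


if __name__ == "__main__":
    dump, file_data, decoded = build_sample_dump()
    print(search_page_granular(dump, file_data))   # {0: 5, 1: 2, 2: 6}
    print(search_page_granular(dump, decoded))     # {0: None, 1: None}
    print(search_flat(dump, decoded))              # {0: 12388, 1: 16484}
```

Against a real dump the same two functions apply unchanged; the page size is the only parameter, and on a dump of N frames the page-granular search costs at most N comparisons per target page, whereas the flat search may have to test a match at every one of the N times 4096 byte offsets.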

5 Discussion and future work

Even though the approach we provide in this paper is effective and efficient, there is still some space for improvement. The searching process can be easily parallelized. Searching for each file page can be done in parallel using threading or other parallel programming paradigms, such as the Message Passing Interface (MPI). Another direction to enhance the performance is to compute a hash value (checksum) for each RAM and file page and then compare the hash values for equality. Enhancing the performance of the searching process is future work.
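Both improvements proposed above, as an added example that is not the paper's code: the dump is hashed once, frame by frame, into a SHA-256 index (the hashing pass is split across threads; hashlib releases the GIL for large buffers, so this is real parallelism), and every file page is then a dictionary lookup instead of a scan over all frames. Every hit is confirmed by a byte comparison so a hash collision cannot produce a false match, and a short trailing file page, which cannot be hashed as a full frame, falls back to the page-granular prefix compare. The sample image (a three-page file in frames 5, 2, 6 and a 1.5-page file in frames 1 and 3) is constructed; function names are assumptions for the demo.

```python
import hashlib
import random
from concurrent.futures import ThreadPoolExecutor

PAGE_SIZE = 4096


def _hash_range(dump, first_frame, last_frame, page_size):
    """Hash frames [first_frame, last_frame) of the dump: one worker's share."""
    out = {}
    for frame in range(first_frame, last_frame):
        off = frame * page_size
        digest = hashlib.sha256(dump[off:off + page_size]).digest()
        out.setdefault(digest, []).append(frame)
    return out


def index_ram_pages(dump, page_size=PAGE_SIZE, workers=4):
    """One pass over the dump builds SHA-256(frame) -> [frame numbers].
    The pass is split into contiguous frame ranges, one per thread.  After
    this, looking up a file page is O(1) and an absent page no longer costs
    a full scan of the dump."""
    n_frames = (len(dump) + page_size - 1) // page_size
    step = max(1, -(-n_frames // workers))          # ceil(n_frames / workers)
    index = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [
            pool.submit(_hash_range, dump, s, min(s + step, n_frames), page_size)
            for s in range(0, n_frames, step)
        ]
        for fut in futures:
            for digest, frames in fut.result().items():
                index.setdefault(digest, []).extend(frames)
    return index


def hashed_page_search(dump, index, target, page_size=PAGE_SIZE):
    """Find every page of `target` via the index.  Hits are confirmed by a
    byte comparison (a collision can never yield a false match).  A short
    last page is not a full frame, so it is located by the paper's
    page-granular prefix scan instead.
    Returns {target_page_index: frame_number or None}."""
    hits = {}
    for i in range(0, len(target), page_size):
        tpage = target[i:i + page_size]
        idx = i // page_size
        hits[idx] = None
        if len(tpage) == page_size:
            for frame in index.get(hashlib.sha256(tpage).digest(), []):
                if dump[frame * page_size:(frame + 1) * page_size] == tpage:
                    hits[idx] = frame
                    break
        else:
            for frame, off in enumerate(range(0, len(dump), page_size)):
                if dump[off:off + len(tpage)] == tpage:
                    hits[idx] = frame
                    break
    return hits


def build_sample_dump(seed=7):
    """Constructed 8-frame image: a 3-page file in frames 5, 2 and 6, and a
    1.5-page file whose full page is frame 1 and whose 2 KiB tail opens
    frame 3 (the rest of frame 3 is unrelated data)."""
    rng = random.Random(seed)

    def rand(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    big = rand(3 * PAGE_SIZE)
    small = rand(PAGE_SIZE + PAGE_SIZE // 2)
    dump = bytearray(rand(8 * PAGE_SIZE))
    for k, frame in enumerate((5, 2, 6)):
        dump[frame * PAGE_SIZE:(frame + 1) * PAGE_SIZE] = big[k * PAGE_SIZE:(k + 1) * PAGE_SIZE]
    dump[1 * PAGE_SIZE:2 * PAGE_SIZE] = small[:PAGE_SIZE]
    dump[3 * PAGE_SIZE:3 * PAGE_SIZE + PAGE_SIZE // 2] = small[PAGE_SIZE:]
    return bytes(dump), big, small


if __name__ == "__main__":
    dump, big, small = build_sample_dump()
    index = index_ram_pages(dump)
    print(hashed_page_search(dump, index, big))     # {0: 5, 1: 2, 2: 6}
    print(hashed_page_search(dump, index, small))   # {0: 1, 1: 3}
```

The index is built once per dump and reused for every file the investigator wants to test, which is where the saving shows: the per-file cost drops from a scan of all frames per page to one hash per page, and frames that hold the same content (zero pages, duplicated cache pages) simply list several frame numbers under one digest.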

The last experiment (where we search for a displayed picture) opens the door for future research directions that involve searching for watched videos in the RAM memory. A video file might be converted from its original format into another while being watched.

Our experiments have been conducted in lightly loaded machines, which have little impact on the RAM memory. A violator might manage to use her machine very heavily to hide as much information from the RAM memory as possible. However, finding a few file pages in the RAM memory can be used as evidence against the violator. Furthermore, this research assumes that the violator's machine is not shut down or restarted, because the RAM memory is volatile. Finally, we assume that no useful structures, such as page tables and Virtual Address Descriptors (VADs), are present at the search time. Even if these structures are present, they might not point to valid pages any more.

6 Related work

Most system activities need to go through the RAM memory in order to accomplish their tasks. Inspecting the RAM memory is useful in DF for the wealth of information that resides there. The lifetime, sensitivity, and security of the RAM memory contents have been studied by different researchers [1, 10, 19, 17, 25, 18, 4, 7, 6, 5, 3].

The OS uses some data structures to keep track of the running and terminated processes. [16] searches the RAM memory for these structures. Process structures along with page tables, if found, can be used to recover process-related information, such as memory-mapped files. [24] recovers files based on the structures of processes and page tables. However, the structures they use might not exist in the first place or might not point to valid memory pages any more. Our work is orthogonal to their work in that we completely ignore the existence of these structures. We also test against several real-world scenarios of exchanging and opening files.

7 Conclusion

As the Internet plays a major role in connecting people together, cyber criminals misuse it by violating security and privacy policies. Cyber security tries to find effective techniques to prevent and detect cyber attacks. Digital Forensics (DF) is concerned with finding evidence to prove cyber criminals guilty under the law. Digital devices are inspected by different DF techniques to collect evidence. The RAM memory has a wealth of forensic information because most operations need to go through it. Therefore, the RAM memory needs to be carefully analyzed. Files are abstract units of data which people usually exchange by several means: direct or peer-to-peer download, copy from an external resource, or viewing in a web browser. When files are involved in a cyber crime, then a proof of owning or exchanging them needs to be presented. File searching in the RAM memory is challenging because the OS-level structures which point to them might not be present in the RAM memory or might point to invalid memory locations. This paper utilizes the way the OS manages the RAM memory to search for files. We show that file pages can be effectively and efficiently searched for in the RAM memory in a page granularity. Furthermore, we show that accusing a criminal of displaying a file requires searching for its possibly converted format while being viewed.

References

[1] M. I. Al-Saleh and Z. A. Al-Sharif. Utilizing data lifetime of TCP buffers in digital forensics: Empirical study. Digital Investigation, 2012.

[2] R. Beverly, S. Garfinkel, and G. Cardwell. Forensic carving of network packets and associated data structures. Digital Investigation, 8(Supplement 1):S78–S89, 2011. The Proceedings of the Eleventh Annual DFRWS Conference.

[3] P. Broadwell, M. Harren, and N. Sastry. Scrash: a system for generating secure crash information. In Proceedings of the 12th Conference on USENIX Security Symposium, SSYM'03, Berkeley, CA, USA, 2003. USENIX Association.

[4] J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding data lifetime via whole system simulation. In Proc. 13th USENIX Security Symposium, August 2004.

[5] J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum. Shredding your garbage: reducing data lifetime through secure deallocation. In Proceedings of the 14th Conference on USENIX Security Symposium, SSYM'05, Berkeley, CA, USA, 2005. USENIX Association.

[6] D. Engler, D. Y. Chen, S. Hallem, A. Chou, and B. Chelf. Bugs as deviant behavior: a general approach to inferring errors in systems code. In Proceedings of the Eighteenth ACM Symposium on Operating Systems Principles, SOSP '01, pages 57–72, New York, NY, USA, 2001. ACM.

[7] T. Garfinkel, B. Pfaff, J. Chow, and M. Rosenblum. Data lifetime is a systems problem. In Proceedings of the 11th Workshop on ACM SIGOPS European Workshop, EW 11, New York, NY, USA, 2004. ACM.

[8] P. Gutmann. Secure deletion of data from magnetic and solid-state memory. In Proceedings of the 6th Conference on USENIX Security Symposium, Focusing on Applications of Cryptography, SSYM'96, Berkeley, CA, USA, 1996. USENIX Association.

[9] M. I. Husain, R. Sridhar, S. Goel, O. Akan, P. Bellavista, J. Cao, F. Dressler, D. Ferrari, M. Gerla, H. Kobayashi, S. Palazzo, S. Sahni, X. S. Shen, M. Stan, J. Xiaohua, A. Zomaya, and G. Coulson. iForensics: Forensic Analysis of Instant Messaging on Smart Phones, volume 31, pages 9–18. Springer Berlin Heidelberg, 2010.

[10] H. Inoue, F. Adelstein, and R. A. Joyce. Visualization in testing a volatile memory forensic tool. Digital Investigation, 8(Supplement):S42–S51, 2011.

[11] M. Kiley, S. Dankner, M. Rogers, I. Ray, and S. Shenoi. Forensic Analysis of Volatile Instant Messaging, volume 285, pages 129–138. Springer Boston, 2008.

[12] C. King and T. Vidas. Empirical analysis of solid state disk data retention when used with contemporary operating systems. Digital Investigation, 8(Supplement):S111–S117, 2011. The Proceedings of the Eleventh Annual DFRWS Conference.

[13] J. L. Lyle. NIST CFTT: Testing disk imaging tools. IJDE, 1(4), 2003.

[14] E. S. Pilli, R. Joshi, and R. Niyogi. A generic framework for network forensics. International Journal of Computer Applications, 1(11):1–6, February 2010. Published by Foundation of Computer Science.

[15] M. E. Russinovich and D. A. Solomon. Microsoft Windows Internals, Fourth Edition. 2004.

[16] A. Schuster. Searching for processes and threads in Microsoft Windows memory dumps. Digital Investigation, 3(Supplement 1):10–16, 2006.

[17] A. Schuster. The impact of Microsoft Windows pool allocation strategies on memory forensics. Digital Investigation, 5(Supplement):S58–S64, 2008. The Proceedings of the Eighth Annual DFRWS Conference.

[18] M. Simon and J. Slay. Recovery of Skype application activity data from physical memory. In ARES, pages 283–288, 2010.

[19] J. Solomon, E. Huebner, D. Bem, and M. Szeżynska. User data persistence in physical memory. Digital Investigation, 4(2):68–72, 2007.

[20] P. Sommer. Intrusion detection systems as evidence. Computer Networks, 31(23–24):2477–2487, 1999.

[21] A. S. Tanenbaum. Modern Operating Systems. Prentice Hall Press, Upper Saddle River, NJ, USA, 3rd edition, 2007.

[22] V. L. Thing, K.-Y. Ng, and E.-C. Chang. Live memory forensics of mobile phones. Digital Investigation, 7(Supplement):S74–S82, 2010. The Proceedings of the Tenth Annual DFRWS Conference.

[23] T. Vidas, C. Zhang, and N. Christin. Toward a general collection methodology for Android devices. Digital Investigation, 8(Supplement):S14–S24, 2011.

[24] R. van Baar, W. Alink, and A. van Ballegooij. Forensic memory analysis: Files mapped in memory. Digital Investigation, 5(Supplement):S52–S57, 2008. The Proceedings of the Eighth Annual DFRWS Conference.

[25] A. Walters and N. L. Petroni. Volatools: Integrating volatile memory forensics into the digital investigation process. Digital Investigation, pages 1–18, 2007.
