In recent years, malicious acts such as unauthorized intrusion into an information processing apparatus, information leakage, and destruction of electronic data, caused by a malicious program (hereinafter referred to as “malware”) such as a virus, have occurred in information processing apparatuses such as a computer.
Various events (hereinafter referred to as “cyber incidents” or “incidents”) caused by such malicious acts may occur in an information processing apparatus and the like. As techniques for investigating the cause of such an event, there are known, for example, techniques for analyzing data remaining in a non-volatile storage device (such as a hard disk) constituting an information processing apparatus, a communication record, and the like. Hereinafter, various types of investigations of cyber incidents may be referred to as “digital forensics” or “forensics.”
Among investigation techniques related to digital forensics, the aforementioned technique of analyzing remaining data in a non-volatile storage device and a communication record is known to have the following limitations.
First, it takes time to analyze record data remaining in the non-volatile storage device and a communication record, which hinders quick response to an incident. More specifically, for example, when analyzing a log and a communication record in an information processing apparatus, acquisition and analysis of a vast amount of complex log data are required. Since it takes time to collect and analyze log data, it may be difficult to respond quickly when an incident occurs.
Further, in recent years, malware itself and various types of related data may be recorded in the non-volatile storage device in an encrypted form. When recorded data remaining in the non-volatile storage device are encrypted, it is often very difficult to decrypt the data, and analysis may become practically difficult.
Similarly, for example, when malware performs various types of communication processing by using an advanced cryptographic method such as public-key cryptography, it is difficult to decrypt collected communication data.
Further, malware itself may be configured to be active only in a volatile memory in an information processing apparatus, and configured not to be stored in the non-volatile storage device. In this case, it is impossible to detect the malware by analyzing remaining data in the non-volatile storage device. Additionally, since the timing and the period of an activity of the malware are unknown, sufficient information may not be obtained even by analyzing record data in the non-volatile storage device at a specific timing.
Further, when integrity of data remaining in the non-volatile storage device is impaired due to falsification, deletion, or the like by malware, useful data as an analysis target may not remain.
Accordingly, a forensics technique of acquiring various types of information while a system composed of an information processing apparatus and the like is in an operating state, and performing various types of investigation and analysis of the collected information, has recently come into use. Such an investigation technique is hereinafter referred to as a “live forensics” technique in the present application. In such a live forensics technique, for example, data stored in a volatile storage device (such as a memory) in an information processing apparatus in operation are included in an investigation target.
By use of such a live forensics technique, for example, the moment at which malware is active (or, almost simultaneously, the state in which malware is active) in an information processing apparatus may be captured. Further, since data stored in the volatile storage device can be acquired, an encryption key loaded in memory may be acquired. In this case, various types of cryptographic communication and encrypted data may be decrypted. Additionally, it becomes possible to analyze malware that performs no input or output with respect to a non-volatile storage device (that is, malware that leaves no trace in a non-volatile storage device).
The following patent literatures disclose technologies used in the forensics technique or the live forensics technique as described above.
PTL 1 discloses a technology of detecting unauthorized intrusion into a computer network. The technology disclosed in PTL 1 induces an attacker into a virtual decoy host provided in a decoy network device, and generates attack identification information by recording a behavior of the attacker in the host. The technology disclosed in PTL 1 saves the generated attack identification information as forensic data, and generates an attack signature applied to an intrusion prevention system, in accordance with the forensic data.
PTL 2 and PTL 3 below disclose technologies of acquiring various types of data stored in a volatile main memory in an information processing apparatus. These technologies are not directly related to the aforementioned live forensics technique.
PTL 2 discloses a technology for debugging a computer program, and for reproducing a memory state at any time point in equipment in which the program is executed. The technology disclosed in PTL 2 acquires all data transmitted and received through a bus connecting a processor and a memory device in the debug target equipment, and stores bus access information in which the acquired data are arranged on a time-series basis. The technology disclosed in PTL 2 reproduces the memory state of the debug target equipment at a specific time point by acquiring the memory state at the timing when a failure occurred, and successively and retroactively applying the data stored in the bus access information to that memory state.
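The reconstruction described for PTL 2 can be made concrete with a small model. The following is an added example, not code from PTL 2 or from the present application; the bus log format, the timestamps, the memory dump and the `reproduce_state` and `log_matches_failure_state` functions are all constructed for illustration. The log holds every read and write seen on the bus in time order, the dump is the memory state at the failure timing, and earlier states are reproduced by undoing later writes one by one, taking each overwritten value from the most recent earlier access to the same address. Where the log contains no earlier access to an address, the reproduced value is reported as unknown (`None`) rather than guessed, which is the case an analyst must watch for when the capture did not start at power-on.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BusAccess:
    """One transfer observed on the processor-memory bus (constructed format)."""
    time: int        # capture timestamp; strictly increasing in the log
    address: int     # physical address driven on the bus
    value: int       # data byte transferred
    is_write: bool   # True for a processor write, False for a read


# Constructed sample bus log. The last entry is the final access before the failure.
SAMPLE_LOG: List[BusAccess] = [
    BusAccess(1, 0x1000, 0x11, True),
    BusAccess(2, 0x1004, 0x22, True),
    BusAccess(3, 0x1000, 0x11, False),   # a read also records what was present
    BusAccess(4, 0x1000, 0x33, True),    # overwrites 0x11 with 0x33
    BusAccess(5, 0x1008, 0x44, True),
    BusAccess(6, 0x1004, 0x55, True),    # last write before the failure
]

# Constructed memory dump taken at the failure timing (time 6).
FAILURE_STATE: Dict[int, int] = {0x1000: 0x33, 0x1004: 0x55, 0x1008: 0x44}


def log_matches_failure_state(failure_state: Dict[int, int],
                              log: List[BusAccess]) -> bool:
    """Sanity check before reconstruction: the last write to every address in
    the log must agree with the dump, otherwise the log and dump are not from
    the same run (or the capture dropped transfers)."""
    last_write: Dict[int, int] = {}
    for acc in sorted(log, key=lambda a: a.time):
        if acc.is_write:
            last_write[acc.address] = acc.value
    return all(failure_state.get(addr) == val for addr, val in last_write.items())


def reproduce_state(failure_state: Dict[int, int],
                    log: List[BusAccess],
                    target_time: int) -> Dict[int, Optional[int]]:
    """Return the memory state as it was immediately after `target_time`.

    Starting from the dump at the failure timing, writes are undone from the
    latest backwards until `target_time` is reached. The value that a write
    replaced is taken from the most recent earlier access (read or write) to
    the same address; if there is none, the value is unknown and left as None.
    """
    state: Dict[int, Optional[int]] = dict(failure_state)
    ordered = sorted(log, key=lambda a: a.time)
    for acc in reversed(ordered):
        if acc.time <= target_time:
            break                      # everything earlier is already in effect
        if not acc.is_write:
            continue                   # reads do not change memory
        prior = [p for p in ordered
                 if p.address == acc.address and p.time < acc.time]
        state[acc.address] = prior[-1].value if prior else None
    return state


if __name__ == "__main__":
    assert log_matches_failure_state(FAILURE_STATE, SAMPLE_LOG)
    for t in (5, 3, 0):
        snapshot = reproduce_state(FAILURE_STATE, SAMPLE_LOG, t)
        print(f"after time {t}:",
              {hex(a): (None if v is None else hex(v)) for a, v in snapshot.items()})
```

Run stand-alone, the script reports that at time 3 address 0x1000 held 0x11 and 0x1008 had not yet been written, and that at time 0 nothing can be reproduced at all because the log has no access preceding the first writes. The `log_matches_failure_state` check is the step worth keeping in a real tool: if the dump and the log disagree, every reconstructed earlier state is untrustworthy.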
PTL 3 discloses a technology of converting the physical address of data transmitted and received through a bus connecting a processor and a memory into a logical address, and presenting the converted logical address, on the basis of all data transmitted and received through the bus and address conversion information held in the processor.
PTL 4 and PTL 5 below disclose forensics techniques relating to analyzing remaining data in a non-volatile storage device and a communication record.
PTL 4 discloses a technology of assigning a hash key and time information to every communication packet acquired at a predetermined connecting point in a communication network, and saving the packet data. When a failure occurs, the saved packet data are analyzed.
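The packet-saving scheme attributed to PTL 4 pairs each captured packet with a hash key and the capture time so that the saved data can later be located by time and checked for integrity. The following is an added example written here to illustrate that scheme; it is not code from PTL 4, and the `PacketStore` class, the `SavedPacket` record, the use of SHA-256 as the hash key and the sample packets are all constructed assumptions. It shows the two operations an analyst needs when a failure is later investigated: selecting the packets saved within a time window, and verifying that the saved bytes still match the hash assigned at capture time. Identical packets captured at different times share one hash key, so records are grouped per key rather than overwritten.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SavedPacket:
    """A packet as saved at the capture point (constructed record layout)."""
    hash_key: str        # hex SHA-256 of the packet bytes, assigned at capture
    captured_at: float   # capture time in seconds (constructed clock)
    data: bytes          # raw packet bytes


def hash_key_for(data: bytes) -> str:
    """Hash key assigned to a packet; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).hexdigest()


class PacketStore:
    """Saves packets keyed by hash and ordered by capture time."""

    def __init__(self) -> None:
        self._by_key: Dict[str, List[SavedPacket]] = {}
        self._by_time: List[SavedPacket] = []

    def save(self, data: bytes, captured_at: float) -> str:
        key = hash_key_for(data)
        record = SavedPacket(key, captured_at, data)
        self._by_key.setdefault(key, []).append(record)
        self._by_time.append(record)
        return key

    def lookup(self, key: str) -> List[SavedPacket]:
        """All saved occurrences of a packet with this hash key (may be several)."""
        return list(self._by_key.get(key, []))

    def in_window(self, start: float, end: float) -> List[SavedPacket]:
        """Packets captured with start <= captured_at <= end, in capture order."""
        return sorted((r for r in self._by_time if start <= r.captured_at <= end),
                      key=lambda r: r.captured_at)

    def records(self) -> List[SavedPacket]:
        return list(self._by_time)


def verify_records(records: List[SavedPacket]) -> List[str]:
    """Recompute each record's hash; return the keys whose saved bytes no longer
    match, i.e. records that were altered after capture."""
    return [r.hash_key for r in records if hash_key_for(r.data) != r.hash_key]


def build_sample_store() -> PacketStore:
    """Constructed capture: three packets, the first one repeated later."""
    store = PacketStore()
    dns_query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
    http_get = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    store.save(dns_query, 100.0)
    store.save(http_get, 101.5)
    store.save(dns_query, 107.0)        # same bytes again, different time
    return store


if __name__ == "__main__":
    store = build_sample_store()
    key = hash_key_for(b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")
    print("HTTP packet saved at:", [r.captured_at for r in store.lookup(key)])
    print("packets in [100, 102]:", len(store.in_window(100.0, 102.0)))
    print("tampered keys:", verify_records(store.records()))
```

The integrity check is deliberately separate from the store so it can be run over records exported from any medium; a record whose bytes were modified after capture is reported by its key, and a clean store yields an empty list.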
PTL 5 discloses a technology of identifying a terminal in which anomalous activity has occurred, by analyzing communication data transmitted and received in a communication network. The cause of the anomalous activity is analyzed by preserving, as evidence, a record of the hard disk in the identified terminal.