As more businesses and government entities increasingly rely on computer networks to conduct their operations and store relevant data, security of these networks has become increasingly important. The need for increased security is emphasized when these networks are connected to non-secure networks such as the Internet. The preservation of important data and the ability to retrieve the data in the aftermath of a security breach has become the focus of Information Technology (IT) practitioners, particularly in the area of Incident Response (IR).
When a security breach occurs Incident Response Teams (IRTs) often respond, analyzing available information to determine the scope and risk associated with the breach. In order to accomplish this task they must collection information from IT assets, such as detection systems, firewalls, and computer systems. They must also collect data directly from potentially compromised assets to identify the methods employed by an attacker to accomplish the breach.
When attackers compromise an asset such as a computer system, they may install malicious software designed to damage a system, evade detection, or perform surveillance. In all cases these malicious programs (“malware”) alter the normal state of the compromised system, making collection of accurate information about the system (which is something necessary for performing meaningful IR) very difficult for response personnel. Malware can alter the state of a computer system to make it appear a compromise has not occurred. Only through detailed inspection of multiple aspects of a running system can a responder hope to effectively identify and confirm a compromise.
In order to account for malware on a compromised system and collect accurate information that may aid in responding to an incident, forensic techniques may be employed to derive system information through direct examination of the contents of a computer system's memory. By employing software that analyzes the information, structures, and anomalies present in system memory, the ability of an attacker to camouflage its activities is greatly reduced. These approaches are collectively referred to as memory forensics. These techniques differ from traditional computer forensics in that the focus is in discerning the live state of a computer system through review of memory rather than looking at the “dead” state of a system through examination of the contents of storage media, such as hard drives.
The field of memory forensics is relatively new in the digital forensics arena, especially when compared to techniques in practice for the analysis of storage media. As such, many problems remain unsolved and new methods for memory analysis are being developed constantly. Existing methods face numerous challenges, such as the rapid change of modern operating systems, the variety of operating systems present in the marketplace today, and the fact that most information associated with live system state for a computer system is not a common topic of information sharing, particularly for proprietary operating system vendors. As such, the practice of memory forensics is relegated to a highly specialized cadre of computer and security researchers with advanced degrees and many years of experience in the field. A strong need exists in the industry to provide capabilities that utilize memory forensic techniques in such a way as to make their benefits accessible to IT professionals in various enterprise and organizational environments. In particular, a need exists to be able to accurately identify various elements within a computer system, including characteristics such as operating system type and version, memory management configuration, and virtual machine state of the computer system.