1. Field of the Invention
The present invention relates to a device and method for extracting data stored in a volatile memory and, more particularly, to a memory-data extracting device and method for ensuring the integrity of data extracted from a volatile memory installed in a computer.
2. Discussion of Related Art
In order to take effective action against crimes committed using electronic equipment, the targets of digital forensic evidence acquisition and analysis have gradually extended to computers, mobile phones, and personal digital assistants (PDAs). In particular, when the digital forensic target is a computer, useful evidence may be collected not only from the hard disk, a non-volatile storage medium, but also from main memory, a volatile storage medium.
Methods for collecting data stored in a volatile memory include a first method that forcibly generates a system error in order to use the crash dump file in which the operating system (OS) automatically stores memory data when a serious system error occurs, a second method that directly extracts memory data using an external hardware device capable of accessing the memory directly, and a third method that uses a memory dump program to extract the data stored in memory through a memory interface provided by the OS.
The method of forcibly generating an error has the drawback that the crash dump file must be converted into a format suited to the digital forensic process, since the OS stores the memory data in its own proprietary dump format. The method of extracting memory data with an external hardware device has the drawbacks of high cost, since dedicated memory-imaging hardware is required, and of inapplicability to computers that do not support the corresponding hardware interface. The method using a memory dump program, on the other hand, is the most widely used, since the format of the image file can be chosen freely as needed and no additional hardware is required.
In general, such a memory dump program runs as a user process in the user region of memory. Because it runs concurrently with other user processes, the data stored in memory may change during extraction whenever a task switch occurs while the memory dump program is operating.
For example, if a task switch occurs after the memory dump program has extracted only part of the memory data, another user process may alter a memory region that the memory dump program has not yet copied. Even though the memory dump program stores the remaining memory data once it resumes after the task switch, the stored memory data then contain a temporal mismatch: different regions of the image reflect the state of memory at different points in time.
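The temporal mismatch described above can be reproduced deterministically in a small simulation. The following C program is an added example for this page, not code from the patent: it models volatile memory as four 64-byte pages holding an OS-style bookkeeping structure with a generation counter in a header (page 0) and the same counter in a trailer (end of page 3), and lets a simulated "other process" perform one complete, self-consistent update after each page the dumper copies when the dumper is preemptible. The page layout, the generation counter, the offsets and all function names are constructed assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a user-mode memory dump racing another user process.
 *   page 0        : header  { generation counter, record count }
 *   pages 1..2    : record area
 *   end of page 3 : trailer { generation counter }
 * Every update bumps the header generation, rewrites the records, and finally
 * copies the generation into the trailer, so a memory image that reflects a
 * single point in time always satisfies header.gen == trailer.gen.
 */
#define PAGE_SIZE 64
#define NPAGES    4
#define MEM_SIZE  (PAGE_SIZE * NPAGES)

#define OFF_HDR_GEN   0
#define OFF_HDR_COUNT 4
#define OFF_RECORDS   PAGE_SIZE
#define OFF_TRL_GEN   (MEM_SIZE - 4)

static uint8_t g_mem[MEM_SIZE];   /* the simulated volatile memory (assumed layout) */

static uint32_t rd32(const uint8_t *base, size_t off) {
    uint32_t v;
    memcpy(&v, base + off, sizeof v);   /* memcpy avoids unaligned-access issues */
    return v;
}

static void wr32(uint8_t *base, size_t off, uint32_t v) {
    memcpy(base + off, &v, sizeof v);
}

/* Reset the simulated memory to a consistent state at generation 'gen'. */
void reset_memory(uint32_t gen) {
    memset(g_mem, 0, MEM_SIZE);
    wr32(g_mem, OFF_HDR_GEN, gen);
    wr32(g_mem, OFF_TRL_GEN, gen);
}

/* One scheduling quantum of another user process: a complete update of the
 * structure, written header first, records next, trailer last. */
static void other_process_runs(void) {
    uint32_t gen = rd32(g_mem, OFF_HDR_GEN) + 1;
    wr32(g_mem, OFF_HDR_GEN, gen);
    wr32(g_mem, OFF_HDR_COUNT, rd32(g_mem, OFF_HDR_COUNT) + 1);
    memset(g_mem + OFF_RECORDS, (int)(gen & 0xff), 2 * PAGE_SIZE);
    wr32(g_mem, OFF_TRL_GEN, gen);
}

/* Copy memory page by page into 'image'. With 'preemptible' set, the dumper
 * behaves like a user process: after each page it is task-switched out and
 * the other process gets to run before the next page is copied. */
void dump_memory(uint8_t image[MEM_SIZE], bool preemptible) {
    for (int p = 0; p < NPAGES; p++) {
        memcpy(image + p * PAGE_SIZE, g_mem + p * PAGE_SIZE, PAGE_SIZE);
        if (preemptible)
            other_process_runs();
    }
}

/* Generation gap between trailer and header of an image. 0 means the image
 * reflects one point in time; anything else is a torn, temporally
 * mismatched image. */
int32_t image_generation_gap(const uint8_t image[MEM_SIZE]) {
    return (int32_t)(rd32(image, OFF_TRL_GEN) - rd32(image, OFF_HDR_GEN));
}

bool image_is_consistent(const uint8_t image[MEM_SIZE]) {
    return image_generation_gap(image) == 0;
}

/* Acquire an image with the given dumper model and return its generation gap. */
int32_t acquire_and_measure_gap(bool preemptible) {
    uint8_t image[MEM_SIZE];
    dump_memory(image, preemptible);
    return image_generation_gap(image);
}

int main(void) {
    reset_memory(100);
    int32_t torn = acquire_and_measure_gap(true);
    int32_t whole = acquire_and_measure_gap(false);
    printf("preemptible user-mode dump : generation gap %d (%s)\n",
           torn, torn == 0 ? "consistent" : "torn");
    printf("uninterrupted dump         : generation gap %d (%s)\n",
           whole, whole == 0 ? "consistent" : "torn");
    return 0;
}
```

The preemptible dumper copies the header at one generation and the trailer three updates later, so the gap equals the number of task switches that occurred between the first and last page (three here), while the uninterrupted dumper yields a gap of zero. In a real acquisition the mismatch is not announced by a convenient counter, which is exactly why a torn image can pass unnoticed until analysis of cross-page structures fails.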
Accordingly, a conventional memory-data extracting device such as a memory dump program has the drawback that the integrity of the collected evidence, which is the most basic requirement of a digital forensic system, cannot be ensured. In particular, when a user process starts or terminates while the memory data are being extracted and the contents of the OS data structures change as a result, evidence analysis becomes impossible, since the boundaries of the process region, the thread region, and the memory region can no longer be identified from the image.