Abstract

This chapter demonstrates the types of information that can be obtained from memory dumps and page files from Windows and Linux systems using a variety of tools, and describes key memory structures and how to interpret them. The process of examining memory is similar to that of handling digital evidence on storage media and other sources. As with any source of digital evidence, one major challenge is to separate the malicious code and associated data from the large amount of legitimate, benign data. As memory forensics evolves, better tools and techniques are emerging to help digital investigators perform data reduction. The ability to organize the data in a memory dump and search for specific information is critically important for memory forensics. Existing tools for examining memory dumps support only a limited degree of parsing and searching functionality. In addition to acquiring a full memory image of a subject Linux system, it is also valuable for the investigator to gather the contents of process memory associated with suspicious processes, as this greatly decreases the amount of data that needs to be parsed.
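The last two points of the abstract, acquiring the memory of a single suspicious Linux process and then reducing and searching what was collected, can be illustrated with the `/proc` interface. The following is an added example written for this page; it is not code from the chapter or its authors. It assumes a Linux system where `/proc/<pid>/maps` and `/proc/<pid>/mem` are available and the investigator has ptrace access to the target (typically root). The `SAMPLE_MAPS` text and the byte buffer in `find_strings` are constructed inputs, and the output directory name is an arbitrary placeholder.

```python
"""Acquire one Linux process's memory via /proc and triage it (added example)."""
import os
import re
from dataclasses import dataclass
from typing import List

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample in the layout of /proc/<pid>/maps (not from a real system).
SAMPLE_MAPS = """\
55d4c2a00000-55d4c2a01000 r--p 00000000 fd:01 1311 /usr/bin/cat
55d4c2a01000-55d4c2a05000 r-xp 00001000 fd:01 1311 /usr/bin/cat
7f1a3c000000-7f1a3c021000 rwxp 00000000 00:00 0
7ffd1b2e0000-7ffd1b301000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str  # empty for anonymous mappings, "[stack]" etc. for pseudo-paths

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def readable(self) -> bool:
        return self.perms.startswith("r")


def parse_maps(text: str) -> List[Region]:
    """Parse the text of /proc/<pid>/maps into Region records; skip malformed lines."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def suspicious_regions(regions: List[Region]) -> List[Region]:
    """Data reduction: a common triage heuristic is to look first at mappings that
    are writable and executable but backed by no file on disk (anonymous memory),
    since legitimate code normally lives in read-only, file-backed mappings."""
    return [r for r in regions
            if "w" in r.perms and "x" in r.perms and not r.path.startswith("/")]


def dump_process(pid: int, out_dir: str, only_readable: bool = True) -> List[str]:
    """Write each readable mapping of `pid` to its own file; return the file names.
    Requires ptrace permission on the target (root, or same uid with Yama relaxed)."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    os.makedirs(out_dir, exist_ok=True)
    written = []
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        for r in regions:
            if only_readable and not r.readable:
                continue
            try:
                data = os.pread(fd, r.size, r.start)
            except OSError:
                continue  # e.g. [vvar] and guard pages refuse reads; skip them
            name = os.path.join(out_dir, f"{r.start:016x}-{r.end:016x}.bin")
            with open(name, "wb") as out:
                out.write(data)
            written.append(name)
    finally:
        os.close(fd)
    return written


def find_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Extract runs of printable ASCII, the simplest search over a dumped region."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


if __name__ == "__main__":
    regions = parse_maps(SAMPLE_MAPS)
    for r in suspicious_regions(regions):
        print(f"anonymous rwx mapping at {r.start:#x}, {r.size} bytes")
    # To acquire a live process (needs ptrace access), e.g.:
    #   files = dump_process(1234, "/tmp/evidence/pid1234")  # placeholder pid and path
    #   for f in files: print(f, find_strings(open(f, "rb").read())[:10])
```

The parse step is separated from the acquisition step so that maps files collected from a live system can be triaged offline, and so that the region selection (the data reduction the abstract refers to) can be tightened or loosened without re-reading process memory.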
