Dementia bluffs live memory analysis

Powered by SC Magazine
 

Forensics fooled.

View larger image View larger image View larger image

See all pictures here »

A security researcher has released a tool that hides a computer's memory to defeat live digital forensics efforts.

Dementia is a proof of concept tool for hiding various OS artifacts from the memory or crash dumps acquired by the memory acquisition software.

Creator Luka Milković told SC ahead of the Chaos Communication Congress last month the method used was an extension of existing research into disk anti-forensics. 

 

"It's intention is to raise awareness for (or to remind) the forensic professionals that memory forensics, any other live forensic process and forensic applications have potential pitfalls and problems." 
It could hide operating system objects like processes and threads from a host of forensic analysis applications including Volatility and Memoryze.

The Infigo security consultant said two fundamental problems with acquisition tools are that they are usually run on machines not controlled by the handler, meaning attackers can have a kernel-level visibility and control over the system. A further complication was that tools must dump their data either on a local or external disk, or on a networked machine.

"Although these issues are well known, many incident handlers and forensic experts are still using those methods because the alternatives are rare, difficult to use in practice or expensive," Milković said.

By combining these two issues and controlling the process of dump writing, attackers can defeat most live memory acquisition methods used by forensics experts and incident handlers.

Previous recent research into memory anti-forensic techniques and methods made it difficult to impossible to hide operating system objects like network connections and processes.

The research included methods that completely blocked the acquisition process and were therefore easy to detect, thwarted the acquisition and analysis processes by tricking the memory manager and modifying the kernel structures.

Copyright © SC Magazine, Australia


 
 
 
Top Stories
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
The CISO’s dilemma: Do you trust your partner’s partner?
[Blog post] How far down the chain do you check?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 318

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  57%
 
No
  43%
TOTAL VOTES: 121

Vote