
Forenscope: A Framework for Live Forensics

Ellick Chan†, Shivaram Venkataraman†, Francis David∗, Amey Chaugule†, Roy Campbell†
emchan@illinois.edu, venkata4@illinois.edu, francis.david@microsoft.com, achaugu2@illinois.edu, rhc@illinois.edu
†University of Illinois, ∗Microsoft

ABSTRACT

Current post-mortem cyber-forensic techniques may cause significant disruption to the evidence gathering process by breaking active network connections and unmounting encrypted disks. Although newer live forensic analysis tools can preserve active state, they may taint evidence by leaving footprints in memory. To help address these concerns we present Forenscope, a framework that allows an investigator to examine the state of an active system without the effects of taint or forensic blurriness caused by analyzing a running system. We show how Forenscope can fit into accepted workflows to improve the evidence gathering process. Forenscope preserves the state of the running system and allows running processes, open files, encrypted filesystems and open network sockets to persist during the analysis process. Forenscope has been tested on live systems to show that it does not operationally disrupt critical processes and that it can perform an analysis in less than 15 seconds while using only 125 KB of memory. We show that Forenscope can detect stealth rootkits, neutralize threats and expedite the investigation process by finding evidence in memory.

Keywords: forensics, introspection, memory remanence

1. INTRODUCTION

Current forensic tools are limited by their inability to preserve the hardware and software state of a system during investigation. Post-mortem analysis tools require the investigator to shut down the machine to inspect the contents of the disk and identify artifacts of interest. This process breaks network connections and unmounts encrypted disks, causing significant loss of potential evidence and possible disruption of critical systems. In contrast, live forensic tools can allow an investigator to inspect the state of a running machine without disruption. However, existing tools can overwrite evidence present in memory or alter the contents of the disk, causing forensic taint which lowers the integrity of the evidence. Furthermore, taking a snapshot of the system can result in a phenomenon known as forensic blurriness [26] where an inconsistent snapshot is captured because the system is running while it is being observed. Forensic blurriness affects the fidelity and quantity of evidence acquired and can cast doubt on the validity of the analysis, making the courts more reluctant to accept such evidence [4].

Experts at the SANS institute and DOJ are starting to recognize the importance of volatile memory as a source of evidence to help combat cybercrime [1, 3]. In response, the SANS institute recently published a report on volatile memory analysis [7]. To help address the limitations of existing volatile memory analysis tools we present Forenscope, a framework for live forensics that can capture, analyze and explore the state of a computer without disrupting the system or tainting important evidence. Section 2 shows how Forenscope can fit into accepted workflows to enhance the evidence gathering process.

Forenscope leverages DRAM memory remanence to preserve the running operating system across a "state-preserving reboot" (Section 3) which recovers the existing OS without having to go through the full boot-up process. This process enables Forenscope to gain complete control over the system and perform taint-free forensic analysis using well grounded introspection techniques [22]. Finally, Forenscope resumes the existing OS, preserving active network connections and disk encryption sessions, causing minimal service interruption in the process. Forenscope captures the contents of system memory to a removable USB device and activates a software write blocker to inhibit modifications to the disk. To maintain fidelity, it operates exclusively in 125 KB of unused legacy conventional memory and does not taint the contents of extended memory. Since Forenscope preserves the state of a running machine, it is suitable for use in production and critical infrastructure environments. We have thoroughly tested and evaluated Forenscope on an SEL-1102, a power substation industrial computer, and an IBM desktop workstation. The machines were able to perform their duties under a variety of test conditions with minimal interruption, and running Forenscope did not cause any network applications to time out or fail. Our current implementation is based on Linux 2.6, although the technique is also applicable to other major operating systems.

We have implemented several modules that can check for the presence of malware, detect open network sockets and locate evidence in memory such as rootkit modifications to help the investigator identify suspicious activity.


The contributions of this work include:

1. An extensible software framework for high-fidelity live forensics conforming to the best practices of a legal framework of evidence.
2. Efficient techniques to gather, snapshot and explore a system without bringing it down.
3. Implementation and evaluation on several machines including a standard industrial machine and against several anti-forensics rootkits.

This paper is organized as follows: Section 2 introduces cyber-forensics followed by Section 3 which describes the design of Forenscope. We evaluate the effectiveness of Forenscope in Section 4. Section 5 discusses forensics issues, Section 6 surveys related work and Section 7 concludes.

2. BACKGROUND

To provide an overview of the accepted legal framework of evidence collection currently in place, we summarize the workflow from the CERT guide on FBI investigation [10]:

1. Preserve the state of the computer by creating a backup copy of logs and files left by the intruder.
2. If the incident is in progress, log activity.
3. Document the losses suffered by your organization.
4. Contact law enforcement.

While the steps executed are similar for various cases, there are special requirements for each case. For instance, in criminal investigation, integrity and fidelity of the data is paramount. As evidence presented in court must be as accurate as possible, special steps must be taken to ensure fidelity. For incident response, the goal is to detect and react to security breaches while minimizing the intrusiveness of the process. In some critical systems it is impractical to interrupt the system to perform forensic analysis of a potential breach, and service level agreements (SLAs) may impose financial penalties for downtime. The cases chosen above are examples of evidentiary requirements, but a more thorough analysis is beyond the scope of this paper. To preserve the fidelity of the original evidence, many forensic workflows capture a pristine image of the evidence and draw conclusions based on analysis of the copy. Conventional post-mortem forensic workflows perform this task by physically shutting down a computer and copying the contents of the hard drive for subsequent analysis. On the other hand, live forensics are often desired for step 2 because they provide access to networked resources such as active SSH and VPN sessions, remote desktop connections, IM clients and file transfers. However, even state-of-the-art solutions often cannot image a system with high fidelity and frequently introduce taint in the process. In summary, existing tools require the investigator to make a tradeoff between increased fidelity through post-mortem analysis or the potential to collect important volatile information using live forensic tools at the cost of tainting evidence.

One of the key issues in collecting volatile information is that various forms of data such as CPU registers, memory, disk and network connections have different lifetimes. To maximize evidence preservation, RFC 3227 [8] outlines the order of volatility of these resources and dictates the order in which evidence should be collected for investigation. Commercial products currently used by forensic experts for incident response such as Encase, Helix, FTK Imager and Memoryze¹, etc., do not capture all forms of data. A comparison of these products is presented in Table 1. Scalpel and Sleuth kit are solely designed for disk analysis while other tools such as Encase, Helix and FTK include some level of memory capture and analysis capability. Memoryze is the only tool listed in the table that performs volatile memory analysis. Some tools such as Helix, FTK and Memoryze can list the state of open network sockets, but the underlying network connections are not preserved during the analysis process. All live forensic tools listed in this table rely on the integrity of the running kernel. Compromised systems may provide inaccurate information. Evidence preservation and minimizing forensic intrusiveness are hard problems that haven't been adequately addressed in the literature.

In contrast, Forenscope was built to comply with steps 1 and 2 where it maximizes the preservation of evidence and avoids disruption of ongoing activities to allow the capture of high fidelity evidence. As a result, we believe that Forenscope may be more broadly applicable to various scenarios which require live forensics such as incident response and criminal investigation. For incident response, we recognize that the integrity of the machine may be violated by malware and our solutions have been designed to address this scenario. For criminal investigation, we presume that the machine may have various security mechanisms implemented such as encrypted disks coupled with authentication mechanisms such as logon screens and screensaver locks.

3. DESIGN

Forenscope utilizes the principle of introspection to provide a consistent analysis environment free of taint and blurriness which we term the golden state. In this state, the system is essentially quiescent and queries can be made to analyze the system. As a result, analysis modules can access in-memory data structures introspectively. The investigator activates Forenscope by forcing a reset where the state of the machine is preserved by memory remanence in the DRAM chips. Then, the investigator boots off the Forenscope media which performs forensic analysis on the latent state of the system and restores the functionality of the system for further live analysis. Forenscope is designed to work around security mechanisms by interposing a lightweight analysis platform beneath the operating system. For example, in incident response, the machine may be controlled by malicious software and the operating system cannot be trusted. The observation capabilities afforded by Forenscope offer additional visibility in these scenarios.

3.1 Taint and Blurriness

Taint and blurriness are concepts related to the use of forensic tools. Taint is a measurement of change in the system induced by the use of a forensic tool and it may be present both in memory and on disk. In this section, we only consider the in-memory portion because BitBlocker (Section 3.6) eliminates disk taint by blocking writes. Blurriness refers to the inconsistency of a memory snapshot taken while a system is running.

¹ Encase: www.encase.com, Helix: www.e-fense.com, FTK Imager: www.accessdata.com, Memoryze: www.mandiant.com/software/memoryze.htm
Table 1: Comparison of Forenscope with existing forensic tools

Evidence        Registers   Memory    Network   Processes   Disk    Encryption
RFC 3227 Reqs   Nanosecs    Seconds   Minutes   Minutes     Hours   Hours
Encase          ×           ✓(a)      ×         ×           ✓       ×
Helix           ×           ✓(a)      ✓(b)      ✓           ✓       ×
FTK             ×           ✓(a)      ✓         ✓           ✓       ✓
Scalpel         ×           ×         ×         ×           ✓       ×
Memoryze        ×           ✓(a)      ✓(b)      ✓           ×       ×
Sleuth kit      ×           ×         ×         ×           ✓       ×
Forenscope      ✓           ✓         ✓         ✓           ✓       ✓

(a) Subject to forensic blurriness
(b) Connection is recorded but not persisted
Table 2: Definitions

Quantity                     Description
Snapshot $S_t$               Contents of memory at time $t$
Natural drift $\delta_v$     Change in the system state over time $v$
Snapshot $\hat{S}_v$         Contents of captured memory snapshot, with $v$ being the time taken to capture the snapshot
Taint $f$                    $f$ is defined as the memory taint caused by the forensic introspection agent

To quantify the relationship between taint and blurriness, let $S_t$ be the contents of memory at any given instant of time $t$. The state of a system changes over a period of time due to the natural course of running processes and we define this as the natural drift of the system, $\delta$. When a traditional live forensic tool attempts to take a snapshot of the system, there is a difference between what is captured, $\hat{S}_v$, and the true snapshot $S_t$, where $v$ represents the time taken to capture the snapshot. There are two reasons for this difference: the first being $\delta_v$, the natural drift over the time period when the snapshot was being acquired ($v$), and the second due to the footprint $f$ of the forensic tool. We define the former as the blurriness of the snapshot and the latter quantity to be the taint caused by the forensic tool. Table 2 captures these definitions in a concise form. In general, there are two ways to obtain a snapshot of the machine's state: active techniques and passive techniques. Active techniques involve the use of an agent on the machine which may leave a footprint. Passive techniques operate outside the domain of the machine and do not affect its operation; one such example is VM introspection. When a passive acquisition tool is used, the relationship $\hat{S}_v = S_t + \delta_v$ indicates that the approximate snapshot differs from the true snapshot due to the blurriness $\delta_v$. In contrast, when an active forensic tool is used, $\hat{S}_v = S_t + f + \delta_v$, where $f$ represents taint and $\delta_v$ represents blurriness. Collectively, these quantities are a measure of the error in the snapshot acquisition process. Taint can result from the direct action of forensic tools or indirect effects induced in the system through the use of these tools. We call the former first-order taint, $f'$, and the latter second-order taint, $f''$. First-order taint can result from loading a forensic tool into memory and second-order taint can result from processes such as file buffering due to the effects of a forensic tool writing a file.

3.2 Memory Remanence

Modern memory chips are composed of capacitors which store binary values using charge states. Over time, these capacitors leak charge and must be refreshed periodically. To save power, these chips are designed to retain their values as long as possible, especially in mobile devices such as laptops and cell phones. Contrary to common belief, the act of rebooting or shutting down a computer often does not completely clear the contents of memory. Link and May [21] were the first to show that current memory technology exhibited remanence properties back in 1979. More recently, Gutmann [18] elaborated on the properties of DRAM memory remanence. Halderman et al. [19] recently showed that these chips can retain their contents for tens of seconds at room temperature and the contents can persist for several minutes when the RAM chips are cooled to slow the natural rate of bit decay. Forenscope utilizes memory remanence properties to preserve the full system state to allow recovery to a point where introspection can be performed. We refer the reader to [11, 19] for a more detailed analysis of memory remanence.

Figure 1: Forenscope vs normal boot paths

3.3 Activation

Forenscope currently supports two methods of activation. The first is based on a watchdog timer reset and the second is through a forced reboot. For incident response, a watchdog timer may be used to activate Forenscope periodically to audit the machine's state and check for the presence of stealth malware. Watchdog timers are used in embedded systems to detect erroneous conditions such as machine lockups. These timers contain a count down clock which must be refreshed periodically. If the system crashes, the watchdog software will fail to refresh the clock. Once the clock counts down to zero, the watchdog timer will issue a warm hardware reset signal to the machine causing it to reboot in the hopes that the operating system will recover from the erroneous condition upon a fresh start. On our test machine, the built-in watchdog timer is programmable via a serial port interface and the contents of DRAM memory are not cleared after a reboot initiated by the watchdog timer reset signal.

On the other hand, a forensic investigator may encounter a machine that is locked by a screensaver or login screen and in this situation, Forenscope can be activated by forcing a reboot. Some operating systems such as Linux and Windows can be configured to reboot or produce a crash dump by pressing a hotkey. These key sequences are often used for
debugging and are enabled by default in many Linux distributions. In Linux, the alt-sysrq-b hotkey sequence forces an immediate reboot. If these debug keys are disabled, then a reset may be forced by activating the hardware reset switch. Forenscope supports multiple modes of operation for versatility. After the machine has been rebooted forcefully, the Forenscope kernel is selected from the boot loader menu instead of the incumbent operating system.

3.4 Forenscope framework

Instead of booting afresh, Forenscope alters the boot control flow to perform its analysis. Figure 1 illustrates this process. After the machine restarts, it boots off a CD or USB stick with the Forenscope media. The machine then enters the golden state monitor mode which suspends execution and provides a clean external view of the machine state. To explain how the monitor works, we first describe the operating states of the x86 architecture. When a traditional PC boots, the processor starts in real mode and executes the BIOS. The BIOS then loads the bootloader which in turn loads the operating system. During the boot sequence, the operating system first enables protected mode to access memory above the 1 MB mark and then sets up page tables to enable virtual memory to bootstrap the OS. Forenscope interposes on this boot sequence and first establishes a bootstrap environment residing in the lower 640 KB rung of legacy conventional memory and then it reconstructs the state of the running machine. Forenscope has full control of the machine and its view is untainted by any configuration settings from the incumbent operating system because it uses a trustworthy private set of page tables; thus rootkits and malware which have infected the machine cannot interfere with operations in this state. Next, Forenscope obtains forensically-accurate memory dumps of the system and runs various kinds of analyses. For integrity, Forenscope does not rely on any services from the underlying operating system. Instead, it makes direct calls to the system's BIOS to read and write to the disk. Therefore, Forenscope is resistant to malware that impedes the correct operation of hardware devices. The initial forensic analysis modules are executed in this state and then Forenscope restores the operation of the incumbent operating system.

3.5 Reviving the Operating System

To revive the incumbent operating system, Forenscope needs to restore the hardware and software state of the system to "undo" the effects of the reboot. Hardware devices are reset by the BIOS as part of the boot process. Some of these devices must be reconfigured before the incumbent operating system is restored because they were used by Forenscope or the BIOS during initialization. To do so, Forenscope first re-initializes core devices such as the hard drive and interrupt controller and then assumes full control of these devices for operation in its clean environment. Before resuming the operating system, Forenscope scans the PCI bus and gathers a list of hardware devices. Each hardware device is matched against an internal database and if an entry is found, Forenscope calls its own reinitialization function for the particular hardware device. If no reinitialization function is found, Forenscope looks up the device class and calls the operating system's generic recovery function for that device class. Many devices such as network cards and disk drives have facilities for handling errant conditions on buggy hardware. These devices typically have a timeout recovery function which can revive the hardware device in the event that it stops responding. We have found that calling these recovery functions is usually sufficient to recover most hardware devices. In Linux, 86 out of the 121 (71%) PCI network drivers implement this interface and all IDE device drivers support a complete device reset. For instance, the IBM uses an Intel Pro/100 card and the SEL-1102 uses a built-in AMD PCnet/32 chip. On both these machines Forenscope relies on calling the tx_timeout function to revive the network.

We use a two-stage process to restore the operating system environment. The first stage reconstructs the processor state where the values of registers are extracted and altered to roll back the effects of the restart and the second stage runs forensic analysis modules. Our algorithm scans the active kernel stack and symbol information from the kernel for call chain information. Forenscope uses this information to reconstruct the processor's state. In the alt-sysrq-b case, the interrupt handler calls the keyboard handler which in turn invokes the emergency sysrq-handler. The processor's register state is saved on the stack and restored by using state recovery algorithms from [11, 13]. If the alt-sysrq-b hotkey is disabled, Forenscope supports an alternate method of activation based on pressing a physical reset switch. In this case, Forenscope assumes that the system is under light load and that the processor spends most of its time in the kernel's idle loop. In this loop, most kernels repeatedly call the x86 HLT instruction to put the processor to sleep. Since the register values at this point are predictable, Forenscope restores the instruction pointer, EIP, to point to the idle loop itself and other registers accordingly. Once the state has been reconstructed, Forenscope reloads the processor with this information and enables virtual memory.

3.6 Modules

We have developed a number of modules to aid in forensic analysis. These modules, shown in Figure 2, run in groups where stage 1 modules run in the golden state to collect pristine information while stage 2 modules rely on OS services to provide a shell and block disk writes. Finally, stage 3 resumes the original operating environment.

Scribe: Scribe collects basic investigation information such as the time, date, list of PCI devices, processor serial number and other hardware features. These details are stored as evidence to identify the source of a snapshot.

Cloner: Cloner is a memory dump forensic tool that is able to capture a high-fidelity image of volatile memory contents to an external capture device. Existing techniques for creating physical memory dumps are limited by their reliance on system resources which are vulnerable to deception. Cloner works around forensic blurriness issues and rootkit cloaking by running in stage 1 before control is returned to the original host OS. In the golden state, the system uses protected mode to access memory directly through Forenscope's safe memory space. Using this technique, Cloner accesses memory directly without relying on services from the incumbent operating system or its page tables. To dump the contents of memory, Cloner writes to disk directly using BIOS services instead of using an OS disk driver. This channel avoids a potentially booby-trapped or corrupted operating system disk driver and ensures that the written data has better forensic integrity. Most BIOS firmware supports read/write access
to USB flash drives and hard disks. Another reason to use the BIOS for dumping is that it minimizes the memory footprint of Forenscope and reduces dependencies on drivers for various USB and SATA chipsets. Once Cloner captures a clean memory dump, the investigator can run other modules and tools that may alter the contents of memory without worry of tainting the evidence.

Figure 2: Forenscope modules

Informant: Informant checks for suspicious signs in the system that may indicate tampering by identifying the presence of alterations caused by malware. In order to extract clean copies of the program code and static structures such as the system call table, Forenscope must have access to a copy of the vmlinux kernel file which is scanned to locate global kernel variables and the location of various functions. Most Linux distributions provide this information. Read-only program code and data structures are checked against this information to ensure that they have not been altered or misconfigured. Such alterations have the potential to hinder the investigation process and Informant helps to assess the integrity of a machine before further analysis is attempted. After Informant verifies the system, it also records other useful information such as the contents of the kernel dmesg log, running processes, open files and open network sockets. This information can help expedite the investigation process.

Neutralizer: Neutralizer inoculates against anti-forensic software by detecting and repairing alterations in binary code and key system data structures such as the system call table. These structures can be repaired by restoring them with clean copies extracted from the original sources. Since many rootkits rely on alteration techniques, Neutralizer can recover from the effects of common forms of corruption. Presently, Neutralizer is unable to recover from corruption or alteration of dynamic data structures. Neutralizer also suppresses certain security services such as the screensaver, keyboard lock and potential malware or anti-forensic tools by terminating them. To terminate processes, Neutralizer sends a SIGKILL signal instead of a SIGTERM signal so that there is no opportunity to ignore the signal. Customized signals can be sent to each target process. For some system services that respawn, terminating them is ineffective, so forcefully changing the process state to zombie (Z) or uninterruptible disk sleep (D) is desired instead of killing the application directly. An alternative would be to send the SIGSEGV signal to certain applications to mimic the effects of a crash. Neutralizer selects processes to kill based on the analysis mode. For incident response on server machines, a white list approach is used to terminate processes that do not belong to the set of core services. This policy prevents running unauthorized applications that may cause harm to the system. For investigation, Neutralizer takes a black list approach and kills off known malicious processes.

ForenShell: ForenShell is a special superuser bash shell that allows interactive exploration of a system by using standard tools. When coupled with BitBlocker (below), ForenShell provides a safe environment to perform customized live analyses. In this mode, ForenShell becomes non-persistent and it does not taint the contents of storage devices. Once ForenShell is started, traditional tools such as Tripwire or Encase may be run directly for further analysis. To provide an audit log of the investigator's activities, ForenShell provides a built-in keylogger that writes directly to the evidence collection medium without tainting the disk. Forenscope launches the superuser shell on a virtual console by directly spawning it from a privileged kernel thread. ForenShell runs as the last analysis module after Informant and Neutralizer have been executed. At this point, the system has already been scanned for malware and anti-forensic software. If Neutralizer is unable to clean an infection, it displays a message informing the investigator that the output of ForenShell may be unreliable due to possible system corruption.

BitBlocker: BitBlocker is a configurable software-based write blocker that inhibits writing to a given set of storage devices to avoid tainting the contents of persistent media. Since actions performed by ForenShell during exploration can inadvertently leave undesired tracks, BitBlocker helps to provide a safe non-persistent analysis environment that emulates disk writes without physically altering the contents of the media. Because BitBlocker modifies the contents of memory, it executes after Cloner has captured a clean copy of memory.

Simply re-mounting a disk in read-only mode to prevent writing may cause some applications to fail because they may need to create temporary files and expect open files to remain writable. Typically, when an application creates or writes files, the changes are not immediately flushed to disk and they are held in the disk's buffer cache until the system can flush the changes. The buffer cache manages intermediate disk operations and services subsequent read requests with pending writes from the disk buffer when possible. BitBlocker mimics the expected file semantics of the original system by reconfiguring the kernel's disk buffer cache layer to hold all writes instead of flushing them to disk. This approach works on any type of file system because it operates directly on the disk buffer which is one layer below the file system. BitBlocker's design is similar to that of some Linux-based RAM disk systems [5] which cleverly use the disk buffer as a storage system by configuring the storage device with a null backing store instead of using a physical disk. Each time a disk write is issued, barring a sync operation, the operating system's disk buffer subsystem holds the request in the buffer until a certain write threshold or timeout is reached. In Linux, a system daemon called pdflush handles flushing buffered writes to disk. To prevent flushing to the disk, BitBlocker reconfigures the write threshold of the disk to inhibit buffer flushing, disables pdflush and hooks the sync, sync_file_range, fsync, bdflush and umount system calls with a write monitor wrapper. Figure 3 shows the architectural diagram of the Linux filesystem layer and where BitBlocker intercepts disk write operations. Although BitBlocker inserts hooks into the operating system, it does not interfere with the operations of Informant and Neutralizer because those modules are run before BitBlocker and they operate on a clean copy of memory. The hooks and techniques used by BitBlocker are common to Linux 2.6.x

Figure 3: File system architecture

Figure 4: BitBlocker memory usage (series: Cached-Normal, Dirty-Normal, Free-Normal, Cached-BitBlocker, Dirty-BitBlocker, Free-BitBlocker; x-axis: Time (in seconds); y-axis: Bytes)

Figure 5: HTTP data transfer rate comparison (series: Curl-10-sec-control, Curl-10-sec-Forenscope, Curl-5-sec-control, Curl-5-sec-Forenscope; x-axis: Time (in seconds); y-axis: Bytes/sec)

Table 3: Correctness assessment

Application    Results
Idle system    System is correctly recovered over 100 times.
SSH            SSH recovers, protocol handles lost packets.
PPTP VPN       VPN recovers, queued messages are delivered.
AES pipe       File encryption continues.
Netcat         File transfers correctly without checksum errors.
DM-crypt       Mounted filesystem remains accessible.

testing using DM-crypt and AES pipe showed that security programs continue to operate properly. A more thorough evaluation of the correctness can be found in [11]. To evaluate the correctness of BitBlocker, we ran it on the IBM and on a QEMU system emulator. Using the emulator allowed us to verify integrity by checksumming the contents of the virtual disk. Our test cases include using the dd utility to fill up the disk, then issuing a sync command and unmounting the disk. Other cases tested include copying large files and compiling programs consisting of hundreds of files. In each case, BitBlocker worked correctly and no writes were issued to the physical disk. After the test completed, we confirmed that the contents of the disk were unchanged by comparing hashes of the contents against the original contents.

Performance: In terms of performance, BitBlocker made disk operations appear to be faster because no data is flushed to the physical disk from the disk buffer. A write of a 128 MB file took 32.78 s without BitBlocker and 3.71 s with
kernels and they are robust to changes in the kernel version.
BitBlocker. The number of dirty disk buffers consumed in-
Similar techniques are possible for other operating systems.
creases proportionately with the size of the files written.
Since BitBlocker inhibits flushing to disk, running out of file
4. RESULTS AND EVALUATION buffers can create a condition where the filesystem fills up
We evaluate Forenscope as a forensic tool by measuring and reports a write error. To measure these effects on the
five characteristics: correctness, performance, downtime, fi- system, we collected buffer cache usage information once a
delity and effectiveness against malware. second in several key applications: creating a compressed
Hardware and Software Setup: To demonstrate func- archive with tar-bzip2, downloading a file using wget and
tionality, we tested and evaluated the performance of Foren- compiling the software package busybox. Figure 4 shows
scope on two machines: a Schweitzer 1102 industrial com- the utilization of dirty file buffers over time for the tar-gzip
puter and an IBM Intellistation M Pro. The SEL-1102 used case. Wget and busybox compilation have similar results. In
in our experiments is a rugged computer designed for power the graphs, we report statistics from /proc/meminfo such as
system substation use and it is equipped with 512 MB of cached, dirty and free. According to the documentation
DRAM and a 4 GB compact flash card mounted in the first for /proc, cached in Linux represents the amount of data in
drive slot as the system disk. The SEL-1102 can operate in the page cache which includes cached data from read-only
temperatures ranging from -40 to +75 degrees Celsius. The files as well as write buffers. Dirty represents items that
IBM Intellistation M Pro is a standard desktop workstation need to be committed to the disk and free represents free
equipped with 1 GB of DRAM. For some tests, we opted memory. From our observations, dirty is generally very
to use a QEMU-based virtual machine system to precisely low in the normal case because the kernel commits write
measure timing and taint. Forenscope and the modules that buffers periodically. However, in BitBlocker, dirty grows
we developed were tested on the Linux 2.6 kernel. Although steadily because the data cannot be committed back to the
Forenscope was originally built to target Linux, we plan to disk. To estimate the amount of memory required to run
expand this work to other systems. BitBlocker, our experiments show that in many scenarios,
Correctness: To show that Forenscope is robust, we even 128 MB of free memory is sufficient for BitBlocker to
tested it against a collection of applications listed in Ta- operate. Our experiments show that BitBlocker is robust
ble 3. In each case, after rebooting the machine forcefully, even when the system runs low in memory. At 200 seconds,
Forenscope recovered the operating state, took control and the physical memory of the machine fills up and the tar-bz2
ran successfully without breaking the semantics of the appli- process stops because the disk is ”full.” The system does not
cation. As a basic sanity test, Forenscope was able to revive crash and other apps continue to run as long as they do not
an idle system with no load. We chose a mix of applications write to the disk. On a typical system with 2 GB of memory,
to show that a wide range of hardware, software and net- BitBlocker should be able to maintain disk writeability for
work applications are compatible. Running SSH, PPTP and a much longer period of time.
Netcat showed that network connections persist. Further
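The buffer-cache measurement described above, as an added example that is not Forenscope's code: it parses the cached, dirty and free fields of /proc/meminfo, estimates how fast dirty buffers accumulate when nothing is flushed, and projects when they would exhaust free memory, the condition under which the text reports the disk as "full". The meminfo excerpts are constructed, not captured from a real run.

```python
"""Dirty-buffer monitor for the BitBlocker regime.

Added example, not Forenscope code. It parses the /proc/meminfo fields the
evaluation reports (Cached, Dirty, MemFree), estimates how fast pending
writes accumulate when nothing is flushed, and projects when they would
exhaust free memory. The meminfo excerpts below are constructed samples.
"""
import re
from dataclasses import dataclass

# Matches the kernel's "Name:   <value> kB" layout; fields without a kB
# suffix (e.g. HugePages_Total) are simply skipped.
MEMINFO_RE = re.compile(r"^(\w+):\s+(\d+)\s*kB", re.MULTILINE)


def parse_meminfo(text: str) -> dict:
    """Return {field: value_in_kB} for a /proc/meminfo dump."""
    return {m.group(1): int(m.group(2)) for m in MEMINFO_RE.finditer(text)}


@dataclass(frozen=True)
class Sample:
    t: float      # seconds since monitoring started
    cached: int   # kB in the page cache (read data plus write buffers)
    dirty: int    # kB waiting to be committed to disk
    free: int     # kB of free memory


def to_sample(t: float, meminfo_text: str) -> Sample:
    info = parse_meminfo(meminfo_text)
    return Sample(t, info["Cached"], info["Dirty"], info["MemFree"])


def dirty_growth_rate(samples) -> float:
    """Least-squares slope of Dirty against time, in kB/s (0.0 if < 2 samples)."""
    if len(samples) < 2:
        return 0.0
    mt = sum(s.t for s in samples) / len(samples)
    md = sum(s.dirty for s in samples) / len(samples)
    num = sum((s.t - mt) * (s.dirty - md) for s in samples)
    den = sum((s.t - mt) ** 2 for s in samples)
    return num / den if den else 0.0


def regime(samples, window: int = 3) -> str:
    """'holding' when Dirty rose at every step of the last `window` samples,
    as it does while BitBlocker withholds flushes; 'flushing' otherwise."""
    recent = samples[-window:]
    if len(recent) < 2:
        return "flushing"
    rising = all(b.dirty > a.dirty for a, b in zip(recent, recent[1:]))
    return "holding" if rising else "flushing"


def seconds_until_full(samples, window: int = 3):
    """Projected seconds until dirty buffers consume the remaining free memory,
    or None while the kernel is still flushing (Dirty not growing steadily)."""
    if regime(samples, window) != "holding":
        return None
    rate = dirty_growth_rate(samples[-window:])
    if rate <= 0:
        return None
    return samples[-1].free / rate


def _meminfo_text(free: int, cached: int, dirty: int) -> str:
    # Constructed /proc/meminfo excerpt for a 512 MB machine like the SEL-1102.
    return (f"MemTotal:       516096 kB\n"
            f"MemFree:      {free:8d} kB\n"
            f"Buffers:          4096 kB\n"
            f"Cached:       {cached:8d} kB\n"
            f"Dirty:        {dirty:8d} kB\n")


# Constructed series: a normal kernel keeps Dirty small and bounded ...
NORMAL = [to_sample(t, _meminfo_text(380000, 90000, d))
          for t, d in enumerate([256, 300, 280, 320, 260])]
# ... whereas under BitBlocker every written kB stays dirty (here 2 MB/s).
BITBLOCKER = [to_sample(t, _meminfo_text(380000 - 2048 * t, 90000 + 2048 * t,
                                         1024 + 2048 * t))
              for t in range(5)]

if __name__ == "__main__":
    for name, series in (("normal", NORMAL), ("bitblocker", BITBLOCKER)):
        print(name, regime(series), f"{dirty_growth_rate(series):.1f} kB/s",
              seconds_until_full(series))
```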
Downtime: As discussed earlier, one important metric for evaluating a forensic tool is the amount of downtime incurred during use. To show that Forenscope minimally disrupts the operation of critical systems, we measured the amount of time required to activate the system. Forenscope, without Cloner, executed in 15.1 s using the reboot method on the SEL-1102 and in 9.8 s on the IBM Intellistation, while the watchdog method took 15.2 s to execute on the SEL-1102. The majority of the downtime is due to the BIOS bootup sequence and this downtime can be reduced on some machines. Many network protocols and systems can handle this brief interruption gracefully without causing significant problems. We tested this functionality by verifying that VPN, SSH and web browser sessions continue to work without timing out despite the interruption. Many of these protocols have a timeout tolerance that is sufficiently long to avoid disconnections while Forenscope is operating, and TCP is designed to retransmit lost packets during this short interruption. To measure the disruption to network applications caused by running Forenscope continuously over a period of time, we ran a test within a virtualized environment to mimic the brief reboot cycle used by the analysis process. The test measures the instantaneous speed of an HTTP file transfer between a server and a client machine. While the file transfer is in session, we periodically interrupt the transfer by forcibly restarting the machine and subsequently reviving it using Forenscope. Each time the system is interrupted, the server process is suspended while the machine reboots. The process is then resumed once Forenscope is done running. As a baseline, we created a control experiment where the server process is periodically suspended and resumed by a shell script acting as a governor to limit the rate at which the server operates. This script sends the SIGSTOP signal to suspend the server process, waits a few seconds to emulate the time required for the bootup process and then sends a SIGCONT signal to resume operation. In each experiment, a curl client fetches a 1 MB file from a thttpd server at a rate of 10 KB/s. We chose these parameters to illustrate how a streaming application or low-bandwidth application such as a logger may behave. During this download process, the server was rebooted once every 20 seconds and we measured the instantaneous bandwidth with a bootup delay of 5 and 10 seconds to observe the effects of various bootup times. We observed that the bandwidth drops to zero while the system boots and the download resumes promptly after the reboot. No TCP connections were broken during the experiment and the checksum of the downloaded file matched that of the original file on the server. A graph of the instantaneous bandwidth vs. time is plotted in Figure 5. We compared the results of our test against the control experiment and observed that the behavior was very similar. Thus we believe that running Forenscope can be considered as safe as suspending and resuming the process. During the experiment we noticed that the bandwidth spiked immediately after the machine recovered and attribute this behavior to the internal 2-second periodic timer used by thttpd to adjust the rate limiting throttle table.

Table 4: Taint measurement (pages altered out of 32,768)

  Description                       Conventional memory   Extended memory
  Forenscope                        41 (0.125%)           0 (0%)
  dd                                0 (0%)                7100 (21.66%)
  dd to FS mounted with sync flag   0 (0%)                7027 (21.44%)
  dd with O_DIRECT                  0 (0%)                480 (1.46%)

Taint and Blurriness: We evaluated the taint in a snapshot saved by Forenscope using a snapshot captured by dd as the baseline. In an experimental setup running with 128 MB of memory, we collected an accurate snapshot S_t of the physical memory using QEMU and compared that with a snapshot Ŝ_v obtained from each forensic tool. The number of altered pages for each of the configurations is presented in Table 4. We observe that since Forenscope is loaded in conventional memory, the only pages which differ are found in the lower 640 KB of memory. Our experiments show that Forenscope is far better than dd because we observed no difference in the extended memory between the snapshot taken by Forenscope and the baseline snapshot. It should be noted that as the machine is suspended in the golden state when running Forenscope, there is no blurriness associated with the snapshot taken by Forenscope. For dd, we measured the taint when using a file system mounted with and without the sync option. The number of pages affected remains almost the same in both cases and we observed that the majority of second-order taint was due to the operating system filling the page-cache buffer while writing the snapshot. To evaluate how much taint was induced due to buffering, we ran experiments in which dd was configured to write directly to disk, skipping any page-cache buffers by using the O_DIRECT flag. The results show that the taint was much lower than in the earlier experiment, but still greater than the taint caused by using Forenscope. In order to estimate the amount of blurriness caused when tools like dd are used, we measured the natural drift over time of some typical configurations. We collected and compared memory dumps from Ubuntu 8.04 and Windows Vista with 512 MB of memory in a virtual machine environment hosted in QEMU. In each case, we snapshot the physical memory of the virtual machine and calculate the number of pages that differ from the initial image over a period of time. The snapshots were sampled using a tilted time frame to capture the steady state behavior of the system in an attempt to measure δ_v. The samples were taken at 10 second intervals for the first five minutes and at 1 minute intervals for the next two hours. From Figure 6, we observe that the drift remains nearly constant after a short period of time for our experimental setup; for the idle Ubuntu and Vista systems, the drift stabilizes within a few minutes. The drift for a system running Mozilla Firefox was found to be nearly constant within 10 minutes. Running tar and gzip for compressing a large folder, or dd to dump the contents of memory into a file, resulted in most of the memory being changed within a minute due to second-order taint. To summarize, our tests demonstrated that there is no taint introduced in the extended memory by using Forenscope and that Forenscope can be used for forensic analysis where taint needs to be minimized.

Effectiveness against anti-forensics tools: Although forensics techniques can collect significant amounts of information, investigators must be careful to ensure the veracity and fidelity of the evidence collected because anti-forensic techniques can hide or intentionally obfuscate the information gathered. In particular, rootkits can be used by hackers to hide the presence of malicious software such as bots running in the system. Malware tools such as the FU rootkit [16] directly manipulate kernel objects and corrupt process lists in ways that many tools cannot detect.
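The two snapshot comparisons described above, as an added example that is not the paper's code: taint, the pages of a tool's snapshot Ŝ_v that differ from the baseline S_t, split at the 640 KB conventional-memory boundary as in Table 4; and blurriness drift, the percentage of pages differing from an initial image across timed snapshots as in Figure 6. The images are constructed byte strings of 256 pages (1 MB) standing in for the 32,768-page guest.

```python
"""Page-level taint and blurriness measurement for memory snapshots.

Added example, not Forenscope code. Snapshots are raw byte strings of the
guest's physical memory; the constructed images below use 256 pages (1 MB)
instead of the paper's 32,768-page (128 MB) guest.
"""
import random

PAGE_SIZE = 4096
CONVENTIONAL_BYTES = 640 * 1024    # pages below this boundary are conventional memory


def differing_pages(baseline: bytes, snapshot: bytes, page_size: int = PAGE_SIZE):
    """Indices of pages whose bytes differ between the two images."""
    if len(baseline) != len(snapshot):
        raise ValueError("snapshots must cover the same physical range")
    return [i // page_size for i in range(0, len(baseline), page_size)
            if baseline[i:i + page_size] != snapshot[i:i + page_size]]


def taint(baseline: bytes, snapshot: bytes, page_size: int = PAGE_SIZE,
          conventional_bytes: int = CONVENTIONAL_BYTES) -> dict:
    """Altered-page counts and percentages (of all pages) per memory region,
    in the layout of Table 4."""
    total = len(baseline) // page_size
    boundary = conventional_bytes // page_size        # 160 pages of 4 KB
    changed = differing_pages(baseline, snapshot, page_size)
    conv = sum(1 for p in changed if p < boundary)
    ext = len(changed) - conv
    return {"conventional": (conv, 100.0 * conv / total),
            "extended": (ext, 100.0 * ext / total)}


def drift_series(initial: bytes, samples, page_size: int = PAGE_SIZE):
    """[(t, percent of pages differing from `initial`)] for timed snapshots,
    e.g. sampled on the tilted time frame used for Figure 6."""
    total = len(initial) // page_size
    return [(t, 100.0 * len(differing_pages(initial, snap, page_size)) / total)
            for t, snap in samples]


def _random_bytes(rng: random.Random, n: int) -> bytes:
    return rng.getrandbits(8 * n).to_bytes(n, "little")


def with_pages_changed(image: bytes, pages, rng: random.Random,
                       page_size: int = PAGE_SIZE) -> bytes:
    """Copy of `image` with the listed pages overwritten by fresh random bytes."""
    buf = bytearray(image)
    for p in pages:
        buf[p * page_size:(p + 1) * page_size] = _random_bytes(rng, page_size)
    return bytes(buf)


# Constructed images (fixed seed so the numbers are reproducible).
_rng = random.Random(2010)
IMAGE_BYTES = 256 * PAGE_SIZE
S_T = _random_bytes(_rng, IMAGE_BYTES)                           # baseline snapshot
FORENSCOPE_LIKE = with_pages_changed(S_T, range(0, 3), _rng)     # 3 pages below 640 KB
DD_LIKE = with_pages_changed(S_T, range(200, 240), _rng)         # 40 pages in extended memory
DRIFT_SAMPLES = [                                                # idle-system style drift
    (0, S_T),
    (10, with_pages_changed(S_T, range(160, 176), _rng)),
    (20, with_pages_changed(S_T, range(160, 192), _rng)),
]

if __name__ == "__main__":
    print("forenscope-like:", taint(S_T, FORENSCOPE_LIKE))
    print("dd-like:", taint(S_T, DD_LIKE))
    print("drift:", drift_series(S_T, DRIFT_SAMPLES))
```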
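The checks that Informant applies to the rootkits evaluated below, as an added example that is not Forenscope's code: kernel function pointers (system call table entries, /proc VFS operations) that no longer point into the kernel's read-only program code are flagged, and hardware breakpoints enabled in DR7 on kernel text, the DR rootkit's hooking mechanism, are reported. All address ranges, table contents and register values are hypothetical stand-ins for what an investigator would read from a memory image.

```python
"""Informant-style pointer and debug-register checks.

Added example, not Forenscope code. The address ranges, pointer tables and
register values below are constructed and hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int   # inclusive
    end: int     # exclusive

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def classify_pointer(addr: int, kernel_text: Region, modules) -> str:
    """'kernel-text' for trusted code, 'module:<name>' for writable module
    space, 'unknown' for anything else (e.g. heap or vmalloc memory)."""
    if kernel_text.contains(addr):
        return "kernel-text"
    for m in modules:
        if m.contains(addr):
            return f"module:{m.name}"
    return "unknown"


def audit_table(table: dict, kernel_text: Region, modules) -> list:
    """Entries of a pointer table (name -> address) that point outside the
    read-only kernel text: these are the hijacked pointers Neutralizer restores."""
    return [(name, addr, classify_pointer(addr, kernel_text, modules))
            for name, addr in table.items()
            if not kernel_text.contains(addr)]


_RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read-write"}


def active_breakpoints(regs: dict) -> list:
    """Hardware breakpoints enabled in DR7 as [(n, address, kind)].
    Bits 2n (L) and 2n+1 (G) of DR7 enable DRn; bits 16+4n..17+4n give R/W."""
    dr7 = regs.get("DR7", 0)
    hits = []
    for n in range(4):
        if dr7 & (0b11 << (2 * n)):
            kind = _RW_KIND[(dr7 >> (16 + 4 * n)) & 0b11]
            hits.append((n, regs.get(f"DR{n}", 0), kind))
    return hits


def syscall_breakpoints(regs: dict, kernel_text: Region) -> list:
    """Execute breakpoints placed on kernel text with no debugger attached,
    the signature of DR-style hooking; a reboot clears these registers."""
    return [bp for bp in active_breakpoints(regs)
            if bp[2] == "execute" and kernel_text.contains(bp[1])]


# Constructed layout (hypothetical 32-bit, 2.6-era addresses).
KERNEL_TEXT = Region("kernel-text", 0xC0100000, 0xC0300000)
MODULES = [Region("rootkit_mod", 0xD0800000, 0xD0810000)]

CLEAN_SYSCALLS = {"sys_read": 0xC0150000, "sys_open": 0xC0152000,
                  "sys_getdents64": 0xC0170000}
HOOKED_SYSCALLS = dict(CLEAN_SYSCALLS, sys_getdents64=0xD0802100)   # one redirected entry
PROC_ROOT_OPS = {"readdir": 0xD0803000, "lookup": 0xC01A2400}       # /proc VFS ops, one hijacked
DR_HOOK_REGS = {"DR0": 0xC0103000, "DR7": 0x1}                      # L0 enabled, execute
AFTER_REBOOT_REGS = {"DR0": 0x0, "DR7": 0x0}                        # state after the forced reboot

if __name__ == "__main__":
    print(audit_table(HOOKED_SYSCALLS, KERNEL_TEXT, MODULES))
    print(audit_table(PROC_ROOT_OPS, KERNEL_TEXT, MODULES))
    print(syscall_breakpoints(DR_HOOK_REGS, KERNEL_TEXT))
```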
Figure 6: Comparison of Memory Blurriness. [Plot not reproduced: % of changed pages vs. Time (in seconds), 0 to 1000 s; series firefox, ubuntu-idle, vista-idle, dd, tar-gzip.]

Malware researchers have also demonstrated techniques to evade traditional memory analysis through the use of low-level rootkits [28] which cloak themselves by deceiving OS-based memory acquisition channels on Linux and Windows. Hardware [12] and software [20] virtualization-based rootkits may be tricky to detect or remove by the legitimate operating system or application software because they operate one layer below standard anti-malware facilities. We describe and evaluate how Forenscope reacts to several publicly available rootkits. The set of rootkits was chosen to cover a gamut of representative threats, but the list is not meant to be exhaustive due to space constraints.

DR: The DR rootkit uses processor-level hardware debug facilities to intercept system calls rather than modifying the actual system call table itself. DR reprograms a hardware breakpoint which is reached every time a system call is made [15]. The breakpoint then intercepts the call and runs its own handler before passing control to the legitimate system call handler. Since Forenscope does not restore the state of debug registers, DR is effectively neutralized across the reboot, and as a result, hidden processes are revealed. Informant detects DR in several ways: DR is present in the module list, DR symbols are exported to the kernel and DR debug strings are present in memory. If an attacker modifies DR to make it more stealthy by removing these indicators, we contend that it is still hard to deceive Forenscope, since the debug registers are cleared as part of the reboot process. Although Forenscope doesn't restore the contents of the debug registers faithfully, this doesn't pose a problem for most normal applications because only debuggers typically use this functionality.

Phalanx B6: Phalanx hijacks the system call table by directly writing to memory via the /dev/mem memory device. It works by scanning the internal symbol table of the kernel and redirecting control flow to its own internal functions. Informant detects Phalanx while checking the system call table and common kernel pointers. Neutralizer restores the correct pointers to inoculate Phalanx.

Adore: Adore (http://stealth.openwall.net) is a classic rootkit which hijacks kernel pointers to deceive tools such as ps and netstat. It works by overwriting pointers in the /proc filesystem to redirect control flow to its own functions rather than modifying the syscall table directly. Informant detects that the pointers used by Adore do not belong to the original read-only program code segment of the kernel and Neutralizer restores the correct pointers. Restoration of the original pointers is simple and safe because the overwritten VFS function operations tables point to static functions such as proc_readdir, while Adore has custom handlers located in untrusted writable kernel module address space.

Mood-NT: Mood-NT is a versatile multi-mode rootkit that can hook the system call table, use debug registers and modify kernel pointers. Because of its versatility, the attacker can customize it for different purposes. Like the rootkits described previously, Forenscope detects Mood-NT in various modes. Our experiments indicate that Mood-NT hooks 44 system calls and Forenscope detects all of these alterations. Furthermore, each hook points out of the kernel's read-only program code address space and into the untrusted memory area occupied by the rootkit.

Table 5: Sizes of Forenscope and modules

  Component                  Lines of Code   Compiled Size (bytes)
  Forenscope (C)             1,690           15,420
  Forenscope (Assembly)      171             327
  Forenscope (Hardware)      280             1,441
  Neutralizer & Forenshell   34              8,573
  Other Modules              861             22,457
  Total                      3,036           48,218

Size: Forenscope is written in a mixture of C and x86 assembly code. Table 5 shows that Forenscope is a very small program. It consumes less than 48 KB in code and 125 KB in running memory footprint. The lines of code reported in the table are from the output of the sloccount [29] program. We break down the size of each component into core C and assembly code, hardware-specific restoration code and module code. To minimize its size, Forenscope reuses existing kernel code to reinitialize the disk and network; the size of this kernel code is device-specific and therefore excluded from the table, since these components are not part of Forenscope. The small compiled size of Forenscope and its modules implies that a minimal amount of host memory is overwritten when Forenscope is loaded onto the system. Furthermore, the diminutive size of the code base makes it more suitable for auditing and verification.

Table 6: Effectiveness against rootkit threats

  Rootkit      Description                                  Sanitization action
  DR           Uses debug registers to hook system calls    Rebooting clears debug registers
  Phalanx b6   Uses /dev/kmem to hook syscalls              Restore clean syscall table
  Mood-NT      Multi-module RK using /dev/kmem              Clear debug regs, restore pointers
  Adore        Kernel module hooks /proc VFS layer          Restore original VFS pointers

5. DISCUSSION

While evaluating Forenscope, we observed different behavior of rootkits on virtual machines and physical hardware. Our observations confirm the results of Garfinkel et al. [17] that virtual machines cannot emulate intricate hardware nuances faithfully and as a result some malware fails to activate on a virtual machine. For example, malware such as the Storm worm and Conficker [30] intentionally avoid activation when they sense the presence of virtualization to thwart the analysis process. Hence analyzing a system for rootkits using a virtual machine may not only cause some rootkits to slip under the radar but also alert them to detection attempts. Since Forenscope continues to run the system without exposing any of the issues raised by running virtualization systems, we argue that the system is unlikely to tip off an attacker to the presence of forensic software.

Legally, the jury is still out on the use of live forensic tools because of the issues of taint and blurriness. While some recent cases [2] suggest that courts are starting to recognize the value of the contents of volatile memory, the validity of the evidence is still being contested. A recent manual on collecting evidence in criminal investigations released by the Department of Justice [6] instructs that no limitations should be placed on the forensic techniques that may be used to search and also states that use of forensic software, no matter how "sophisticated," does not affect constitutional requirements. Although we do not make strict claims of legal validity in the courts, we are encouraged by the above guidelines to collect as much volatile information as possible. We objectively compare our tool against the state of the art and find that it does collect more forms of evidence with better fidelity than existing tools.

Countermeasures: Although Forenscope provides deep forensic analysis of a system in a wide variety of scenarios, there are countermeasures that attackers and criminals can use to counter the use of Forenscope. From an incident response perspective, we assume that the machine is controlled by the owner and that the attacker does not have physical access to it. This means that only software-based anti-forensic techniques are feasible, although some of these techniques may involve changing hardware settings through software. Most of the hardware and software state involved in these anti-forensic techniques is cleared upon reboot or rendered harmless in Forenscope's clean environment. In investigation, the adversary may elect to use a BIOS password, employ a secure bootloader, disable booting from external devices or change BIOS settings to clear memory at boot time. These mitigation techniques may work, but if the investigator is sophisticated enough, he can try techniques suggested by Halderman et al. [19] to cool the memory chips and relocate them to another machine which is configured to preserve the contents of DRAM at boot time. One other avenue for working around a password-protected BIOS is to engage the bootloader itself. We found that some bootloaders such as GRUB allow booting to external devices even if the functionality is disabled in the BIOS. The only mitigation against this channel is to use password protection on GRUB itself, which we believe is not frequently used.

Limitations: The only safe harbor for malware to evade Forenscope is in conventional memory itself because the act of rebooting pollutes the contents of the lower 640 KB of memory considerably, thus potentially erasing evidence. However, we contend that although this technique is possible, it is highly unlikely for three reasons: first, for such malware to persist and alter the control flow, the kernel must map this memory area into the virtual address space. This requires a change in the system page tables which is easily detectable by Forenscope since most modern operating systems do not map the conventional memory space into their virtual memory space. Secondly, such malware would have to inject a payload into conventional memory and if the payload is corrupted by the reboot process, the system will crash. Finally, such malware won't survive computer hibernation because conventional memory is not saved in the process. Even if Forenscope is unable to restore the system due to extenuating circumstances, we still have an intact memory dump and disk image to analyze. Although Forenscope has been designed with investigation in mind, we have not designed it to be completely transparent. For instance, malware might detect the presence of Forenscope by checking BitBlocker write latencies or scanning conventional memory.

6. RELATED WORK

Forenscope uses many technologies to achieve a high fidelity forensic analysis environment through introspection, data structure analysis and integrity checking. Many of the introspective techniques used by Forenscope were inspired by similar functionality in debuggers and simulators. VMware's VMsafe protects guest virtual machines from malware by using introspection. A virtual machine infrastructure running VMsafe has a security monitor which periodically checks key structures in the guest operating system for alteration or corruption. Projects such as Xenaccess [22] take the idea further and provide a way to list running processes, open files and other items of interest from a running virtual machine in a Xen environment. Although Xenaccess and Forenscope provide similar features, Xenaccess depends on the Xen VMM, whose presence and integrity the investigator cannot rely on. On some older critical infrastructure machines, legacy software requirements make it impractical to change the software configuration. Forenscope does not have such requirements. Forenscope's techniques to recover operating system state from structures such as the process list have been explored in the context of analyzing memory dumps using data structure organization derived from reverse-engineered sources [14, 27]. Attestation shows that a machine is running with an approved software and hardware configuration by performing an integrity check. Forenscope builds upon work from the VM introspection community to allow forensic analysis of machines that are not prepared a priori for such introspection. It provides a transparent analysis platform that does not alter the host environment, and Forenscope supports services such as BitBlocker that allow an investigator to explore a machine without inducing taint.

The techniques used by Forenscope for recovering running systems are well grounded in the systems community and have been studied previously in different scenarios. The original Intel 286 design allowed entry into protected mode from real mode, but omitted a mechanism to switch back. Microsoft and IBM used an elegant hack involving memory remanence to force re-entry into real mode by causing a reboot to service BIOS calls. This technique was described by Bill Gates as "turning the car off and on again at 60 mph" [24]. Some telecommunications operating systems such as Chorus [25] are designed for quick recovery after a watchdog reset and simply recover existing data from the running operating system rather than starting afresh. David [13] showed that it is possible to recover from resets triggered by the watchdog timer on cell phones. BootJacker [11] showed that it is possible for attackers to recover and compromise a running operating system by using a carefully crafted forced reboot. Forenscope applies these techniques in the context of forensic analysis and our work presents the merits and limitations of using such techniques to build a forensic tool.
Devices such as the Trusted Platform Module and Intel trusted execution technology (TXT) provide boot time and run-time attestation respectively. Although a TPM may be available for some machines, the protection afforded by a TPM may not be adequate for machines which are meant to run continuously for months. These machines perform an integrity check when they boot up, but their lengthy uptime results in a long time of check to time of use (TOCTTOU) window that extends the duration for breaches to remain undetected. Hardware solutions such as Copilot [23] are available to check system integrity. In contrast, Forenscope performs an integrity assessment at the time of use, which allows the investigator to collect evidence with better fidelity.

7. CONCLUDING REMARKS

Forenscope explores live forensic techniques and the issues of evidence preservation, non-intrusiveness and fidelity that concern such approaches. Measured against existing tools, our experiments show that Forenscope can achieve better compliance within the guidelines prescribed by the community. Forenscope shows that volatile state can be preserved and the techniques embodied in Forenscope are broadly applicable. We encourage further development of tools based on our high-fidelity analysis framework and believe that it can enable the advancement of analysis tools such as KOP [9]. Extensive evaluation of our techniques has shown that they are safe, practical and effective by minimally tainting the system, while causing no disruption to critical systems. We believe that these techniques can be used in cases where traditional tools are unable to meet the needs of modern investigations. To continue the development of this tool, we plan to work closely with partners to better evaluate use of this tool in real-world scenarios such as incident response in a variety of contexts.

Acknowledgements: We would like to thank the anonymous reviewers, Winston Wan, Mirko Montanari and Kevin Larson for their valuable feedback. This research was supported by grants from DOE DE-OE0000097 under TCIPG (tcip.iti.illinois.edu) and a Siebel Fellowship. The opinions expressed in this paper are those of the authors alone.

8. REFERENCES

[1] SANS Top 7 New IR/Forensic Trends In 2008. http://computer-forensics.sans.org/community/top7_forensic_trends.php.
[2] Columbia Pictures Indus. v. Bunnell, U.S. Dist. LEXIS 46364, C.D. Cal. http://www.eff.org/cases/columbia-pictures-industries-v-bunnell, 2007.
[3] Prosecuting Computer Crimes, pages 141–142. US Department of Justice, 2007.
[4] Electronic Crime Scene Investigation: A Guide for First Responders, pages 25–27, 2008.
[5] Ramdisks - Now We are Talking Hyperspace! http://www.linux-mag.com/cache/7388/1.html, 2009.
[6] Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, pages 79, 89. Computer Crime and Intellectual Property Section, Criminal Division, 2009.
[7] K. Amari. Techniques and Tools for Recovering and Analyzing Data from Volatile Memory, 2009.
[8] D. Brezinski and T. Killalea. Guidelines for Evidence Collection and Archiving. RFC 3227 (Best Current Practice), Feb. 2002.
[9] M. Carbone, W. Cui, L. Lu, W. Lee, M. Peinado, and X. Jiang. Mapping kernel objects to enable systematic integrity checking. In CCS '09: Proceedings of the 16th ACM conference on Computer and communications security, pages 555–565, New York, NY, USA, 2009. ACM.
[10] C. C. Center. How the FBI Investigates Computer Crime. http://www.cert.org/tech_tips/FBI_investigates_crime.html, 2004.
[11] E. Chan, J. Carlyle, F. David, R. Farivar, and R. Campbell. BootJacker: Compromising Computers using Forced Restarts. In Proceedings of the 15th ACM conference on Computer and Communications Security, pages 555–564. ACM, New York, NY, USA, 2008.
[12] D. Dai Zovi. Hardware Virtualization Rootkits. BlackHat Briefings USA, August 2006.
[13] F. M. David, J. C. Carlyle, and R. H. Campbell. Exploring Recovery from Operating System Lockups. In USENIX Annual Technical Conference, Santa Clara, CA, June 2007.
[14] B. Dolan-Gavitt. The VAD tree: A Process-eye View of Physical Memory. Digital Investigation, 4:62–64, 2007.
[15] J. Edge. DR rootkit released under the GPL. http://lwn.net/Articles/297775/.
[16] Fuzen Op. The FU rootkit. http://www.rootkit.com/project.php?id=12.
[17] T. Garfinkel, K. Adams, A. Warfield, and J. Franklin. Compatibility is not transparency: VMM detection myths and realities. In Proceedings of the 11th Workshop on Hot Topics in Operating Systems (HotOS-XI), May 2007.
[18] P. Gutmann. Secure Deletion of Data from Magnetic and Solid-State Memory. In Proceedings of the 6th USENIX Security Symposium, pages 77–90, July 1996.
[19] J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, and J. A. Calandrino. Lest We Remember: Cold Boot Attacks on Encryption Keys. In Proc. of the 17th USENIX Security Symposium, San Jose, CA, July 2008.
[20] S. T. King, P. M. Chen, Y.-M. Wang, C. Verbowski, H. J. Wang, and J. R. Lorch. SubVirt: Implementing malware with virtual machines. In Proceedings of the IEEE Symposium on Security and Privacy, pages 314–327, Washington, DC, USA, 2006. IEEE Computer Society.
[21] W. Link and H. May. Eigenschaften von MOS-Ein-Transistorspeicherzellen bei tiefen Temperaturen. Archiv für Elektronik und Übertragungstechnik, 33:229–235, June 1979.
[22] B. Payne, M. de Carbone, and W. Lee. Secure and flexible monitoring of virtual machines. In Proceedings of the 23rd Annual Computer Security Applications Conference, pages 385–397, 2007.
[23] N. Petroni, T. Fraser, J. Molina, and W. Arbaugh. Copilot: A Coprocessor-based Kernel Runtime Integrity Monitor. In Proceedings of the 13th USENIX Security Symposium, pages 179–194, 2004.
[24] J. Pournelle. OS/2: What it is, what it isn't, and some of the alternatives. Infoworld, 1988.
[25] M. Rozier, V. Abrossimov, F. Armand, I. Boule, M. Gien, M. Guillemont, F. Herrmann, C. Kaiser, S. Langlois, P. Léonard, and W. Neuhauser. Overview of the CHORUS Distributed Operating Systems. Computing Systems, 1:39–69, 1991.
[26] A. Savoldi and P. Gubian. Blurriness in Live Forensics: An Introduction. In Proceedings of Advances in Information Security and Its Application: Third International Conference, Seoul, Korea, page 119. Springer, 2009.
[27] A. Schuster. Searching for Processes and Threads in Microsoft Windows Memory Dumps. The Proceedings of the 6th Annual Digital Forensics Research Workshop, 2006.
[28] S. Sparks and J. Butler. Raising The Bar for Windows Rootkit Detection. Phrack, 11(63), 2005.
[29] D. A. Wheeler. SLOCCount. http://www.dwheeler.com/sloccount.
[30] B. Zdrnja. More tricks from Conficker and VM detection. http://isc.sans.org/diary.html?storyid=5842, 2009.