Memory Grabber' Forensics Tool (SRA Int'l)

8/7/2019 'Memory Grabber' Forensics Tool (SRA Int'l)

http://slidepdf.com/reader/full/memory-grabber-forensics-tool-sra-intl 1/7

Memory Grabber Computer Forensic Volatile Memory Acquisition and Analysis System

White Paper6 May 2010

Prepared By:

Jim CostabileSystems Research and Applications Corporation8830 Stanford Blvd., Suite 205Columbia, MD [email protected]

SRA authorizes the distribution of this document to registered customers only.No other distribution is authorized without the consent of SRA

SRA PROPRIETARY



SRA PROPRIETARY

Use or disclosure of data contained on this sheet is subject to the restriction on the ti tle page of this document.

Memory Grabber SRA PROPRIETARY 2 of 7

Table of Contents

1 INTRODUCTION 3

1.1 P URPOSE 3

2 OPERATIONAL NEED 3

2.1 P ROBLEM DESCRIPTION 3

3 OUR SOLUTION 4

3.1 SOLUTION O VER VIEW 4 3.2 SYSTEM DETAILS 5 3.3 SYSTEM SPECIFICATION 6

4 SUMMARY 7

Table of Exhibits

Figure 1: Memory Grabber Device................................................................................................. 3Figure 2: Memory Grabber Operational Context............................................................................ 4Figure 3: System Architecture ........................................................................................................ 5

Table 1: Memory Grabber Specifications...................................................................................... 6



SRA PROPRIETARY



1 0BINTRODUCTION

1.14B

PurposeThe purpose of this paper is to describe the SRA Memory Grabber system, which providesmemory access to a running and password protected laptop through the use of a small PC Cardinserted into the PCMCIA slot of the laptop. The Memory Grabber device shown in the figurebelow is operating system agnostic; working on Microsoft Windows, Linux, and MacOS and isavailable today as a production unit for use with Express Card and Card Bus laptop systems.

Figure 1: Memory Grabber Device

2 1BOPERATIONAL NEED

2.1 5BProblem DescriptionCurrently, when law enforcement agents or Special Operations personnel seize a running laptopthat is password protected, they have no way of capturing the potential valuable informationresident in memory. Typically, they will power down the laptop and take it back to lab toperform forensic analysis on the hard drive losing all information associated with the currentstate of the machine (e.g. partially constructed documents or emails, web history, or any otherinformation that gets permanently deleted upon power down). Law enforcement agents andSpecial Operations personnel need a tool that provides memory access to a running laptop in thefield enabling the timely capture of volatile information.





SRA PROPRIETARY



A forensic application running on a controlling computer provides memory forensic analysis, aswell as device control and configuration, communications management and data transfercapabilities. The forensic application is constructed in a modular fashion, allowing the use of other COTS or custom tools such as hex editors, or data analysis systems.

3.2 7BSystem Details

The Memory Grabber system is a volatile memory forensic analysis tool that provides memoryaccess to a laptop in a power-on state and possibly password protected via the external PCMCIAinterface. The system consists of a specialized hardware device (Memory Grabber device) thatprovides a bridge between the target laptop and a controlling computer, and a forensicapplication running on the controlling computer that provides analysis of the captured memoryas well as device control and configuration, communications management and data transfercapabilities. The system hardware and software architectures are depicted in the followingdiagram:

`

Controlling Computer

PC CardInterface

(Card Bus,PCI Express)

FPGA

USB

Target Laptop

SUT SW PCI Interface USB Interface

Test / Debug

Data Transfer

CommandProcessing

Device Driver

OS

Application

User InterfaceUser Interface

DataManagement

SystemControl

CommsManagement

User

Results Commands

Commands

Results

Memory Grabber Device

Embedded Software

Data

Hardware Architecture

Software Architecture

SDCard

Micro SD cardInterface

Figure 3: System Architecture



SRA PROPRIETARY



The specialized hardware platform is an FPGA based embedded system that provides thecapability to implement the target laptop interface (ExpressCard or CardBus) as well as thecontrolling computer interface (USB, micro SD card). The FPGA also provides the capability toprocess information and bit streams and can be configured for unique operational scenarios very

quickly due to the reprogrammable nature of FPGAs. The hardware platform has been designedin a modular fashion providing the capability to easily modify for other customer requiredinterfaces.

The embedded software / firmware running on the device implements the external interfaces tothe target computer and controlling computer, as well as provides the ability to performprocessing on the captured data (e.g. data compression, or encryption). The embedded softwarealso provides the ability to handle vendor-specific implementations of the external interfaces(e.g. Card Bus and Express Card) internally without the need for user interaction. This enablesthe system to be compatible across a wider range of laptops. As a part of our rigorouscompatibility testing, we have verified the operation of the Memory Grabber device on a widevariety of laptops from different manufacturers running various operating systems including 32bit and 64 bit versions of Windows, Linux and MacOS.

The forensic application running on the controlling computer provides basic memory accessfunctionality and memory capture, as well as basic device command and control. The forensicapplication is written in JAVA to allow portability across multiple-platforms as required.Currently, it is running on Windows based controlling computers. The modular nature of ourapplication design facilitates the ability to leverage COTS or custom analytic tools such as hexeditors, display tools and debuggers.

3.3 8BSystem SpecificationTable 1: Memory Grabber Specifications

Parameter Express Card Card BusTarget Laptop OS Windows

LinuxMac OS(32 bit and 64 bit versions)

WindowsLinuxMac OS(32 bit and 64 bit versions)

Operational Mode Tethered (USB)Un-Tethered (micro SD card)

Tethered (USB)

Data Integrity Available Yes YesData Acquisition Speed (nominal) 8 Mbytes per sec 2 Mbytes per sec



SRA PROPRIETARY



4 3BSUMMARYThe Memory Grabber system provides access to critical information resident in volatile memoryeven if the laptop is screen locked and password protected. The system can also be used toprovide dynamic analysis of running systems allowing engineers to analyze and view activememory while a system is running. One example of this would be the analysis of malware tounderstand the program’s memory footprint and how it affects the host system.

The Memory Grabber system is commercially available today, and has a defined roadmap toinclude new features and system extensions. The system has been designed in a modularfashion allowing easy customization and refinement based on the customer’s unique operationalneeds. For more information, to schedule a demonstration or to discuss unique requirementsand customization options, please contact us using the contact information on the title page of this document.

Documents

Memory Grabber' Forensics Tool (SRA Int'l)