Memory Acquisition and Forensics

Question 1

Memory Forensics - In-System Acquisition:

Answer 1

Software based acquisition methods of volatile information including RAM and other system state may rely on processes in the target of observation or full on emulation may be an exception, but this is an extremely specialised case and not realistic as it requires resources several orders of magnitude larger than of the target system

Question 2

Memory Forensics - External Acquisition:

Answer 2

Hardware-based acquisition methods can be designed in a way that the target is not altered

Question 3

In-System (Live) Acquisition Limits:

Answer 3

Any in-system acquisition will alter the state of the system it intended to be acquired

Question 4

Although it may be possible to gain an approximate understanding of the effects of this observation, there are several fundamental limits:

Answer 4

• The exact system state that would exist without the intervention of the acquisition system cannot be known a priori
• The presence of counter-forensic components may prevent accurate acquisition, even when using tamper-resistant components

Question 5

For in-system acquisition some of he key problems arise from the fact that it is not possible to freeze the target system completely:

Answer 5

• Acquiring a memory snapshot takes time, even if one were to stop all concurrent processing units bar one and not all system state can be captured reliably
• As a result, software-based snapshots are normally not completely atomic, i.e. not all causality may be correctly represented in a memory image

Question 6

Why do we need a write blocker:

Answer 6

The write blocker is a software or hardware component that prevents the computer from changing any data on the suspects hard drive