As if time had stopped - checking memory dumps for quasi-instantaneous consistency

Memory dumps that are acquired while the system is running often contain inconsistencies like page smearing which hamper the analysis. One possibility to avoid inconsistencies is to pause the system during the acquisition and take an instantaneous memory dump. While this is possible for virtual machines, most systems cannot be frozen, and thus the ideal dump can only be quasi-instantaneous, i.e., consistent despite the system running. In this article, we introduce a method allowing us to measure quasi-instantaneous consistency and show, both theoretically and practically, that our method is valid but that in reality dumps can be, but usually are not, quasi-instantaneously consistent. For the assessment, we run a pivot program enabling the evaluation of quasi-instantaneous consistency for its heap and allowing us to pinpoint where exactly inconsistencies occurred.

Metadata
Author: Jenny Ottmann, Üsame Cengiz, Frank Breitinger, Felix Freiling
URN: urn:nbn:de:bvb:384-opus4-1177072
Frontdoor URL: https://opus.bibliothek.uni-augsburg.de/opus4/117707
URL: https://dfrws.org/presentation/as-if-time-had-stopped-checking-memory-dumps-for-quasi-instantaneous-consistency/
Parent Title (English): Proceedings of the Digital Forensics Research Conference USA (DFRWS USA) 2023, July 09-12, 2023, Baltimore, MD, USA, hybrid
Publisher: DFRWS
Place of publication: Trumansburg, NY
Editor: Aaron Sparling, Parag Rughani
Type: Conference Proceeding
Language: English
Date of Publication (online): 2024/12/18
Year of first Publication: 2023
Publishing Institution: Universität Augsburg
Release Date: 2024/12/18
First Page: 1
Last Page: 11
Institutes: Fakultät für Angewandte Informatik
Fakultät für Angewandte Informatik / Institut für Informatik
Fakultät für Angewandte Informatik / Institut für Informatik / Lehrstuhl für Cybersicherheit
Dewey Decimal Classification: 0 Computer science, information and general works / 00 Computer science, knowledge, systems / 004 Data processing; computer science
Licence (German): Deutsches Urheberrecht (German copyright law)