Hardware-Based Methods for Memory Acquisition
Analysis and Improvements
R. van Leenen (TU Delft - Electrical Engineering, Mathematics and Computer Science)
M Taouil – Mentor (TU Delft - Computer Engineering)
M.L.J. van Beusekom – Graduation committee member (TU Delft - Computer Engineering)
N. van Heijningen – Graduation committee member (Nederlands Forensisch Instituut (NFI))
S Hamdioui – Graduation committee member (TU Delft - Quantum & Computer Engineering)
René Leuken – Graduation committee member (TU Delft - Signal Processing Systems)
J. Rongen – Coach (Nederlands Forensisch Instituut (NFI))
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
Some server hosters facilitate cyber crime either intentionally (so-called “bulletproof hosters”)
or unintentionally (“bad hosters”). When dealing with uncooperative hosters
during forensic investigations, it may sometimes be necessary to collect data or
information on the servers without help from the owner of the server. Data
within the RAM might prove insightful in, for example, determining active
processes or revealing cryptographically interesting information like encryption
keys. The thesis explains key concepts within memory organization and the PCIe
standard. Afterwards, it discusses several techniques for RAM acquisition and
categorizes and evaluates them using a model-based approach. The thesis then
dives deeper into DMA-based memory acquisition using PCIe and proposes several
improvements to current DMA attacks in order to create a better memory
acquisition technique. A novel memory acquisition technique is created by
hot-plugging a PCIe device and skipping over the regular enumeration procedure.
This technique allows the memory acquisition to be executed without a reboot and
provides a stealth approach to accessing the memory.