Hardware-Based Methods for Memory Acquisition
Analysis and Improvements
Abstract
Some server hosters facilitate cyber crime either intentionally (so-called “bulletproof hosters”) or unintentionally (“bad hosters”). When dealing with uncooperative hosters during forensic investigations, it may sometimes be necessary to collect data or information on the servers without help from the owner of the server. Data within the RAM might prove insightful in, for example, determining active processes or revealing cryptographically interesting information such as encryption keys. The thesis explains key concepts within memory organization and the PCIe standard. Afterwards, it discusses several techniques for RAM acquisition and categorizes and evaluates them using a model-based approach. The thesis then dives deeper into DMA-based memory acquisition using PCIe and proposes several improvements to current DMA attacks in order to create a better memory acquisition technique. A novel memory acquisition technique is created by hot-plugging a PCIe device and skipping over the regular enumeration procedure. This technique allows the memory acquisition to be executed without a reboot and provides a stealthy approach to accessing the memory.