SAM: A Mechanism to Facilitate Smear-Aware Forensic Analysis of Volatile System Memory

Abstract

Page smear is a phenomenon that occurs when a system’s volatile memory dump is obtained in a non-atomic manner; it’s more common in systems with a lot of RAM and different workloads. It has a considerable impact on the quality and reliability of the forensic artifacts obtained, as well as the analysis of such snapshots. We present SAM, a timeline-based page table state information collection mechanism that enables a reliable memory analysis. It facilitates visualizing inconsistencies in the page table data structure and provides the investigator with a reliable source of page table information to deal with the inconsistent values.

Keywords:

• Memory forensics
• page smear
• timeline-based analysis
• PageDumper
• LiME

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

1 Later, PageDumper’s functionality was extended to work on x86_64-bit Linux with five level paging hierarchy.

2 PageDumper saves the time value for each page it acquires in milliseconds. For a more granular level of timestamp collection, it also allows to log the time values in terms of kernel jiffies. In Figure 6, the column KERNEL_TIMER provide the acquisition time for the PTE by PageDumper in kernel jiffies.