Abstract
Page smear is a phenomenon that occurs when a system's volatile memory is dumped non-atomically: pages are copied one after another while the kernel keeps running, so the resulting image mixes memory states from different points in time. It is more pronounced on systems with large amounts of RAM and varied workloads, because acquisition takes longer and the mapping of physical pages changes more often while it runs. Smear considerably degrades the quality and reliability of the forensic artifacts obtained, as well as the analysis of such snapshots, since a page table entry read from the image may no longer describe the contents of the physical page it points to. We present SAM, a timeline-based mechanism for collecting page table state information that enables reliable memory analysis. It makes inconsistencies in the page table data structure visible over time and provides the investigator with a reliable, timestamped source of page table information for dealing with inconsistent values.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes
1 Later, PageDumper's functionality was extended to work on x86_64 Linux with a five-level paging hierarchy.
2 PageDumper saves the acquisition time of each page it acquires in milliseconds. For finer-grained timestamps, it can also log the time values in kernel jiffies. In , the column KERNEL_TIMER gives the acquisition time of the PTE by PageDumper in kernel jiffies.
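The following is an added, self-contained illustration of the timeline idea from the abstract and of the per-page acquisition timestamps described in note 2; it is example code written for this page, not SAM or PageDumper code, and its record layout, field names, the millisecond time unit and the sample data are constructed assumptions. It models a non-atomic acquisition in which every PTE observation and every copied physical frame carries a timestamp, then checks whether a translation read from the dumped page tables still held at the instant the target frame was copied. If it did not, the frame's bytes belong to whatever owned the frame at that moment, and the translation is flagged as smeared; the timeline is then used to find frames whose contents can actually be attributed to the virtual page.

```python
"""Added example (not SAM/PageDumper code): timeline-based consistency check
for page-table translations taken from a non-atomic memory dump.
All record formats, names and sample values below are constructed."""
from bisect import bisect_right
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

PAGE_SHIFT = 12                      # 4 KiB base pages, as on x86_64
PAGE_MASK = ~((1 << PAGE_SHIFT) - 1)


@dataclass(frozen=True)
class PteObservation:
    """One timestamped observation of a PTE (hypothetical SAM-style record)."""
    t_ms: int              # ms since acquisition start (constructed unit; jiffies would do)
    vaddr: int
    pfn: Optional[int]     # None means the page was not present at t_ms


@dataclass(frozen=True)
class FrameCapture:
    """When the contents of a physical frame were copied into the dump."""
    pfn: int
    t_ms: int


class PteTimeline:
    """Per-virtual-page history of PTE observations, ordered by time."""

    def __init__(self, observations: Iterable[PteObservation]) -> None:
        self._hist: Dict[int, List[PteObservation]] = {}
        for obs in observations:
            self._hist.setdefault(obs.vaddr & PAGE_MASK, []).append(obs)
        for hist in self._hist.values():
            hist.sort(key=lambda o: o.t_ms)

    def mapping_at(self, vaddr: int, t_ms: int) -> Optional[PteObservation]:
        """Most recent observation at or before t_ms (None if nothing yet)."""
        hist = self._hist.get(vaddr & PAGE_MASK, [])
        i = bisect_right([o.t_ms for o in hist], t_ms)
        return hist[i - 1] if i else None

    def frames_ever_mapped(self, vaddr: int) -> List[int]:
        """Every PFN this virtual page was observed to map to, ascending."""
        hist = self._hist.get(vaddr & PAGE_MASK, [])
        return sorted({o.pfn for o in hist if o.pfn is not None})


def check_translation(timeline: PteTimeline, captures: Dict[int, FrameCapture],
                      vaddr: int, pfn_from_dump: int) -> dict:
    """Validate one translation read out of the dumped page tables.

    pfn_from_dump is what the dumped PTE says vaddr maps to. The frame's bytes
    were copied at captures[pfn].t_ms; if the timeline shows vaddr was mapped
    elsewhere at that moment, the frame contents do not belong to vaddr."""
    cap = captures.get(pfn_from_dump)
    if cap is None:
        return {"status": "frame_missing", "pfn": pfn_from_dump}
    obs = timeline.mapping_at(vaddr, cap.t_ms)
    if obs is None:
        # Frame copied before the first observation of this page: cannot judge.
        return {"status": "unknown", "pfn": pfn_from_dump, "captured_at": cap.t_ms}
    if obs.pfn == pfn_from_dump:
        return {"status": "consistent", "pfn": pfn_from_dump, "captured_at": cap.t_ms}
    return {"status": "smeared", "pfn": pfn_from_dump, "captured_at": cap.t_ms,
            "mapped_at_capture": obs.pfn}


def reliable_frames(timeline: PteTimeline, captures: Dict[int, FrameCapture],
                    vaddr: int) -> List[int]:
    """Frames whose dumped contents can be attributed to vaddr, i.e. the frame
    was still mapped to vaddr at the instant its bytes were captured."""
    good = []
    for pfn in timeline.frames_ever_mapped(vaddr):
        cap = captures.get(pfn)
        if cap is None:
            continue
        obs = timeline.mapping_at(vaddr, cap.t_ms)
        if obs is not None and obs.pfn == pfn:
            good.append(pfn)
    return good


# Constructed scenario: page V is remapped from frame 0x1a2 to 0x3c4 at t=120 ms
# while acquisition is still running; frame 0x1a2 is only copied at t=130 ms.
V = 0x7f00_0000_1000
W = 0x7f00_0000_2000
OBSERVATIONS = [
    PteObservation(0, V, 0x1a2), PteObservation(60, V, 0x1a2), PteObservation(120, V, 0x3c4),
    PteObservation(0, W, 0x1a3), PteObservation(60, W, 0x1a3), PteObservation(120, W, 0x1a3),
]
CAPTURES = {c.pfn: c for c in [FrameCapture(0x1a2, 130), FrameCapture(0x1a3, 70),
                               FrameCapture(0x3c4, 140)]}
TIMELINE = PteTimeline(OBSERVATIONS)

if __name__ == "__main__":
    # The dumped page tables (captured early) still say V -> 0x1a2.
    print(check_translation(TIMELINE, CAPTURES, V, 0x1a2))   # status: smeared
    print(check_translation(TIMELINE, CAPTURES, W, 0x1a3))   # status: consistent
    print(reliable_frames(TIMELINE, CAPTURES, V))             # [0x3c4]
```

The check is only as fine as the observation interval: a mapping that changes and changes back between two observations is invisible to it, which is why finer timestamps such as the kernel jiffies of note 2 matter, and why a frame copied before its page's first observation is reported as unknown rather than consistent.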