Professional Documents
Culture Documents
a r t i c l e i n f o a b s t r a c t
Article history: Cyber forensics use memory acquisition in advanced forensics and malware analysis. We propose a
Received 10 July 2020 hypervisor based memory acquisition tool. Our implementation extends the volatility memory forensics
Received in revised form framework by reducing the processor's consumption, solves the in-coherency problem in the memory
6 December 2020
snapshots and mitigates the pressure of the acquisition on the network and the disk. We provide
Accepted 28 December 2020
Available online 23 March 2021
benchmarks and evaluation.
© 2021 Elsevier Ltd. All rights reserved.
Keywords:
Real time
ARM
Hypervisor
Virtualization
Linux
1. Introduction (Langner, 2011) and Sony BMG (Mulligan and Perzanowski, 2007)
rootkit. Stuxnet's purpose was to attack Iran's nuclear enrichment
A rootkit is a malware that hides itself along with the malicious program. Countries and elite intelligence agencies developed
payload that it carries (Blunden, 2012). Rootkit research is a cat and Stuxnet for espionage and sabotage purposes. Sony BMG rootkit
mouse game in all computing platforms. Researchers develop was designed to install and hide DRM software on end-user ma-
better forensics to detect rootkits while others develop state of-the- chines (Hoglund and Butler, 2006; Davis et al., 2009). These two
art rootkits. Our research improves the way LiME acquires memory examples demonstrate the rootkits that are no longer “hacker
images. We enhanced LiME's (Sylve, 2012) memory acquisition tool tools”, but rather tools employed by countries and top industrial
for Volatility (Farmer and Venema, 2009) memory forensics soft- companies for national and business purposes.
ware. Our system takes a precise, atomic memory image of an Despite having completely different authors and purposes, both
online system without stopping the online system. Furthermore, it software contained a similar concept of masking its existence by
is less suspect to acquisition errors as memory acquisition is done hiding the malware files and the running processes. Live memory
outside the operating system. Therefore the acquisition process is acquisition is a tool used by forensics researchers to reverse engi-
not vulnerable to stealth malware hiding. neer the malware. Forensics researchers attempt to identify the
We describe our design and implementation of an online authors, their goals, and any weakness in the malware itself.
memory forensics system. We also perform a performance analysis Volatility (Farmer and Venema, 2009; Case and Richard, 2017) is an
of memory acquisition performance figures on the online system. open source (GPLv2) framework for analysing memory (Aljaedi
et al., 2011). It is a forensics toolkit used to analyze memory
snapshots. Thus Volatility is often used to detect such hidden
2. Background malware (Oktavianto and Muhardianto, 2013).
* Corresponding author.
E-mail address: raziebe@gmail.com (R.B. Yehuda).
https://doi.org/10.1016/j.fsidi.2020.301106
2666-2817/© 2021 Elsevier Ltd. All rights reserved.
R.B. Yehuda, E. Shlingbaum, Y. Gershfeld et al. Forensic Science International: Digital Investigation 37 (2021) 301106
2.2. Forensics and volatility called microvisors. Henceforth, We use the term memory acquisi-
tion microvisor to describe our solution.
Volatility is state of the art RAM snapshot analysis software. It is
available for Windows, Linux, Mac, and Android, 32bit and partially 3. Contribution
64bit. Volatility is based on Python (Sanneret al., 1999), which
makes development in Volatility easy for most analysts. Also, Py- 3.1. High level design
thon is available on many operating systems, including Android
phones. Volatility availability on Android allows for local memory We use Volatility (Rotvold et al., 2007) and LiME to analyse the
capture and analysis, saving the need to transmit gigabytes of a memory to detect an irregular state. Our contribution focuses on
RAM snapshot over the network. Volatility API is extensible, and reducing CPU consumption and heat when using LiME. Our mem-
forensics researchers can add plugins easily. Volatility's developers ory acquisition microvisor also provides consistent memory im-
use a reverse engineering approach to understand the acquired ages. Also, we ported parts of Volatility to support 64bit ARM Linux
memory. Thus, Volatility provides capabilities and information that kernels.
are not usually possible through standard tools. For example,
examining undocumented data structures in windows OS. Vola-
3.2. Volatility
tility supports various formats: crash dumps, hibernation files,
VMware's vmem, VMware's saved state and suspended files (.vmss/
Volatility currently supports ARMv7 systems. One key difference
.vmsn), Virtual Box core dumps, LiME (Linux Memory Extractor),
between ARMv7 and ARMv8 regarding memory acquisition is that
expert witness (EWF), and direct physical memory over Firewire.
ARMv8 usually runs 64bit kernels while ARMv7 runs 32bit. We
Volatility is considered fast compared to other forensics tools. It
ported Volatility to ARM64 bit kernels and contributed our modi-
analyses the entire memory image file in a few seconds.
fications to the Volatility community. This approach is important
because most phones and Android devices today use ARMv8-a
2.3. LiME
processors and a 64bit Linux kernel.
LiME (Linux Memory Extractor) is a Linux kernel module that
performs acquisition of volatile memory on Linux distributions and 3.3. Microvised LiME
Linux kernel-based devices (Dave et al., 2014), such as Android.
Since LiME is a Linux kernel module, it does not require any user Our contribution concentrates on LiME. LiME creates a reflection
space tools to perform memory captures. Therefore, LiME memory of the computer's RAM by accessing each physical page and writing
captures are considered sounder than other memory acquisition it to the disk or the network (Algorithm 1). LiME scans the RAM
tools. Also, since LiME is a pure kernel module, it is easy to use it in sequentially and allocates an auxiliary page for each page, and
Android devices and embedded Linux devices in general. copies the page's contents to it. The auxiliary page is transmitted
(or written to disk) and then released.
2.4. ARM permission model
processes table after LiME already transmitted it. Therefore, start- LiME transmits, we recorded the first 500 page faults positions
ing and stopping the browser creates memory in-coherency. while LiME works. Table 1 presents the distance (in pages) between
Memory in-coherence is a result of processes that exist in mem- two consequent page faults. The total number of pages is 242000.
ory but not on the process table, pages that belong to a process that We performed the test above while the system was idle. We
does not exist in the table, etc. measured for each page fault the distance between the memory
Andrew et al. (Case and Richard, 2017) describe other in- addresses of two consecutive page faults.
coherency reasons, such as multiples cores, the increasing The pages position distribution is vast. Therefore, we expected
amount of RAM and the kernel heuristics, and point the increasing to find inconsistencies in the memory image snapshot.
amount of RAM as the reason for page smearing (page smearing is Thus, this paper offers a technique to solve the inconsistency.
type of memory in-coherence. page smearing occur when a page We wrap the GPOS (General Purpose Operating System, such as
content is changed while it is acquired). In this paper context, (Case Linux or Android) by a minimal virtual machine (VM), and during
and Richard, 2017) mention two techniques to deal with page the acquisition, we record and copy the faulting page content
smearing: before it is transmitted. In virtual machines, when a guest accesses
a page, the Memory Management Unit (MMU) traps it to a sec-
Leveraging virtual machine hardware extensions. Use various ondary page table managed by the hosting machine. This mecha-
virtualization techniques, such as blue pill (a hypervisor that nism is referred to as a stage 2 fault. In ARM, the second (stage 2)
traps an instance of a guest OS without being detected) memory table is called the Intermediate Physical Addresses (IPA)
(Rutkowska, 2006; Algawi et al., 2019), to acquire the memory. (Penneman et al., 2013a).
Smear-aware acquisition tools. Provide the acquisition tool
awareness to changes in page tables.
Table 1
Our technology utilizes virtualization to acquire memory, but Page faults distribution measured in page offsets.
without freezing the operating system (hibernation). Avg Min Max Std dev
To emphasise versatility of the RAM (and page smearing) while 426 236990 236921 44837
3
R.B. Yehuda, E. Shlingbaum, Y. Gershfeld et al. Forensic Science International: Digital Investigation 37 (2021) 301106
4
R.B. Yehuda, E. Shlingbaum, Y. Gershfeld et al. Forensic Science International: Digital Investigation 37 (2021) 301106
hypervisor map(kernel addr) ¼ address þ offset stress –vm-bytes 128M –timeout 80s –vm 4
These mappings are used to execute code and access general To measure memory speed, we used RAMspeed (Hollander and
management data from both the kernel and the hypervisor. Bolotoff, 2011).
hypervisor map2(physical address) ¼ physical address In Table 2 we attempted to simulate more closely real-world
computing load through the use of RAMspeed. A, B and C are lo-
These mappings are used only in the page trap function of the cations in the memory. In SCALE m is a constant.
microvisor. The trap copies the data to be used later by LiME. There is no difference when using a two-stage translation to a
single-stage translation. We have shown that IPA does not influence
memory access performance.
Table 2
that provides such introspection services under KVM. It provides
Real world load GB/s.
VM based snapshots and has an integrated volatility plugin. It was
Test COPY A ¼ B SCALE A ¼ m · B ADD A þ B ¼ C also suggested to use Lguest (Russel, 2007) or Xen (Barham et al.,
Single Stage 2.76 1.52 2.60 2003) for detection of kernel bugs (Khen et al., 2013), profiling
Dual Stage 2.74 1.52 2.53 (Menon et al., 2005), Hypertracing (Benbachir and Dagenais, 2018),
security issues (Zaidenberg and Khen, 2015), and access the guest's
memory through a thin hypervisor for remote attestation as sug-
evident that even the linear version of microvised LiME does not gested by Kiperberg et al. (2019). Forenvisor (Qi et al., 2016) uses
incur any significant performance risks. the hypervisor to grab and store forensics data on the cloud for later
inspection. Kiperberg et al. (2019) provided a system for atomic
4.4. Non-linear acquisition memory acquisition and guaranteed atomic access in 86 archi-
tecture. Kiperberg et al. approach aimed to solve two main prob-
Here we demonstrate the processor's consumption and the time lems, multiprocessing, and ASLR (address space layout
it takes to perform a nonlinear acquisition. The variable we change randomization). To handle multiprocessing in 86, Kiperberg et al.
in Table 6 and is the delay duration in each cycle. We provide used a special API to synchronize access to the page table on all
measures of the processor's consumption and the duration of the processors. Our solution handles this differently, the page table is
entire acquisition. shared on all processors, and access to the page table is synchro-
Table 6 proves that it is possible to perform an acquisition with nized using spinlocks. Regarding ASLR, this paper assumes that
very little processor consumption. The trade-off is a considerably ASLR is disabled on the suggested system.
long acquisition duration, in some cases over an hour. An additional Andrew et al. (Case and Richard, 2017) discuss page swapping
benefit of this technique is that it has a low I/O load. The method and demand paging as another obstacle to complete the acquisition
does not congest the disk, or in the network case, mild network of memory. Our technique does not acquire swap space or fetches
traffic. Thus it is possible to run the acquisition over a cellular pages of incomplete processes. At this stage, it is not clear whether
medium. the Volatility framework is capable to incorporate swap space and
on-demand pages.
5. Related work In Microsoft Windows operating systems, projects, like Power-
shell Empire (Bialek, 2020), exploit Windows PowerShell. Power-
In recent years it was proposed to use hypervisors for many shell Empire does not execute the PowerShell executable file from
the file-system but runs directly from the memory. Empire provides
security purposes such as machine introspection and debugging
(Zaidenberg, 2018). The introspection of virtual machines by the keylogging, credential theft, and more. As a result, memory foren-
sics tools fail to detect the execution of PowerShell and are forced to
hypervisor was researched heavily. Libvmi (Payne, 2012) is a library
6
R.B. Yehuda, E. Shlingbaum, Y. Gershfeld et al. Forensic Science International: Digital Investigation 37 (2021) 301106
Table 3
Total number of page faults during LiME.
Table 4
Duration of the memory dump, idle/busy modes.
Without a microvisor
Idle mode 74 72 76 1.4
Busy mode 84 83 85 0.7
With a microvisor
Idle mode 80 74 96 7.68
Busy mode 83 81 85 0.9
Table 5
Processor utilisation in Idle mode.
no microvisor 52 50 53 1
With a microvisor 48.8 39 52 4.5
Table 6
Duration of non linear acquisition.
10 ms 4860 17
20 ms 6600 12
50 ms 14520 5
disk or the network, and therefore it is possible to perform it over assisted atomic memory acquisition in modern systems. In: International
Conference on Information Systems Security and Privacy. SCITEPRESS Science
wireless embedded devices, mainly mobile phones. Our code
And Technology Publications.
footprint is considerably low, about 2200 lines of microvisor code. Langner, R., 2011. Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9 (3),
49e51.
Declaration of competing interest Levin, J., 2015. Android Dalvik and Art.
Macht, H., 2012. Dalvikvm Support for Volatility.
Menon, A., Santos, J.R., Turner, Y., Janakiraman, G.J., Zwaenepoel, W., 2005. Diag-
The authors declare that they have no known competing nosing performance overheads in the xen virtual machine environment. In:
financial interests or personal relationships that could have Proceedings of the 1st ACM/USENIX International Conference on Virtual
Execution Environments. ACM, pp. 13e23.
appeared to influence the work reported in this paper. Mulligan, D.K., Perzanowski, A.K., 2007. The magnificence of the disaster: recon-
structing the sony bmg rootkit incident. Berkeley Tech. LJ 22, 1157.
References Oktavianto, D., Muhardianto, I., 2013. Cuckoo Malware Analysis. Packt Publishing
Ltd.
Payne, B.D., 2012. Simplifying Virtual Machine Introspection Using Libvmi. Sandia
Algawi, A., Kiperberg, M., Leon, R., Resh, A., Zaidenberg, N., 2019. Creating modern
Report, pp. 43e44.
blue pills and red pills. In: ECCWS 2019 18th European Conference on Cyber
Penneman, N., Kudinskas, D., Rawsthorne, A., De Sutter, B., De Boss-chere, K., 2013a.
Warfare and Security. Academic Conferences and publishing limited, p. 6.
Formal virtualization requirements for the arm architecture. J. Syst. Architect.
Aljaedi, A., Lindskog, D., Zavarsky, P., Ruhl, R., Almari, F., 2011. Comparative analysis
59 (3), 144e154.
of volatile memory forensics: live response vs. memory imaging. In: 2011 IEEE
Penneman, N., Kudinskas, D., Rawsthorne, A., De Sutter, B., De Boss chere, K., 2013b.
Third International Conference on Privacy, Security, Risk and Trust and 2011
Formal virtualization requirements for the arm architecture. J. Syst. Architect.
IEEE Third International Conference on Social Computing. IEEE, pp. 1253e1258.
59 (3), 144e154.
Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I.,
Pontiroli, S.M., Martinez, F.R., 2015. The tao of .net and powershell malware anal-
Warfield, A., 2003. Xen and the art of virtualization. In: ACM SIGOPS Operating
ysis. In: Virus Bulletin Conference.
Systems Review, vol. 37. ACM, pp. 164e177.
Qi, Z., Xiang, C., Ma, R., Li, J., Guan, H., Wei, D.S., 2016. Forenvisor: a tool for ac
Benbachir, A., Dagenais, M.R., 2018. Hypertracing: tracing through virtualization
quiring and preserving reliable data in cloud live forensics. IEEE Trans. Cloud
layers. IEEE Trans. Cloud Comput. https://doi.org/10.1109/TCC.2018.2874641.
Comput. 5 (3), 443e456.
Bialek, J., 2020. Powershell Empire. https://www.powershellempire.com.
E. D. Rotvold, D. R. Lattimer, M. J. Green, R. J. Karschnia, and M. A. Peluso. Interface
Blunden, B., 2012. The Rootkit Arsenal: Escape and Evasion in the Dark Corners of
Module for Use with a Modbus Device Network and a Fieldbus Device Network,
the System. Jones & Bartlett Publishers.
July 17 2007. US Patent 7,246,193.
Case, A., Richard III, G.G., 2017. Memory forensics: the path forward. Digit. Invest.
Russel, R., 2007. lguest: implementing the little linux hypervisor. OLS 7, 173e178.
20, 23e33.
Rutkowska, J., 2006. Introducing blue pill. The official blog of the invisible things.
Dall, C., Nieh, J., 2014. Kvm/arm: the design and implementation of the linux arm
org 22 (23).
hypervisor. ISBN 978-1-4503- 2305-5. In: Proceedings of the 19th International
Sanner, M.F., et al., 1999. Python: a programming language for software integration
Conference on Architectural Support for Programming Languages and Oper-
and development. J. Mol. Graph. Model. 17 (1), 57e61.
ating Systems, ASP LOS ’14. ACM, New York, NY, USA, pp. 333e348. https://
Sylve, J., 2012. Android mind reading: memory acquisition and analysis with dmd
doi.org/10.1145/2541940.2541946.
and volatility. In: Shmoocon 2012.
Dave, R., Mistry, N.R., Dahiya, M., 2014. Volatile memory based forensic artifacts &
Winter, J., 2008. Trusted computing building blocks for embedded linux-based arm
analysis. Int. J. Res. Appl. Sci. Eng. Technol. 2 (1), 120e124.
trustzone platforms. In: Proceedings of the 3rd ACM Workshop on Scalable
Davis, M., Bodmer, S., LeMasters, A., 2009. Hacking Exposed Malware and Rootkits.
Trusted Computing. ACM, pp. 21e30.
McGraw-Hill, Inc.
Yehuda, R.B., Zaidenberg, N.J., 2020. Protection against reverse engineering in arm.
Farmer, D., Venema, W., 2009. Forensic Discovery. Addison-Wesley Professional.
Int. J. Inf. Secur. 19 (1), 39e51.
Hoglund, G., Butler, J., 2006. Rootkits: Subverting the Windows Kernel. Addison
Zaidenberg, N.J., 2018. Hardware rooted security in industry 4.0 systems. Cyber
Wesley Professional.
Defence in Industry 4.0 Systems and Related Logistics and IT Infrastructures 51
Hollander, R.M., Bolotoff, P.V., 2011. Ram speed, a Cache and Memory Bench
(135).
Marking Tool.
Zaidenberg, N.J., Khen, E., 2015. Detecting kernel vulnerabilities during the devel-
Khen, E., Zaidenberg, N.J., Averbuch, A., Fraimovitch, E., 2013. Lgdb 2.0: using lguest
opment phase. In: 2015 IEEE 2nd International Conference on Cyber Security
for kernel profiling, code coverage and simulation. In: 2013 International
and Cloud Computing. IEEE, pp. 224e230.
Symposium on Performance Evaluation of Computer and Telecommunication
Zhang, L., Wang, L., Zhang, R., Zhang, S., Zhou, Y., 2010. Live memory acquisition
Systems (SPECTS). IEEE, pp. 78e85.
through firewire. In: International Conference on Forensics in Telecommunica
King, C.I., 2017. Stress-ng. http://kernel.ubuntu.com/git/cking/stressng.git/(visited
Tions, Information, and Multimedia. Springer, pp. 159e167.
on 28/03/2018).
Kiperberg, M., Leon, R., Resh, A., Algawi, A., Zaidenberg, N., 2019. Hypervisor