Revisiting the evaluation of atomicity and integrity of memory acquisition methods

Art der Arbeit:

Master Thesis

Betreuer:

Freiling, Felix
Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)
Telefon +49 9131 85 69901, Fax +49 9131 85 69919, E-Mail: felix.freiling@fau.de

Völzow, Victor

Beschreibung der Arbeit:

Memory acquisition is a critical aspect of live data forensics, allowing investigators to capture volatile data from running systems for analysis. This proposed thesis aims to revisit the research done by Gruhn and Freiling about "Evaluating atomicity, and integrity of correct memory acquisition methods" from 2016. In that paper the authors present a black box analysis technique to evaluate the atomicity and integrity of memory acquisition procedures. Since the publication of that research, advancements have been made in memory acquisition tools and methods. This proposed thesis will evaluate the atomicity and integrity of memory dumps acquired using state-of-the-art memory acquisition tools, including new memory acquisition methods developed after 2016.

Research Questions:

• How do current state-of-the-art memory acquisition tools perform in terms of atomicity and integrity compared to the tools evaluated in the 2016 paper?

• What new memory acquisition methods have been developed since 2016, and how do they compare to previously established methods in terms of atomicity and integrity?

• Which effects do new operating systems and hardware developments like DDR4 and DDR5 memory have in terms of atomicity and integrity of acquired memory dumps?

• How have DMA-based memory acquisition tools evolved since the publication of the original paper, and what improvements have been made to address the limitations identified in the 2016 study?

Expected Outcomes:

• An updated evaluation of the atomicity and integrity of memory dumps acquired using state-of-the-art tools and methods.

• Identification of new memory acquisition methods and their performance compared to previously established techniques.

• Observations regarding the effects of new operating system versions and updated DRAM hardware on atomicity and integrity of acquired memory dumps.

• Insights into the development and advancements of DMA-based memory acquisition tools since the publication of the original paper.

• Recommendations for future research and development in the field of memory acquisition for digital forensics.

References:

• Michael Gruhn, Felix C. Freiling: Evaluating atomicity, and integrity of correct memory acquisition methods. Digit. Investig. 16 Supplement: S1-S10 (2016)

• Jenny Ottmann, Frank Breitinger, Felix C. Freiling: An Experimental Assessment of Inconsistencies in Memory Forensics. ACM Trans. Priv. Secur. 27(1): 2:1-2:29 (2024)

Vorausgesetzte Vorlesungen bzw. Kenntnisse:

Knowledge of digital forensic science from an introductory course on digital forensics (like "Forensische Informatik").

Bearbeitungszustand:

Die Arbeit ist noch offen.