WORKSHOP - Investigating Live CDs using Volatility and Physical Memory Analysis presented at BlackhatUSA 2011

by Andrew Case,


Summary : Traditional digital forensics encompasses the examination of data from an offline or "dead" source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a large problem for this forensics model though as they run solely in RAM and do not interact with the local disk. This removes the ability to perform an orderly examination since the filesystem is no longer readily available and putting random pages of data into context can be very difficult for in-depth investigations.
During this workshop we will perform a hands-on investigation of a live CD memory capture. This will include using newly developed Volatility functionality that allows for complete recovery of the in-memory filesystem. After we have recovered the filesystem, we will then gather traditional in-memory information such as process listings, memory maps, open files, and network connections. We will finish the investigation by correlating recovered data to solve the case and formulate our final results. Throughout the workshop there will be illustrations of the in-memory data structures being recovered as well as numerous source code examples, both from the Linux kernel as well as the Volatility scripts being used.
Upon conclusion of the workshop, attendees will have an understanding of the power of memory analysis, the unique issues presented by live CDs, and will be able to use Volatility in real forensics investigations. To participate, attendees only need to bring a laptop with Python installed. The live demonstrations will be done using Linux, but Windows and Mac users will also be able to fully participate. All workshop-specific materials will be provided by the instructor.