Memory Layout Extraction and Verification Method for Reliable Physical Memory Acquisition

Physical memory acquisition is a prerequisite when performing memory forensics, referring to a set of techniques for acquiring and analyzing traces associated with user activity information, malware analysis, cyber incident response, and similar areas when the traces remain in the physical RAM. However, certain types of malware have applied anti-memory forensics techniques to evade memory analysis strategies or to make the acquisition process impossible. To disturb the acquisition process of physical memory, an attacker hooks the kernel API, which returns a map of the physical memory spaces, and modifies the return value of the API, specifically that typically used by memory acquisition tools. Moreover, an attacker modifies the kernel object referenced by the kernel API. This causes the system to crash during the memory acquisition process or causes the memory acquisition tools to incorrectly proceed with the acquisition. Even with a modification of one byte, called a one-byte modification attack, some tools fail to acquire memory. Therefore, specialized countermeasure techniques are needed for these anti-memory forensics techniques. In this paper, we propose a memory layout acquisition method which is robust to kernel API hooking and the one-byte modification attack on NumberOfRuns, the kernel object used to construct the memory layout in Windows. The proposed acquisition method directly accesses the memory, extracts the byte array, and parses it in the form of a memory layout. When we access the memory, we extract the _PHYSICAL_MEMORY_DESCRIPTOR structure, which is the basis of the memory layout without using the existing memory layout acquisition API. Furthermore, we propose a verification method that selects a reliable memory layout. We realize the verification method by comparing NumberOfRuns and the memory layout acquired via the kernel API, the registry, and the proposed method. The proposed verification method guarantees the reliability of the memory layout and helps secure memory image acquisition through a comparative verification with existing memory layout acquisition methods. We also conduct experiments to prove that the proposed method is resistant to anti-memory forensics techniques, confirming that there are no significant differences in time compared to the existing tools.