Semester of Graduation

Spring 2022

Degree

Master of Science in Computer Science (MSCS)

Department

Computer Science

Document Type

Thesis

Abstract

Memory forensics allows an investigator to analyze the volatile memory (RAM) of a computer, providing a view into the system state of the machine as it was running. Examples of items found in memory samples that are of interest to investigators are kernel data structures representing processes, files, and sockets. The SLUB allocator is the default small-request memory allocator for modern Linux systems. SLUB allocates “slabs”, which are contiguous sections of pre-allocated memory used to efficiently service allocation requests. The predecessor to SLUB, the SLAB allocator, tracked every slab it allocated, which made extracting allocated slabs relatively easy from a memory forensics perspective. One of the changes introduced by SLUB is that it may not always track slabs once they become full. This poses a problem for memory forensics, as it removes the tracking mechanisms previously leveraged to extract slabs. We researched and developed a technique that uses a mix of carving and linked list enumeration to locate slabs allocated by SLUB. This technique finds objects that are allocated by SLUB and carves the adjacent memory to find similar objects. We implemented our technique in a Volatility plugin, slab_carve, and demonstrate its ability to extract artifacts from memory. The addition of the developed plugin to the Volatility framework will allow investigators to recover a wealth of information that has been missing since the Linux kernel's switch from the SLAB to the SLUB allocator. This newly available information can aid recovery of further system state, reconstruct the activities of attackers that abuse a system, and recover traces of malware.
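The two-step idea described in the abstract, in an added toy illustration that is not the thesis's slab_carve plugin and does not use real kernel structures: a linked list reachable from a known head yields a few objects, the page containing each of them is treated as the slab, and every slot of that page is then scanned for objects that pass the same sanity checks. The 32-byte object layout, the MAGIC validity marker, the one-page slab size and the sample image are all constructed assumptions made for the example.

```python
"""Toy slab carving: list walk to find anchor objects, then carve the containing page.
Added illustration; object layout, MAGIC marker and sample image are constructed."""
import struct

PAGE_SIZE = 4096
OBJ_SIZE = 32            # toy object size (a real slab cache has its own object size)
MAGIC = 0x5A5A5A5A       # hypothetical validity marker standing in for the structural
                         # sanity checks a real plugin applies to a candidate object
PID_MAX = 4_194_304      # upper bound used as a plausibility check on the pid field
OBJ_FMT = "<II16sQ"      # magic, pid, 16-byte name, next pointer (0 = end of list)


def pack_obj(pid, name, next_addr):
    """Serialize one toy object."""
    return struct.pack(OBJ_FMT, MAGIC, pid, name.encode().ljust(16, b"\0"), next_addr)


def build_sample_image(base=0x10000):
    """Constructed image: one 4 KiB slab page of OBJ_SIZE slots mapped at `base`.
    Slots 3 -> 10 -> 40 are chained on a list; slots 77 and 120 are live but not on
    any list; slot 50 is a stale slot whose magic survived but whose pid is invalid;
    every other slot is zero (free). Returns (image, base, list_head_address)."""
    slots = [b"\0" * OBJ_SIZE] * (PAGE_SIZE // OBJ_SIZE)
    addr = lambda i: base + i * OBJ_SIZE
    slots[3] = pack_obj(1, "systemd", addr(10))
    slots[10] = pack_obj(412, "sshd", addr(40))
    slots[40] = pack_obj(1337, "bash", 0)
    slots[77] = pack_obj(2048, "cron", 0)
    slots[120] = pack_obj(2101, "nc", 0)
    slots[50] = pack_obj(0, "stale", 0)   # pid 0 fails the sanity check below
    return b"".join(slots), base, addr(3)


def read_obj(image, base, addr):
    """Return the OBJ_SIZE bytes at virtual address `addr`, or None if out of range."""
    off = addr - base
    if off < 0 or off + OBJ_SIZE > len(image):
        return None
    return image[off:off + OBJ_SIZE]


def is_plausible(raw):
    """Sanity checks a candidate slot must pass: magic, pid range, printable name."""
    magic, pid, name, _next = struct.unpack(OBJ_FMT, raw)
    if magic != MAGIC or not (0 < pid <= PID_MAX):
        return False
    name = name.split(b"\0", 1)[0]
    return len(name) > 0 and all(0x20 <= c < 0x7F for c in name)


def walk_list(image, base, head_addr, limit=1_000_000):
    """Follow next pointers from head_addr; stop on null, cycle, bad object or limit."""
    seen, out, addr = set(), [], head_addr
    while addr and addr not in seen and len(out) < limit:
        raw = read_obj(image, base, addr)
        if raw is None or not is_plausible(raw):
            break
        seen.add(addr)
        out.append(addr)
        addr = struct.unpack_from("<Q", raw, 24)[0]
    return out


def slab_containing(addr):
    """Assumes a slab is exactly one page, so the slab start is the page boundary."""
    return addr & ~(PAGE_SIZE - 1)


def carve_slab(image, base, slab_addr, obj_size=OBJ_SIZE):
    """Scan every obj_size-aligned slot of the page at slab_addr for plausible objects."""
    found = []
    for off in range(0, PAGE_SIZE, obj_size):
        raw = read_obj(image, base, slab_addr + off)
        if raw is not None and is_plausible(raw):
            found.append(slab_addr + off)
    return found


def recover(image, base, head_addr):
    """Return (objects reached by the list, all objects carved from their slabs)."""
    listed = walk_list(image, base, head_addr)
    carved = set()
    for a in listed:
        carved.update(carve_slab(image, base, slab_containing(a)))
    return listed, sorted(carved)


if __name__ == "__main__":
    img, base, head = build_sample_image()
    listed, carved = recover(img, base, head)
    print("reached via list:", [hex(a) for a in listed])
    print("carved from slab:", [hex(a) for a in carved])
```

The list walk alone recovers three objects; carving the page they live in additionally surfaces the two live objects that no list points at, while the zeroed free slots and the stale slot with an invalid pid are rejected by the plausibility checks. The same structure, anchor objects from enumeration followed by a stride scan of the containing region with structural validation, is what makes carving usable against slabs that the allocator no longer tracks.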

Committee Chair

Richard, Golden

DOI

10.31390/gradschool_theses.5574
