
The Forensic Analysis ToolKit
Overview
The Forensic Analysis Toolkit (FATKit) is a new cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. The framework is intended for researchers, law enforcement professionals, and forensics analysts who are interested in extracting and interpreting relevant information in the wake of a crime or incident. FATKit was developed in response to a growing trend in the development of offense-oriented frameworks (e.g., penetration/exploitation, rootkits, worms). As a result of this coordinated development, the sophistication of methods and the accessibility of knowledge have continued to grow unabated in the offensive community. Many of these technologies have begun to focus on anti-forensics techniques, such as leveraging the complexities associated with physical memory analysis.
FATKit automates the extraction and visualization of digital objects found in physical memory, thereby freeing the forensic analyst from the tedious aspects of low-level data extraction. FATKit was designed to facilitate the extraction, analysis, aggregation, and visualization of forensic data at various levels of abstraction and data complexity. The framework also includes tools to automate the development of forensic profiles for applications, from web browsers to the operating system kernel. Additionally, as development continues, FATKit will be augmented to include a set of tools and techniques to facilitate case management.
The FATKit framework currently includes modules for virtual address space reconstruction, virtual to physical address translation, and visualization. The framework employs a number of visualization and data mining techniques to improve analysis and facilitate searching through large amounts of data.
Features
The first release of FATKit is expected to include the following useful features:
Architecture and Operating System Support
- Support for x86-based virtual address spaces and native data types.
- Linux- and Windows-specific kernel analyses including process/task enumeration, module enumeration, and memory-resident malicious code detection.
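The virtual address space reconstruction and virtual-to-physical translation mentioned above come down to walking the page tables stored in the memory image itself. The following is an added example (not FATKit's own code) of a 32-bit, non-PAE x86 page-table walk over a raw physical memory image, including 4 MiB large pages, non-present entries, and reads that cross a page boundary; the image layout, CR3 value and string contents are constructed for the demo.

```python
import struct

PAGE_SIZE = 0x1000
PRESENT = 1          # bit 0 of a PDE/PTE
PS = 1 << 7          # PDE bit 7: entry maps a 4 MiB page directly

def read_u32(image, phys):
    """Little-endian 32-bit read at a physical offset in the image."""
    return struct.unpack_from("<I", image, phys)[0]

def translate(image, cr3, vaddr):
    """Walk the two-level page tables rooted at CR3; return the physical
    address for vaddr, or None if any level is not present."""
    pde = read_u32(image, (cr3 & ~0xFFF) + ((vaddr >> 22) & 0x3FF) * 4)
    if not pde & PRESENT:
        return None
    if pde & PS:  # large page: 22-bit offset, no page table to consult
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = read_u32(image, (pde & ~0xFFF) + ((vaddr >> 12) & 0x3FF) * 4)
    if not pte & PRESENT:
        return None
    return (pte & ~0xFFF) | (vaddr & 0xFFF)

def read_virtual(image, cr3, vaddr, length):
    """Read a virtual range page by page, so a read crossing a page
    boundary lands on each page's own physical frame; fail loudly on
    unmapped pages instead of returning garbage."""
    out = bytearray()
    while length:
        phys = translate(image, cr3, vaddr)
        if phys is None:
            raise ValueError(f"unmapped virtual address {vaddr:#010x}")
        n = min(length, PAGE_SIZE - (vaddr & 0xFFF))
        out += image[phys:phys + n]
        vaddr, length = vaddr + n, length - n
    return bytes(out)

def build_sample_image():
    """Constructed 8 MiB image: page directory at 0x1000 (CR3), one page
    table at 0x2000, 4 KiB frames at 0x5000/0x7000, a 4 MiB page at 0x400000."""
    img = bytearray(8 << 20)
    struct.pack_into("<I", img, 0x1000 + 1 * 4, 0x2000 | 0x3)     # PDE 1 -> page table
    struct.pack_into("<I", img, 0x1000 + 2 * 4, 0x400000 | 0x83)  # PDE 2 -> 4 MiB page (PS set)
    struct.pack_into("<I", img, 0x2000 + 1 * 4, 0x5000 | 0x3)     # PTE 1: 0x00401000 -> 0x5000
    struct.pack_into("<I", img, 0x2000 + 2 * 4, 0x7000 | 0x3)     # PTE 2: 0x00402000 -> 0x7000
    img[0x5FF8:0x6000] = b"FATKitDe"  # string that straddles two non-adjacent frames
    img[0x7000:0x7004] = b"mo!!"
    return bytes(img)
```

Reading the string at virtual 0x00401FF8 only succeeds because each page is translated separately; a naive linear read of the image would return bytes from 0x6000 instead.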
Automation, Reuse, and Extensibility
- Profile-based type system allows low-level types to be mapped to higher-level constructs and distributed for various software builds.
- Automated profile generation tools allow for the extraction of low-level object formats when source code is available.
- Scriptable analysis modules allow analysts to easily implement specialized or proprietary extraction techniques using a high-level language, rather than hand-coded routines.
- Modular design allows for the easy extension to new architectures and operating systems.
Visualization Modules
- Object Browser: The FATKit Object Browser enables analysts to interpret binary memory objects at the level of abstraction of the source code's high-level language. With current support for applications that are written in the C programming language, the browser allows analysts to expand and collapse in-memory objects and their nested fields, follow pointers, and cast objects to other data formats.
- Address Space Viewer: The FATKit Address Space Viewer allows analysts to visualize data as it appears in a particular virtual or physical address space. The current feature set includes color-coded objects, hexadecimal and ASCII data representations, and support for overlaying symbol names and analyst notes at particular offsets. The Address Space Viewer is also integrated with the Object Browser to allow for multiple, consistent views of the same low-level data.
Contact and Information
FATKit was invented and is under active development by:
If you are interested in getting involved, receiving training on volatile memory forensics, or would like to see a demo, please contact us at . We are currently holding training sessions in the Washington, D.C. area.
Support
The following companies have supported the research and development of FATKit:
Mailing List
We are currently in the process of establishing a public mailing list for discussing volatile memory analysis. If you are interested in joining, please contact us at .
Publications
Journals
- N. Petroni, A. Walters, T. Fraser, and W. Arbaugh, "FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory," Digital Investigation Journal 3(4):197-210, December 2006. Accepted Author's Manuscript, submitted February 2006.
- X. Jiang, F. Buchholz, A. Walters, D. Xu, Y. Wang, E. H. Spafford, "Tracing Worm Break-in and Contaminations via Process Coloring: A Provenance-Preserving Approach", IEEE Transactions on Parallel and Distributed Systems, 2007.
Conferences
- N. Petroni and M. Hicks, "Automated Detection of Persistent Kernel Control-Flow Attacks," Proc. of the 14th ACM Conference on Computer and Communications Security, October 2007.
- A. Walters and N. Petroni, "Volatools: Integrating Volatile Memory Forensics into the Digital Investigation Process," Black Hat DC 2007, February 2007.
- N. Petroni, T. Fraser, A. Walters, and W. Arbaugh, "An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data," Proc. of the 15th USENIX Security Symposium, August 2006.
- X. Jiang, A. Walters, F. Buchholz, D. Xu, Y. Wang, E. Spafford, "Provenance-Aware Tracing of Worm Break-in and Contaminations: A Process Coloring Approach", Proc. of the 26th IEEE International Conference on Distributed Computing Systems, July 2006.
- N. Petroni, T. Fraser, J. Molina, and W. Arbaugh, "Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor," Proc. of the 13th USENIX Security Symposium, August 2004.
White Papers
Talks
- A. Walters, B. Matheny, D. White, "Using Hashing to Improve Volatile Memory Forensic Analysis," American Academy of Forensic Sciences 60th Annual Meeting. Washington, D.C., February 2008.
- A. Walters, "Advanced Volatile Memory Analysis," 2008 Department of Defense Cyber Crime Conference, January 2008.
- A. Walters, "Volatile Memory Analysis," Europol, High Tech Crime Expert Meeting, The Hague, November 2007.
- A. Walters, "Augmenting Digital Investigations with Volatile Memory Analysis," University of Wisconsin-Madison, Lockdown 2007, August 2007.
- A. Walters and N. Petroni, "Volatools: Integrating Volatile Memory Forensics into the Digital Investigation Process," Black Hat DC 2007, February 2007.
- A. Walters "FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory" Digital Forensic Research Workshop: Work In Progress, August 2006.
Related Work
If you have any corrections or additions, please contact us at .
Papers
- B. Carrier and J. Grand, "Hardware-Based Memory Acquisition Procedure for Digital Investigations," Journal of Digital Investigations 1(1), 2004.
- A. Schuster, "Searching for Processes and Threads in Microsoft Windows Memory Dumps", Proceedings of the 2006 Digital Forensic Research Workshop (DFRWS), 2006
- A. Schuster, "Pool Allocations as an Information Source in Windows Memory Forensics," International Conference on IT-Incident Management & IT-Forensics, October 2006.
- J. M. Solomon, "Computer Forensics: The Persistence of Data in Physical Memory," Bachelor of Computer Science Thesis, University of Western Sydney, October 2006.
- J. Kornblum, "Exploiting the Rootkit Paradox with Windows Memory Analysis," International Journal of Digital Evidence, 5(1), Fall 2006.
- J. Kornblum, "Using Every Part of the Buffalo in Windows Memory Analysis," Digital Investigation Journal, January 2007.
- N. P. Maclean, "Acquisition and Analysis of Windows Memory," University of Strathclyde, Glasgow, April 2006.
- J. M. Urrea, "An Analysis of Linux RAM Forensics," Naval Post Graduate School Thesis, March 2006.
- S. Ring and E. Cole, "Volatile Memory Computer Forensics to Detect Kernel-Level Compromise," Information and Communications Security, December 2004.
- C. W. Rose, "Windows Live Incident Response Volatile Data Collection: Non-Disruptive User & System Memory Forensic Acquisition," White Paper, SYTEX, Inc.
- M. Burdach, "Forensic Analysis of a Live Linux System Pt. 1," Security Focus, March 2004.
- M. Burdach, "Forensic Analysis of a Live Linux System, Pt. 2," Security Focus, April 2004.
- S. Stover and M. Dickerson, "Using Memory Dumps in Digital Forensics," Usenix: login, December 2005.
- M. Burdach, "An Introduction to Windows Memory Forensic," July 2005.
- M. Burdach, "Digital Forensics of the Physical Memory," March 2005.
- J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum, "Understanding Data Lifetime via Whole System Simulation," Proc. of the 13th USENIX Security Symposium, August 2004.
- P. Szor, "Memory Scanning Under NT," Proc. of the 9th International Virus Bulletin Conference, Vancouver, Canada, 1999.
- A. Arasteh, "Forensic Memory Analysis: From Stack and Code Execution History," Proceedings of the 2007 Digital Forensic Research Workshop (DFRWS), 2007.
- B. Schatz, "BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software," Proceedings of the 2007 Digital Forensic Research Workshop (DFRWS), 2007.
- B. Dolan-Gavitt, "The VAD Tree: A Process-Eye View of Physical Memory," Proceedings of the 2007 Digital Forensic Research Workshop (DFRWS), 2007.
- J. S. Schultz, "Offline Forensic Analysis Of Microsoft Windows XP Physical Memory," Naval Post Graduate School Thesis, September 2006.
- T. Vidas, "The Acquisition and Analysis of Random Access Memory," Journal of Digital Forensic Practice, Volume 1, Issue 4, December 2006, pages 315-323.
- N. Ruff, "Windows memory forensics," Journal in Computer Virology, November 2007.
- J. Solomon, E. Huebner, D. Bem, and M. Szezynska, "User data persistence in physical memory," Digital Investigation, Volume 4, Issue 2, June 2007, Pages 68-72.
Web Sites
Presentations
- M. Burdach "Physical Memory Forensics," BlackHat USA, August 2006.
- M. Burdach "Finding Digital Evidence in Physical Memory," BlackHat Federal, January 2006.
- T. Vidas, "Forensic Analysis of Volatile Data Stores," The NebraskaCERT Conference, August 2006.
- H. Carvey. "Windows Memory Analysis," DoD Cyber Crime Conference, January 2007.
- T. Goldsmith, "Windows Memory Analysis- Overcoming System Amnesia to Aid the Investigative Process," DoD Cyber Crime Conference, January 2007.
- J. Kornblum, "Recovering Executables from Windows Memory Images," DoD Cyber Crime Conference, January 2007.
- T. Vidas, "Forensic Analysis of Volatile Data Stores," DoD Cyber Crime Conference, January 2007.
- J. Rutkowska, "Beyond The CPU: Defeating Hardware Based RAM Acquisition Tools (Part I: AMD case)," Black Hat DC, February 2007.
- A. Boileau, "Hit by a Bus: Physical Access Attacks with Firewire," Ruxcon 2006.
- D. Bilby, "Low Down and Dirty: Anti-Forensic Rootkits," Ruxcon 2006.
- D. Brezinski and D. Dittrich, "Intruder Discovery / Tracking and Compromise Analysis," Black Hat Las Vegas 2000. (Note: Thanks Dominique for the pointer!)
- T. Vidas, "Post-Mortem RAM Forensics," CanSecWest Applied Security Conference, April 2007.
- J. Butler and K. Kendall, "Blackout: What Really Happened," Black Hat Las Vegas 2007, July 2007.
- datagram, "Live Memory Forensics," Toorcon 9, San Diego, October 2007.
- N. Ruff and M. Suiche, "Enter Sandman (why you should never go to sleep)," PacSec Applied Security Conference, November 2007.
- B. Schatz, "Recent Developments in Volatile Memory Forensics," AusCERT Computer Security Day, Brisbane, December 2007.
- R. Branco and D. Montanaro, "KIDS - Kernel Intrusion Detection System," Hack In The Box, Dubai, April 2007.
- E. Batchev, "Solaris Kernel Dissection For Forensics and Fun," 22nd TF-CSIRT, Porto, Portugal, September 2007.
Projects
Images
Books
Legal
- Columbia Pictures et al. v. Justin Bunneli, CV 06-1093
- MDY Industries, LLC, v. Blizzard Entertainment et al., 2-06-cv-02555-PHX-DGC
Copyright © 2006,2007,2008. All rights reserved.