Title: Treasure and tragedy in kmem_cache mining for live forensics investigation

Abstract: This paper presents the first deep investigation of the kmem_cache facility in Linux from a forensics perspective. The kmem_cache is used by the Linux kernel to quickly allocate and deallocate kernel structures associated with processes, files, and the network stack. Our focus is on deallocated information that remains in the cache, and the major contribution of this paper is to illustrate what forensically relevant information can be retrieved from the kmem_cache and what information is definitively not retrievable. We show that the kmem_cache contains a wealth of digital evidence, much of which was either previously unavailable or difficult to obtain, requiring ad hoc methods for extraction. Previously executed processes, memory mappings, sent and received network packets, NAT translations, accessed file system inodes, and more can all be recovered through examination of the kmem_cache contents. We also discuss portable methods for erasing this information, to ensure that private data is no longer recoverable.
Year: 2010
DOI: 10.1016/j.diin.2010.05.006
Venue: Digital Investigation: The International Journal of Digital Forensics & Incident Response
Keywords: accessed file system inodes, network packet, kmem_cache facility, kmem_cache mining, deallocate kernel structure, kmem_cache content, relevant information, live forensics investigation, deep investigation, deallocated information, nat translation, linux kernel
DocType: Journal
Volume: 7
Issue: SUPnan
ISSN: Digital Investigation
Citations: 8
PageRank: 1.07
References: 7
Authors: 4

Authors (Name, Order, Citations, PageRank):
Andrew Case             1   138   11.36
Lodovico Marziale       2   214   15.10
Cris Neckar             3     8    1.07
Golden G. Richard, III  4   163   13.42