Live Acquisition Dissertation Help

(@tmcshee)
Posts: 4
New Member
Topic starter
 

I am doing a project for my dissertation which revolves around live acquisition. I have been inserting the string 'monkey spanner wrench' into RAM 10000 times and acquiring it after differing time intervals. The aim of the investigation is to determine whether live acquisition is relevant after certain amounts of time.

The process starts with the computer being powered on. I insert the string of text by copying it from a file (which isn't present on the computer's HDD but is on an external device) and then closing the text file. I leave the computer for 0 mins - 12 hours and acquire the RAM. After each acquisition the computer is shut down (not restarted) and powered back on, and the process is repeated.

I am doing the investigation across Windows 7, OS X 10.8.6 and Ubuntu 12.04.4. Currently I have only completed the acquisition for the Windows system and am in the process of OS X. My results for Windows are as follows (the computer's idle time is on the left and search hits on the right).

Windows 7
0 Mins - 38586 Hits
10 Mins - 16859 Hits
20 Mins - 22863 Hits
40 Mins - 15524 Hits
1 Hour - 38399 Hits
2 Hours - 18593 Hits
4 Hours - 21824 Hits
8 Hours - 21494 Hits
12 Hours - 23054 Hits

OS X
0 Mins - 101162 Hits
10 Mins - 91682 Hits
20 Mins - 68977 Hits
40 Mins - 104969 Hits
1 Hour - 88758 Hits
2 Hours - 41331 Hits
I haven't finished the remaining tests as of yet.

My question is, how is the data in RAM multiplying like this, when there were originally 10000 copies of the string 'monkey spanner wrench' inserted?

My project supervisor and I believe it could be due to the paging process, however the page files all have 0 Hits for the string.

Any help would be appreciated.

 
Posted : 13/03/2014 3:06 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Not enough data to compute.

I insert the string of text by copying it from a file (which isn't present on the computers HDD but is on an external device) and then closing the text file.

How EXACTLY are you doing this? (on the Windows)
I mean like opening the .txt file on the external device (with Notepad), opening a new instance of Notepad, selecting the whole contents of the first window, then copy->paste on the second (empty) Notepad window?
Then is this second instance of Notepad left open?
Is the clipboard cleared?

How EXACTLY are you acquiring the RAM?
How EXACTLY are you carving it for the string?
WHICH EXACT services are run during the "waiting time"?
Are you making (how?) a log of these processes activities?

etc., etc.

jaclaz

 
Posted : 13/03/2014 3:37 pm
(@tmcshee)
Posts: 4
New Member
Topic starter
 

I open the text file from my external hard drive, cut the contents and close the text file without saving. The copied data is not pasted into any new file. The clipboard data is cleared when the computer is shut down.

I am using AccessData FTK Imager to acquire the RAM and Pagefile at the same time and using Encase to run a key word search over the files. There are no processes running on the machine that I have initiated, only background processes running on the machine.

There is no log of process activities because I am not initiating any processes myself.

 
Posted : 13/03/2014 3:47 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

JFYI, the answer to the question

How EXACTLY are you doing this? (on the Windows)
I mean like opening the .txt file on the external device (with Notepad), opening a new instance of Notepad, selecting the whole contents of the first window, then copy->paste on the second (empty) Notepad window?
Then is this second instance of Notepad left open?

is not

I open the text file from …

Are you using Notepad or another program?

The clipboard data is cleared when the computer is shut down.

I.e. it is not cleared.

I am using AccessData FTK Imager to acquire the RAM and Pagefile at the same time and using Encase to run a key word search over the files.

Good. )

There are no processes running on the machine that I have initiated, only background processes running on the machine.

There is no log of process activities because I am not initiating any processes myself.

Well, the fact that you did not initiate them doesn't mean that any number of processes (initiated by the system) are not running in the background, and those may depend on a number of settings, on the software that was installed to that machine, etc., etc.
Just as an example, not necessarily related, Windows 7, roughly once a week, will defragment the filesystem or however check it.

Now back to the original issue, have you checked the contents of the clipboard after having "cut" the text?
This tool is suited for this
http://www.nirsoft.net/utils/inside_clipboard.html

If I write (once) "monkey spanner wrench" in Notepad (on Windows XP) and then copy it to the clipboard, Inside Clipboard viewer shows me 3 (three) instances of the text, respectively
CF_TEXT
CF_OEMTEXT
CF_UNICODETEXT

It is entirely possible that Windows 7 (or the program you are using, be it Notepad or other) adds a 4th instance, that would make the "base" reference 40000. ?

jaclaz

 
Posted : 13/03/2014 4:20 pm
(@tmcshee)
Posts: 4
New Member
Topic starter
 

Sorry for being vague. I downloaded the program; it shows CF_TEXT, CF_OEMTEXT and CF_UNICODETEXT. This would explain the apparent duplication of the results.

Also, would you be able to shed some light on why the search hits are decreasing and increasing in what appears to be a pattern? I would have thought the amount of hits would stay the same or slowly decrease over time.

 
Posted : 13/03/2014 4:32 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Also, would you be able to shed some light on why the search hits are decreasing and increasing in what appears to be a pattern? I would have thought the amount of hits would stay the same or slowly decrease over time.

Not really, but I may suggest you use a different string.

I would use a tool to have an idea of where exactly in RAM the data goes
http://technet.microsoft.com/en-us/sysinternals/ff700229.aspx
may probably do ?

Or a hex/Ram editor or debugger.

And use an "indexed" string, *like*
0000monkeyspannerwrench0000
0001monkeyspannerwrench1000
0002monkeyspannerwrench2000
….
2FFFmonkeyspannerwrenchFFF2

This would give you 3 sets of 4096 repeated strings or 48 sets of 256 repeated strings, which may help you to understand which strings are where and which ones are actually deleted/overwritten.

I know that you can do a binary compare of the memory shots, but I believe you may gather "better" data with an "indexed" approach.

jaclaz

 
Posted : 13/03/2014 5:45 pm
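As an added example (not part of the thread, and not jaclaz's or AccessData's code), here is a Python sketch of the indexed-marker approach described above: it generates markers in the `0000monkeyspannerwrench0000` layout (index as four hex digits, then the same digits reversed) and scans a memory image for them, attributing each hit to an index and to an encoding, since CF_TEXT/CF_OEMTEXT copies are single-byte while CF_UNICODETEXT copies are UTF-16LE. The sample image is constructed inline, and the function names are my own.

```python
import re
from collections import Counter

BASE = "monkeyspannerwrench"

def indexed_marker(i: int) -> str:
    """Layout from the thread: 4 hex digits, base text, the same digits reversed."""
    h = f"{i:04X}"
    return f"{h}{BASE}{h[::-1]}"

def generate_markers(count: int = 0x3000) -> list:
    """Full set to paste once: 0000... through 2FFF... (12288 markers)."""
    return [indexed_marker(i) for i in range(count)]

# CF_TEXT/CF_OEMTEXT leave single-byte copies; CF_UNICODETEXT leaves UTF-16LE ones.
_ASCII_RE = re.compile(rb"([0-9A-F]{4})" + BASE.encode() + rb"([0-9A-F]{4})")
_UTF16_RE = re.compile(rb"((?:[0-9A-F]\x00){4})" + BASE.encode("utf-16-le")
                       + rb"((?:[0-9A-F]\x00){4})")

def scan_image(image: bytes) -> dict:
    """Hits per index and encoding; a suffix that is not the reversed prefix counts as corrupt."""
    res = {"ascii": Counter(), "utf16": Counter(), "corrupt": 0}
    for key, rx, enc in (("ascii", _ASCII_RE, "ascii"), ("utf16", _UTF16_RE, "utf-16-le")):
        for m in rx.finditer(image):
            pre, suf = m.group(1).decode(enc), m.group(2).decode(enc)
            if suf == pre[::-1]:
                res[key][int(pre, 16)] += 1
            else:
                res["corrupt"] += 1  # partly overwritten marker, not attributable
    return res

def missing_indices(res: dict, expected: int) -> list:
    """Indices with no surviving copy in any encoding."""
    return sorted(set(range(expected)) - set(res["ascii"]) - set(res["utf16"]))

def build_sample_image() -> bytes:
    """Constructed stand-in for a RAM dump (not a real capture): indices 0-4 twice in
    ASCII and once in UTF-16LE, minus index 3 and index 2's UTF-16 copy, plus a damaged one."""
    chunks = [b"\x00" * 16]
    for i in range(5):
        mk = indexed_marker(i)
        if i == 3:
            chunks.append(b"\xff" * (3 * len(mk)))  # index 3 wholly overwritten
            continue
        chunks += [mk.encode(), b"\r\n", mk.encode(), b"\x00" * 8]
        if i != 2:
            chunks += [mk.encode("utf-16-le"), b"\x00\x00"]
    chunks.append(b"0007" + BASE.encode() + b"0000")  # damaged suffix
    return b"".join(chunks)
```

Run `scan_image` over a real FTK Imager dump read as bytes to get per-index survival counts, which is the "which strings are where and which are overwritten" breakdown a plain keyword count cannot give.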
(@tmcshee)
Posts: 4
New Member
Topic starter
 

Thanks for the help D

I'll give it a go!

 
Posted : 13/03/2014 6:02 pm