SANS Digital Forensics and Incident Response Blog

The future of digital forensics

The concept behind the Memristor has been around for a long time, but they are only now starting to be built. HP's recent breakthroughs in this long touted technology will radically change the face of computing in the years to come, allowing Moore's law to continue and accelerating the advance of storage and memory space. Memristors combine several advantages of memory and disk based storage into a single unit. Basically, think of combining a flash hard drive and DRAM into one package.

Great, new tech, but how does this really impact forensics and security?

The answer is mind blowing when you think about it. Not only will the fundamentals of computational theory change when long term and short term memory start to combine; but memory will become static.

What occurs when you pull the power cord on your computer now? Now think what if the computer state remains the same (like a super-hibernate)? Think of memory forensics — this will be the norm as all storage will be memory.

This really comes into play when you consider the new tools that are starting to be released. Memoryze (from Mandiant) is a free (and yet) advanced memory tool. Mandiant has a set of Cases and Examples that details everything from digital forensics and IR (incident response) to RE (reverse engineering) and Malware Analysis. This is what we need to start thinking of in digital analysis. Memory analysis is the path of the future.

In a few years time when Memristors are available commercially, the common issues with pulling the plug will all but disappear leaving a future of memory analysis. The real power of combined forensics will come from being able to treat programs that have run as files. On top of this, carving out a running process will be a common task that provides the examiner with the allocated portions of the heap and execution stack, loaded DLLs, drivers, network packets, keystrokes and even kernel activity.

We still have a few years — HP plans to offer these commercially by 2012 and some believe that these devices will replace the existing paradigms between 2014-2016. This may be a while, but things move quickly. Blink and say hello to tomorrow...

Craig Wright, GFCA Gold #0265, is an author, auditor and forensic analyst. He has nearly 30 GIAC certifications, several post-graduate degrees and is one of a very small number of people who have successfully completed the GSE exam.

1 Comments

Posted November 18, 2008 at 5:20 PM | Permalink | Reply

johnhsawyer

Mandiant's tool is memoryze with a "y".