Memory Forensic and Analysis: Intel Architectures, Ics-fmsis-nda Presentation

Slides from ICS-FMSIS-NDA about Memory Forensic and Analysis. The PDF explores memory structures, data organization, and the Intel 32-bit and 64-bit architectures, including page management and the Interrupt Descriptor Table. This computer science material is suitable for university students.

58 Pages

ICS-FMSIS-NDA
MEMORY FORENSIC AND ANALYSIS
MFS 826
PRESENTER: MR SAIFULLAHI SADI SHITU
2/23/2024 MFS 826 (Memory Forensic and Analysis)

Objectives

  • Overview of memory structures and data organization;
  • PC Architecture
  • Intel 32-bit architecture
  • Intel 64-bit architecture

Overview of Memory Structures and Data Organization

  • Within the context of a digital environment, the underlying hardware ultimately dictates the constraints of what a particular system can do.
  • In the digital environment, the underlying hardware specifies the instructions that can be executed and the resources that can be accessed.
  • Investigators who can identify the unique hardware components of a system and the impact those components can have on analysis are in the best position to conduct an effective investigation.

Overview of Memory Structures and Data Organization (Cont ...)

  • On most platforms, the hardware is accessed through a layer of software called an operating system, which controls processing, manages resources, and facilitates communication with external devices.
  • Operating systems must deal with the low-level details of the particular processor, devices, and memory hardware installed in a given system.

PC Architecture and Memory Forensics

  • Digital investigators who are interested in memory forensics should equip themselves with knowledge of the basics of hardware architecture in a personal computer (PC).
  • The nomenclature associated with Intel-based systems is used throughout. It is important to note that the terminology has changed over time, and implementation details are constantly evolving to improve cost and performance. Although the specific technologies might change, the primary functions these components perform remain the same.

Physical Organization of a PC

  • A PC is composed of printed circuit boards that interconnect various components and provide connectors for peripheral devices. The main board within this type of system, the motherboard, provides the connections that enable the components of the system to communicate.
  • These communication channels are typically referred to as computer buses. This section highlights the components and buses that an investigator should be familiar with. The figure on slide 7 illustrates how the different components are typically organized.

Memory Structures and Data Organization Diagram

Figure (slide 7): typical organization of PC components. Labels recovered from the diagram, grouped by the block they appear in:

  • Processor: processor core(s), memory management unit (MMU), TLB, cache memory
  • Northbridge (memory controller hub): front side bus to the processor, memory bus to main memory, PCI Express/AGP to the video card, DMI/A-Link to the southbridge
  • Southbridge (I/O controller hub): Ethernet controller, disk controller, DMA controller, USB controller, interrupt controller, PCI/PCIe bridge, FireWire card (PCI)

CPU and MMU Components

  • The two most important components on the motherboard are the processor, which executes programs, and the main memory, which temporarily stores the executed programs and their associated data.
  • The processor is commonly referred to as the central processing unit (CPU). The CPU accesses main memory to obtain its instructions and then executes those instructions to process the data.

CPU and MMU (Cont ...) - Caches

  • Reading from main memory is often dramatically slower than reading from the CPU's own memory. As a result, modern systems leverage multiple layers of fast memory, called caches, to help offset this disparity. Each level of cache (L1, L2, and so on) is relatively slower and larger than its predecessor.
  • In most systems, these caches are built into the processor and each of its cores. If data is not found within a given cache, the data must be fetched from the next level cache or main memory.

CPU and MMU (Cont ...) - Address Translation

  • The CPU relies on its memory management unit (MMU) to help find where the data is stored. The MMU is the hardware unit that translates the address that the processor requests to its corresponding address in main memory. The data structures for managing address translation are also stored in main memory.
  • Because a given translation can require multiple memory read operations, the processor uses a special cache, known as the translation lookaside buffer (TLB), for the MMU translation table. Prior to each memory access, the TLB is consulted before asking the MMU to perform a costly address translation operation.
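The two bullets above describe the mechanism in words; the simulation below is an added example (not code from the slides) that makes the cost visible. It models the classic Intel 32-bit two-level layout (10-bit directory index, 10-bit table index, 12-bit offset, 4-byte entries), keeps the page directory and page table in simulated physical memory as the text says, and counts every memory read so a TLB hit (no table reads) can be compared with a TLB miss (two table reads). All frame numbers and the single mapped page are constructed values, not taken from any real system.

```python
"""Simulated x86 32-bit two-level address translation with a TLB (added example)."""
import struct

PAGE_SIZE = 4096
ENTRY_SIZE = 4    # a page-directory or page-table entry is 4 bytes on 32-bit x86
PRESENT = 0x1     # bit 0 of an entry: the entry is valid


class PhysicalMemory:
    """Physical memory modelled as a dict of frame number -> 4 KiB bytearray."""

    def __init__(self):
        self.frames = {}
        self.reads = 0    # every 4-byte read from memory is counted

    def frame(self, n):
        return self.frames.setdefault(n, bytearray(PAGE_SIZE))

    def read32(self, paddr):
        self.reads += 1
        f, off = divmod(paddr, PAGE_SIZE)
        return struct.unpack_from("<I", self.frame(f), off)[0]

    def write32(self, paddr, value):
        f, off = divmod(paddr, PAGE_SIZE)
        struct.pack_into("<I", self.frame(f), off, value)


class MMU:
    """Walks the translation tables stored in physical memory; caches results in a TLB."""

    def __init__(self, mem, cr3_frame):
        self.mem = mem
        self.cr3 = cr3_frame * PAGE_SIZE   # physical base of the page directory
        self.tlb = {}                       # virtual page number -> physical frame base
        self.tlb_hits = 0
        self.tlb_misses = 0

    def translate(self, vaddr):
        vpn = vaddr >> 12
        offset = vaddr & 0xFFF
        if vpn in self.tlb:                 # TLB consulted before any table walk
            self.tlb_hits += 1
            return self.tlb[vpn] | offset
        self.tlb_misses += 1
        dir_idx = (vaddr >> 22) & 0x3FF
        tbl_idx = (vaddr >> 12) & 0x3FF
        pde = self.mem.read32(self.cr3 + dir_idx * ENTRY_SIZE)       # memory read 1
        if not pde & PRESENT:
            raise LookupError(f"page directory entry {dir_idx:#x} not present")
        pt_base = pde & ~0xFFF
        pte = self.mem.read32(pt_base + tbl_idx * ENTRY_SIZE)        # memory read 2
        if not pte & PRESENT:
            raise LookupError(f"page table entry {tbl_idx:#x} not present")
        frame_base = pte & ~0xFFF
        self.tlb[vpn] = frame_base          # remember the translation for next time
        return frame_base | offset


def build_demo():
    """Constructed layout: directory in frame 0x100, one table in frame 0x101,
    virtual page 0x00401000 mapped to physical frame 0x2A5."""
    mem = PhysicalMemory()
    mem.write32(0x100 * PAGE_SIZE + 1 * ENTRY_SIZE, (0x101 * PAGE_SIZE) | PRESENT)  # PDE[1]
    mem.write32(0x101 * PAGE_SIZE + 1 * ENTRY_SIZE, (0x2A5 * PAGE_SIZE) | PRESENT)  # PTE[1]
    return mem, MMU(mem, 0x100)


def demo():
    mem, mmu = build_demo()
    result = {}
    result["first_pa"] = mmu.translate(0x00401ABC)      # TLB miss: walk costs 2 reads
    result["reads_after_first"] = mem.reads
    result["second_pa"] = mmu.translate(0x00401F00)     # same page: TLB hit, 0 reads
    result["reads_after_second"] = mem.reads
    try:
        mmu.translate(0x00802000)                       # unmapped: PDE[2] is 0
        result["unmapped"] = "translated"
    except LookupError:
        result["unmapped"] = "not present"
    result["reads_after_unmapped"] = mem.reads          # only the PDE read happened
    result["tlb_hits"] = mmu.tlb_hits
    result["tlb_misses"] = mmu.tlb_misses
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:#x}" if isinstance(v, int) else f"{k}: {v}")
```

Two memory reads per translation is the 32-bit two-level cost; a 64-bit four-level walk would be four, which is why the TLB matters even more there. The same walk, run against a captured memory image with the directory base taken from the process's CR3 value, is how a forensic tool reconstructs a process's virtual address space.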

North and Southbridge Functionality

  • The CPU relies on the memory controller to manage communication with main memory. The memory controller is responsible for mediating potentially concurrent requests for system memory from the processor(s) and devices.
  • The memory controller can be implemented on a separate chip or integrated within the processor itself. On older PCs, the CPU connected to the northbridge (memory controller hub) using the front-side bus, and the northbridge connected to main memory via the memory bus.

North and Southbridge (Cont ...) - Modern Systems

  • Devices (for example, network cards and disk controllers) were connected via another chip, called the southbridge or input/output controller hub, which had a single shared connection to the northbridge for access to memory and the CPU.
  • To improve performance and reduce the costs of newer systems, most capabilities associated with the memory controller hub are now integrated into the processor. The remaining chipset functionality, previously implemented in the southbridge, is concentrated on a chip known as the platform controller hub.

Direct Memory Access (DMA)

  • To improve overall performance, most modern systems provide I/O devices the capability to directly transfer data stored in system memory without processor intervention. This capability is called direct memory access (DMA).
  • Before DMA was introduced, the CPU would be fully consumed during I/O transfers and often acted as an intermediary. In modern architectures, the CPU can initiate a data transfer and allow a DMA controller to manage the data transfer, or an I/O device can initiate a transfer independent of the CPU.

Direct Memory Access (Cont ...) - Memory Forensics Impact

  • Besides its obvious impact on system performance, DMA also has important ramifications for memory forensics. It provides a mechanism to directly access the contents of physical memory from a peripheral device without involving the untrusted software running on the machine.
  • For example, the PCI bus supports devices that act as bus masters, which means they can request control of the bus to initiate transactions. As a result, a PCI device with bus master functionality and DMA support can access the system's memory without involving the CPU.

Direct Memory Access (Cont ...) - IEEE 1394 Interface

  • Another example is the IEEE 1394 interface, commonly referred to as FireWire. The IEEE 1394 host controller chip provides a peer-to-peer serial expansion bus intended for connecting high-speed peripheral devices to a PC. Although the IEEE 1394 interface is typically found natively only on higher-end systems, you can add the interface to both desktops and laptops using expansion cards.

Volatile Memory (RAM)

  • The main memory of a PC is implemented with random access memory (RAM), which holds the code and data that the processor is actively accessing and storing.
  • In contrast with sequential access storage typically associated with disks, random access refers to the characteristic of having a constant access time regardless of where the data is stored on the media.

Volatile Memory (RAM) (Cont ...) - Characteristics

  • The main memory in most PCs is dynamic RAM (DRAM). It is dynamic because it leverages the difference between a charged and discharged state of a capacitor to store a bit of data. For the capacitor to maintain this state, it must be periodically refreshed, a task that the memory controller typically performs.
  • RAM is considered volatile memory because it requires power for the data to remain accessible. Thus, except in the case of cold boot attacks, after a PC is powered down, the volatile memory is lost. This is the main reason why the "pull the plug" incident response tactic is not recommended if you plan to preserve evidence regarding the system's current state.
