Volatile memory forensics for the Robot Operating System

TL;DR

This paper introduces a novel volatile memory forensic tool tailored for the Robot Operating System, enabling detection of specific cyber-attacks and aiding in robotic incident investigations.

Contribution

It presents a new ROS-specific Volatility plugin and demonstrates its effectiveness in detecting attack patterns in robotic volatile memory.

Findings

The linux_rosnode plugin can detect ROS node unregistration attacks.

The forensic techniques help identify malicious activities in robotic memory.

The approach facilitates robotic incident analysis and prevention.

Abstract

The increasing impact of robotics on industry and on society will unavoidably lead to the involvement of robots in incidents and mishaps. In such cases, forensic analyses are key techniques to provide useful evidence on what happened, and try to prevent future incidents. This article discusses volatile memory forensics for the Robot Operating System (ROS). The authors start by providing a general overview of forensic techniques in robotics and then present a robotics-specific Volatility plugin named linux_rosnode, packaged within the ros_volatility project and aimed to extract evidence from robot's volatile memory. They demonstrate how this plugin can be used to detect a specific attack pattern on ROS, where a publisher node is unregistered externally, leading to denial of service and disruption of robotic behaviors. Step-by-step, common practices are introduced for performing forensic analysis and several techniques to capture memory are described. The authors finalize by introducing some future remarks while providing references to reproduce their work.