As if Time Had Stopped -- Checking Memory Dumps for Quasi-Instantaneous Consistency

TL;DR

This paper introduces a method to measure and evaluate the quasi-instantaneous consistency of memory dumps taken from live systems, highlighting that such dumps are often not perfectly consistent in practice.

Contribution

The paper presents a novel method for assessing quasi-instantaneous consistency in memory dumps, combining theoretical validation with practical evaluation.

Findings

Memory dumps often contain inconsistencies like page smearing.

The proposed method can accurately measure quasi-instantaneous consistency.

In practice, most memory dumps are not truly quasi-instantaneously consistent.

Abstract

Memory dumps that are acquired while the system is running often contain inconsistencies like page smearing which hamper the analysis. One possibility to avoid inconsistencies is to pause the system during the acquisition and take an instantaneous memory dump. While this is possible for virtual machines, most systems cannot be frozen and thus the ideal dump can only be quasi-instantaneous, i.e., consistent despite the system running. In this article, we introduce a method allowing us to measure quasi-instantaneous consistency and show both, theoretically, and practically, that our method is valid but that in reality, dumps can be but usually are not quasi-instantaneously consistent. For the assessment, we run a pivot program enabling the evaluation of quasi-instantaneous consistency for its heap and allowing us to pinpoint where exactly inconsistencies occurred.