Abstract
This paper adopts a method to retrieve graphic data stored in the global memory of an NVIDIA GPU. Experimentation shows that a 24-bit TIFF-formatted graphic can be retrieved from the GPU in a forensically sound manner. However, as with other types of Random Access Memory, the acquired data cannot be verified because GPU memory is volatile. In this work a Color Pattern Map Test is proposed to reveal the relationship between a graphic and its GPU memory organization. The mapping arrays derived from such testing can be used to visually restore graphics stored in the GPU memory. The described ‘photo tests’ and ‘redo tests’ demonstrate that it is possible to visually restore a graphic from the data stored in GPU memory. While initial results are promising, more work is still needed to determine whether such methods of data acquisition within GPU memory can be considered forensically sound.
© 2015 Institute for Computer Sciences, Social informatics and Telecommunication Engineering
Cite this paper
Zhang, Y., Yang, B., Rogers, M., Hansen, R.A. (2015). Forensically Sound Retrieval and Recovery of Images from GPU Memory. In: James, J., Breitinger, F. (eds) Digital Forensics and Cyber Crime. ICDF2C 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 157. Springer, Cham. https://doi.org/10.1007/978-3-319-25512-5_5
DOI: https://doi.org/10.1007/978-3-319-25512-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25511-8
Online ISBN: 978-3-319-25512-5
eBook Packages: Computer Science (R0)