SAM: A Mechanism to Facilitate Smear-Aware Forensic Analysis of Volatile System Memory

Page smear is a phenomenon that occurs when a system's volatile memory dump is obtained in a non-atomic manner; it's more common in systems with a lot of RAM and different workloads. It has a considerable impact on the quality and reliability of the forensic artifacts obtained, as well as the analysis of such snapshots. We present SAM, a timeline-based page table state information collection mechanism that enables a reliable memory analysis. It facilitates visualizing inconsistencies in the page table data structure and provides the investigator with a reliable source of page table information to deal with the inconsistent values.