The Forensic Analysis Toolkit (FATKit) is a new cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. The framework is intended for researchers, law enforcement professionals, and forensics analysts who are interested in extracting and interpreting relevant information in the wake of a crime or incident. FATKit was developed in response to a growing trend in the development of offense-oriented frameworks (e.g., penetration/exploitation, rootkits, worms). As a result of this coordinated development, the sophistication of methods and the accessibility of knowledge in the offensive community have continued to grow unabated. Many of these technologies have begun to focus on anti-forensics techniques, such as leveraging the complexities associated with physical memory analysis.
FATKit automates the extraction and visualization of digital objects found in physical memory, thereby freeing the forensic analyst from the tedious aspects of low-level data extraction. FATKit was designed to facilitate the extraction, analysis, aggregation, and visualization of forensic data at various levels of abstraction and data complexity. The framework also includes tools to automate the development of forensic profiles for applications, from web browsers to the operating system kernel. Additionally, as development continues, FATKit will be augmented to include a set of tools and techniques to facilitate case management.
The FATKit framework currently includes modules for virtual address space reconstruction, virtual to physical address translation, and visualization. The framework employs a number of visualization and data mining techniques to improve analysis and facilitate searching through large amounts of data.
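The virtual-to-physical translation that such a module performs, shown as an added example (not FATKit's own code): a hypothetical X86AddressSpace walks the two-level, non-PAE x86 page tables of a raw physical image, handles non-present entries and 4 MB large pages, and reads through the reconstructed virtual view page by page. The image and its page tables are constructed inline for the demonstration.

```python
import struct

PAGE_SIZE = 0x1000
ENTRY_SIZE = 4  # 32-bit x86, non-PAE: 4-byte page directory / page table entries


class X86AddressSpace:
    """Walk the two-level x86 (non-PAE) page tables in a raw physical memory
    image. Hypothetical illustration, not FATKit's own address space module."""

    def __init__(self, physical_image: bytes, cr3: int):
        self.mem = physical_image
        self.pgd_base = cr3 & 0xFFFFF000  # page directory base, bits 31:12 of CR3

    def vtop(self, vaddr: int):
        """Return the physical address for vaddr, or None when it is unmapped."""
        pde_off = self.pgd_base + ((vaddr >> 22) & 0x3FF) * ENTRY_SIZE
        pde = struct.unpack_from("<I", self.mem, pde_off)[0]
        if not pde & 0x1:                       # present bit clear: unmapped
            return None
        if pde & 0x80:                          # PS bit set: 4 MB large page
            return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
        pte_off = (pde & 0xFFFFF000) + ((vaddr >> 12) & 0x3FF) * ENTRY_SIZE
        pte = struct.unpack_from("<I", self.mem, pte_off)[0]
        if not pte & 0x1:
            return None
        return (pte & 0xFFFFF000) | (vaddr & 0xFFF)

    def read(self, vaddr: int, length: int):
        """Read through the virtual view page by page; None if any page is unmapped."""
        out = bytearray()
        while length > 0:
            paddr = self.vtop(vaddr)
            if paddr is None:
                return None
            chunk = min(length, PAGE_SIZE - (vaddr & 0xFFF))  # stop at page boundary
            out += self.mem[paddr:paddr + chunk]
            vaddr, length = vaddr + chunk, length - chunk
        return bytes(out)


def build_sample_image() -> bytes:
    """Constructed 16 KB image (not a real capture): page directory at 0x0000,
    one page table at 0x1000, and a data page at 0x2000."""
    mem = bytearray(4 * PAGE_SIZE)
    struct.pack_into("<I", mem, 0x0000 + 0 * ENTRY_SIZE, 0x1000 | 0x3)     # PDE[0] -> page table
    struct.pack_into("<I", mem, 0x0000 + 1 * ENTRY_SIZE, 0x400000 | 0x83)  # PDE[1]: 4 MB identity page
    struct.pack_into("<I", mem, 0x1000 + 5 * ENTRY_SIZE, 0x2000 | 0x3)     # PTE[5]: 0x5000 -> 0x2000
    mem[0x2000:0x2006] = b"FATKit"
    return bytes(mem)
```

Real captures carry the directory base in each process's kernel task structure, which is where a profile-based type system (see below) comes in; CR3 is set to 0 here only because the constructed image places the page directory at offset zero.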
The first release of FATKit is expected to include the following useful features:
Architecture and Operating System Support
- Support for x86-based virtual address spaces and native data types.
- Linux- and Windows-specific kernel analyses including process/task enumeration, module enumeration, and memory-resident malicious code detection.
Automation, Reuse, and Extensibility
- Profile-based type system allows low-level types to be mapped to higher-level constructs and distributed for various software builds.
- Automated profile generation tools allow for the extraction of low-level object formats when source code is available.
- Scriptable analysis modules allow analysts to easily implement specialized or proprietary extraction techniques using a high-level language, rather than hand-coded routines.
- Modular design allows for the easy extension to new architectures and operating systems.
- Object Browser: The FATKit Object Browser enables analysts to interpret binary memory objects at the level of abstraction of the source code’s high-level language. With current support for applications that are written in the C programming language, the browser allows analysts to expand and collapse in-memory objects and their nested fields, follow pointers, and cast objects to other data formats.
- Address Space Viewer: The FATKit Address Space Viewer allows analysts to visualize data as it appears in a particular virtual or physical address space. The current feature set includes color-coded objects, hexadecimal and ASCII data representations, and support for overlaying symbol names and analyst notes at particular offsets. The Address Space Viewer is also integrated with the Object Browser to allow for multiple, consistent views of the same low-level data.