Seminar Paper - Reconstructing Java Objects from Virtual Machine Memory Dumps

In the context of the Cloud Computing seminar at the University of Passau, I tried to reconstruct Java objects from virtual machine (VM) memory dumps. The results are summarized in this paper.

Abstract

Interest in the forensic analysis of RAM has grown recently. RAM holds the most recently accessed data, which is moreover often unencrypted. Since data such as variable values of Java programs may be of interest to forensic examiners, the volatile memory first has to be persisted by taking a snapshot. In this work a memory dump is created on a Linux VM while a custom Java program is running. Further, approaches to acquiring memory dumps remotely from a second VM on the same hypervisor are presented. The methods used for local memory acquisition are the debugger GDB and the system's ability to create crash dumps. The remote dumping approaches failed, as no dump files suitable for further processing could be generated. In the second step, the reconstruction of Java objects is done on the basis of a previously generated core dump file. First, the core dump is converted to the HPROF binary format, which contains the objects of the heap. Afterwards, the actual variable values could be extracted with Oracle's JHAT heap analysis tool.
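As an added illustration of the reconstruction step (example code written for this page, not code from the paper), the following Python script reads the HPROF format that the core dump is converted into and decodes one instance's field values by combining the CLASS DUMP, INSTANCE DUMP and PRIMITIVE ARRAY DUMP sub-records of a heap dump segment. In practice the conversion the abstract refers to is done with the JDK's jmap tool pointed at the core file together with the java executable; the abstract itself does not name the tool. The HPROF stream below is constructed inline rather than taken from a real JVM, and the class name 'Example' and its fields counter, flag and data are made up. The reader handles the sub-record types just named plus the common GC-root records and stops with an error on anything else (object arrays, for instance), so it shows the core of the format rather than replacing JHAT.

```python
import struct

# HPROF "basic type" tags used in CLASS DUMP and PRIMITIVE ARRAY DUMP sub-records:
# 2 = object reference, 4 boolean, 5 char, 6 float, 7 double, 8 byte, 9 short, 10 int, 11 long.
TYPE_OBJECT = 2
PRIM_SIZES = {4: 1, 5: 2, 6: 4, 7: 8, 8: 1, 9: 2, 10: 4, 11: 8}
PRIM_FMT = {4: "?", 5: "H", 6: "f", 7: "d", 8: "b", 9: "h", 10: "i", 11: "q"}
# GC-root sub-records: tag -> (number of IDs, extra fixed bytes). They carry no field data and are skipped.
ROOTS = {0xFF: (1, 0), 0x01: (2, 0), 0x02: (1, 8), 0x03: (1, 8), 0x04: (1, 4),
         0x05: (1, 0), 0x06: (1, 4), 0x07: (1, 0), 0x08: (1, 8)}


class HprofReader:
    """Minimal HPROF 1.0.2 reader: string table, class loads, class/instance/primitive-array dumps."""

    def __init__(self, data):
        self.data, self.pos = data, 0
        self.strings = {}        # string id -> text
        self.class_names = {}    # class object id -> string id of its name
        self.classes = {}        # class object id -> (superclass id, [(field name id, type tag)])
        self.instances = {}      # object id -> (class object id, raw field bytes)
        self.prim_arrays = {}    # array id -> bytes (for byte[]) or list of values
        end = data.index(b"\0")                  # header: NUL-terminated version string
        self.version = data[:end].decode()
        self.pos = end + 1
        self.id_size = self.u4()                 # 4 or 8 bytes per object ID
        self.id_fmt = ">Q" if self.id_size == 8 else ">I"
        self.timestamp_ms = self.u8()

    def _unpack(self, fmt):
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def u1(self): return self._unpack(">B")
    def u2(self): return self._unpack(">H")
    def u4(self): return self._unpack(">I")
    def u8(self): return self._unpack(">Q")
    def read_id(self): return self._unpack(self.id_fmt)

    def skip_value(self, ty):
        self.pos += self.id_size if ty == TYPE_OBJECT else PRIM_SIZES[ty]

    def parse(self):
        """Walk the top-level records: u1 tag, u4 time delta, u4 body length, body."""
        while self.pos < len(self.data):
            tag, _usec, length = self.u1(), self.u4(), self.u4()
            end = self.pos + length
            if tag == 0x01:                                  # UTF8 string
                sid = self.read_id()
                self.strings[sid] = self.data[self.pos:end].decode("utf-8")
            elif tag == 0x02:                                # LOAD CLASS
                _serial, cls_id, _trace, name_id = self.u4(), self.read_id(), self.u4(), self.read_id()
                self.class_names[cls_id] = name_id
            elif tag in (0x0C, 0x1C):                        # HEAP DUMP / HEAP DUMP SEGMENT
                self.parse_heap(end)
            self.pos = end                                   # frames, traces, HEAP DUMP END: skipped

    def parse_heap(self, end):
        while self.pos < end:
            sub = self.u1()
            if sub == 0x20:                                  # CLASS DUMP
                cls_id, _trace, super_id = self.read_id(), self.u4(), self.read_id()
                self.pos += 5 * self.id_size + 4             # loader, signers, domain, 2 reserved IDs, instance size
                for _ in range(self.u2()):                   # constant pool: u2 index, u1 type, value
                    self.pos += 2
                    self.skip_value(self.u1())
                for _ in range(self.u2()):                   # static fields: ID name, u1 type, value
                    self.read_id()
                    self.skip_value(self.u1())
                fields = [(self.read_id(), self.u1()) for _ in range(self.u2())]   # instance fields: name, type
                self.classes[cls_id] = (super_id, fields)
            elif sub == 0x21:                                # INSTANCE DUMP
                obj_id, _trace, cls_id, n = self.read_id(), self.u4(), self.read_id(), self.u4()
                self.instances[obj_id] = (cls_id, self.data[self.pos:self.pos + n])
                self.pos += n
            elif sub == 0x23:                                # PRIMITIVE ARRAY DUMP
                arr_id, _trace, n, ty = self.read_id(), self.u4(), self.u4(), self.u1()
                if ty == 8:                                  # byte[]: keep raw bytes so text payloads stay readable
                    self.prim_arrays[arr_id] = bytes(self.data[self.pos:self.pos + n])
                else:
                    self.prim_arrays[arr_id] = list(struct.unpack_from(">" + PRIM_FMT[ty] * n, self.data, self.pos))
                self.pos += PRIM_SIZES[ty] * n
            elif sub in ROOTS:
                ids, extra = ROOTS[sub]
                self.pos += ids * self.id_size + extra
            else:                                            # e.g. 0x22 OBJECT ARRAY DUMP is not handled here
                raise NotImplementedError(f"heap sub-record 0x{sub:02x} not handled")

    def reconstruct(self, obj_id):
        """Decode an instance's raw field bytes into {name: value}: values are laid out in declaration
        order for the object's own class first, then for each superclass up the chain."""
        cls_id, raw = self.instances[obj_id]
        out, off = {"__class__": self.strings[self.class_names[cls_id]]}, 0
        while cls_id:
            super_id, fields = self.classes[cls_id]
            for name_id, ty in fields:
                fmt = self.id_fmt if ty == TYPE_OBJECT else ">" + PRIM_FMT[ty]
                (value,) = struct.unpack_from(fmt, raw, off)
                off += struct.calcsize(fmt)
                if ty == TYPE_OBJECT:                        # inline a referenced primitive array, else keep the ID
                    value = self.prim_arrays.get(value, value)
                out[self.strings[name_id]] = value
            cls_id = super_id
        return out


def build_sample_dump():
    """Constructed HPROF 1.0.2 stream (not from a real JVM): one object of the made-up class 'Example'
    with fields counter:int = 42, flag:boolean = true, data:byte[] = b"secret"."""
    ID = lambda v: struct.pack(">Q", v)
    rec = lambda tag, body: struct.pack(">BII", tag, 0, len(body)) + body
    S_CLASS, S_COUNTER, S_FLAG, S_DATA = 0x100, 0x101, 0x102, 0x103      # string ids (constructed)
    CLS, OBJ, ARR = 0x200, 0x300, 0x400                                  # object ids (constructed)
    out = b"JAVA PROFILE 1.0.2\0" + struct.pack(">IQ", 8, 1_700_000_000_000)
    for sid, text in ((S_CLASS, "Example"), (S_COUNTER, "counter"), (S_FLAG, "flag"), (S_DATA, "data")):
        out += rec(0x01, ID(sid) + text.encode())
    out += rec(0x02, struct.pack(">I", 1) + ID(CLS) + struct.pack(">I", 0) + ID(S_CLASS))
    heap = b"\x20" + ID(CLS) + struct.pack(">I", 0) + ID(0) * 6 + struct.pack(">IHH", 13, 0, 0)
    heap += struct.pack(">H", 3) + ID(S_COUNTER) + b"\x0a" + ID(S_FLAG) + b"\x04" + ID(S_DATA) + b"\x02"
    values = struct.pack(">i?", 42, True) + ID(ARR)
    heap += b"\x21" + ID(OBJ) + struct.pack(">I", 0) + ID(CLS) + struct.pack(">I", len(values)) + values
    heap += b"\x23" + ID(ARR) + struct.pack(">II", 0, 6) + b"\x08" + b"secret"
    heap += b"\xff" + ID(OBJ)                                           # ROOT UNKNOWN keeping the object alive
    return out + rec(0x1C, heap) + rec(0x2C, b"")


def reconstruct_all(data):
    reader = HprofReader(data)
    reader.parse()
    return {oid: reader.reconstruct(oid) for oid in reader.instances}


if __name__ == "__main__":
    for oid, fields in reconstruct_all(build_sample_dump()).items():
        print(hex(oid), fields)
```

Run against a real dump, `reconstruct_all(open("heap.hprof", "rb").read())` would first have to survive `parse_heap`, which is where the unsupported sub-record types surface; the error message names the tag so the missing case can be added. Field values of an instance are only meaningful once every class in its superclass chain has been seen, which is why the reader collects all records before decoding anything.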

The paper can be downloaded here.