Memory Forensics on ML Processes
Virtually every piece of data computer processors interact with must pass through volatile memory (RAM). It’s where the CPU manages process data structures and thus presents an excellent opportunity for digital forensics. Despite complexities that arise due to the dynamic and volatile nature of RAM, it is possible to extract a great deal of information from a snapshot of memory. In this article, I introduce you to convolutional neural networks and existing memory forensics tools to ultimately create a novel plugin for Volatility that automates the recovery of PyTorch models from machine learning processes.
Overview
| Steps | Tools |
|---|---|
| 1. Build a convolutional neural network | PyTorch |
| 2. Inspect the running Python ML process | GDB & PDB |
| 3. Gather a memory image of the system | LiME |
| 4. Inspect the memory image | Volatility3 |
| 5. Develop a Volatility3 plugin to recover ML models |
System Requirements
- Linux native or Linux VM
- 8 GB RAM
Versions
- Python 3.10.6
- PyTorch 2.0.0
Bibliography
[1] Deep Learning with PyTorch - Chintala
[2] The Art of Memory Forensics - Ligh, Case, Levy, Walters
[3] Volatility Docs
[4] Advances in Memory Forensics - Pagani