A proof-of-concept tool that lets cyber-criminals conceal their tracks by altering the contents of memory.
At ShmooCon 2014, Jacob Williams, Chief Scientist at CSR-Group and creator of DropSmack, together with co-presenter Alissa Torres, a digital forensics investigator with Sibertor Forensics, described a proof-of-concept tool that will force forensic analysts to rethink how they analyze the memory of computing equipment.
According to Williams, digital forensic analysts can no longer blindly trust the output of their automated tools when extracting information from memory dumps: it will soon be possible to manipulate what is stored in memory and mislead the experts. Forensic analysts and digital-crime investigators therefore have their work cut out for them and will have to spend more time validating results.
A memory dump is a snapshot of everything running on a computer at the moment it is captured. A forensic analyst uses tools to parse the dump looking for artifacts of a crime or of misconduct. A typical computer today may have a 1 TB hard drive but only 4 GB of RAM, and data that is encrypted on disk must be decrypted in memory before it can be processed. Memory therefore gives an analyst a much smaller space to search, and one that holds things the disk never does:
- Evidence of private browsing sessions that are never written to disk
- Malware that only operates in memory without ever touching the disk
- Unsaved files
- Passwords typed into forms and applications
For example, a company recently told an employee that he was being let go over his role in manipulating data, but did not actually terminate him for several weeks. During that time the employee tried to remove traces of his illicit activity from his computer. He then challenged the termination, claiming there was no evidence for what the company alleged. Using memory forensics, the company showed that the employee had altered the computer in an incriminating fashion after he had been notified of his termination.
The ADD tool (Attention Deficit Disorder) works by creating fake artifacts in memory before a memory dump is taken. Specifically, ADD allows an attacker to pre-position fake files, network connections, and processes in memory. If the computer is seized and a forensic analyst obtains a memory dump, the fake artifacts send the analyst wandering through a maze. The tool is named for its effect: its use distracts analysts from examining the legitimate artifacts while they chase down forgeries.
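To make the problem concrete, the following added example (not code from ADD, its authors, or any real forensics framework) models the two ways a memory-analysis tool can enumerate processes and what a planted decoy does to each. A tiny invented record layout (a "PROC" tag plus fixed-width fields; real kernel structures such as Windows _EPROCESS differ) is written into a constructed 4 KB "memory image". A signature scan (in the style of a psscan plugin) finds every record with the tag wherever it lies, while a list walk (in the style of pslist) follows the active process list from its head. An ADD-style decoy dropped into unused memory has a valid signature, so the scan reports it, but it is not linked into the list. The validation pass cross-checks the two views and flags the disagreement for manual review; the record names, offsets and PIDs are all constructed for the example.

```python
"""Toy model of memory scanning versus planted decoy artifacts (added example).

The record layout and the image contents are invented for illustration; they are
not the ADD tool's design nor any real operating system's structures.
"""
import struct

FMT = "<4sII16sII"          # tag, pid, ppid, name, flink, blink (offsets are absolute)
SIZE = struct.calcsize(FMT)  # 36 bytes per record
TAG = b"PROC"
IMAGE_SIZE = 4096
HEAD = 0                     # offset of the list head record (pid 0)


def pack_proc(pid, ppid, name, flink, blink):
    # "16s" pads short names with NULs and truncates long ones
    return struct.pack(FMT, TAG, pid, ppid, name.encode(), flink, blink)


def build_image(procs):
    """Write a circular doubly-linked list of records into a blank image.

    procs: list of (pid, ppid, name); record i is placed at offset i*SIZE.
    """
    img = bytearray(IMAGE_SIZE)
    n = len(procs)
    for i, (pid, ppid, name) in enumerate(procs):
        off = i * SIZE
        flink = ((i + 1) % n) * SIZE
        blink = ((i - 1) % n) * SIZE
        img[off:off + SIZE] = pack_proc(pid, ppid, name, flink, blink)
    return img


def plant_decoy(img, off, pid, ppid, name):
    """Model of what an anti-forensics tool does: drop a record with a valid
    signature into unused memory without linking it into the active list.
    Its links point at itself so a naive reader sees 'plausible' pointers."""
    img[off:off + SIZE] = pack_proc(pid, ppid, name, off, off)


def read_proc(img, off):
    tag, pid, ppid, name, flink, blink = struct.unpack_from(FMT, img, off)
    return {"off": off, "pid": pid, "ppid": ppid,
            "name": name.rstrip(b"\0").decode(), "flink": flink, "blink": blink}


def scan_processes(img):
    """psscan-style: every record whose tag matches, wherever it sits."""
    found, off = [], img.find(TAG)
    while off != -1:
        if off + SIZE <= len(img):
            found.append(read_proc(img, off))
        off = img.find(TAG, off + 1)
    return found


def walk_list(img, head=HEAD, limit=1024):
    """pslist-style: follow flink from the head until the list wraps around."""
    seen, off = [], head
    for _ in range(limit):
        if off + SIZE > len(img) or img[off:off + 4] != TAG:
            break  # corrupt link: stop rather than read garbage
        p = read_proc(img, off)
        seen.append(p)
        off = p["flink"]
        if off == head:
            break
    return seen


def validate(img):
    """Cross-check the two views. Records the scan finds but the list walk does
    not are flagged for review: each could be a terminated process, a
    rootkit-hidden one, or a decoy planted to waste the analyst's time."""
    listed = {p["off"] for p in walk_list(img)}
    flagged = []
    for p in scan_processes(img):
        if p["off"] in listed:
            continue
        reasons = ["not reachable from the active process list"]
        if p["flink"] == p["off"] or p["blink"] == p["off"]:
            reasons.append("flink/blink point at the record itself")
        else:
            for link, back in (("flink", "blink"), ("blink", "flink")):
                t = p[link]
                if t + SIZE > len(img) or img[t:t + 4] != TAG or read_proc(img, t)[back] != p["off"]:
                    reasons.append(f"{link} neighbour does not link back")
        flagged.append({"pid": p["pid"], "name": p["name"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    image = build_image([(0, 0, "head"), (4, 0, "System"),
                         (412, 4, "explorer.exe"), (1300, 412, "cmd.exe")])
    plant_decoy(image, 2048, 6666, 4, "mimikatz.exe")  # constructed decoy
    print("scan:", [p["name"] for p in scan_processes(image)])
    print("list:", [p["name"] for p in walk_list(image)])
    print("flagged:", validate(image))
```

The point of the cross-check is not that an unlinked record is automatically fake: real memory holds unlinked records for terminated processes, and rootkits unlink live processes to hide them. It is that a single tool's output is no longer evidence on its own; an analyst has to corroborate each artifact against an independent view (list versus scan, handle tables, thread lists, network objects, the matching files on disk) before spending hours on it, which is exactly the extra validation work the presenters predict.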