Memory Architecture Flashcards

1
Q

Computer buses

A

Communication channels running between the motherboard and RAM.

2
Q

Memory Management Unit (MMU)

A

Translates the address that the processor requests to its corresponding address in main memory.

3
Q

Translation Lookaside Buffer (TLB)

A

Because a given translation can require multiple memory read operations, the processor uses a special cache. Prior to each memory access, the TLB is consulted before asking the MMU to perform costly operations.

4
Q

Memory Controller

A

The CPU relies on the memory controller to manage communication with main memory.

5
Q

Direct Memory Access (DMA)

A

Provides a mechanism to directly access the contents of physical memory from a peripheral device without involving the untrusted software running on the machine.

6
Q

Linear Address Space

A

The single continuous address space that is exposed to a running program.

7
Q

Physical Address Space

A

Refers to the addresses that the processor requests for accessing physical memory. These addresses are obtained by translating the linear addresses to physical ones, using one or more page tables.

8
Q

Registers

A

In the IA-32 architecture, registers are a small amount of extremely fast memory that the CPU uses for temporary storage during processing.

9
Q

Paging

A

Provides the ability to virtualize the linear address space. It creates an execution environment in which a large linear address space is simulated with a modest amount of physical memory and disk storage. Each 32-bit linear address space is broken up into fixed-length sections called pages, which can be mapped into physical memory in arbitrary order. The IA-32 architecture supports pages of size 4 MB.

10
Q

Physical Address Extension (PAE)

A

Allows the processor to support physical address spaces greater than 4 GB.

11
Q

Interrupt Descriptor Table (IDT)

A

PC architectures provide a mechanism for interrupting process execution and passing control to a privileged mode software routine. The routines are stored in the IDT.

12
Q

Interrupt Service Routine (ISR)

A

The IDT contains the address of the ISR that can handle the particular interrupt or exception. In the event of an interrupt or exception, the specified interrupt

13
Q

Thread

A

The basic unit of CPU utilization and execution. A thread is often characterized by a thread ID, a CPU register set, and execution stack(s).

14
Q

Process

A

An instance of a program executing in memory. A process’s threads share the same code, data, address space, and operating system resources. A process acts as a container for the system resources that are accessible to its threads.

15
Q

CPU Scheduling

A

The operating system’s capability to distribute CPU execution time among multiple threads.

16
Q

Context Switching

A

Switching execution from one thread to another. During a context switch the OS suspends the execution of a thread and stores its execution context in main memory. The OS then retrieves the execution context of another thread from memory, updates the state of the CPU registers, and resumes execution where that thread was previously suspended.

17
Q

Use of Context Switching for Forensics

A

The saved execution context associated with suspended threads can provide valuable insight during memory analysis, such as which sections of code were being executed or which parameters were passed to system calls.

18
Q

Tracked Operating System Resources

A

Processes, threads, files, network sockets, synchronization objects, and regions of shared memory.

19
Q

Virtual Memory

A

OSs provide each process with its own private virtual address space. This abstraction creates a separation between the logical memory that a process sees and the actual physical memory installed on the machine. During execution, the memory manager and the MMU work together to translate virtual addresses into physical addresses.

20
Q

OS Memory vs. Private Memory

A

The range of addresses reserved for the OS is generally consistent across all processes, whereas the private ranges depend on the process that is executing. With the support of the hardware, the memory manager can partition the data to prevent a malicious or misbehaving process from reading or writing memory that belongs to the kernel or to other processes.

21
Q

Demand Paging

A

A mechanism commonly used to implement virtual memory: a memory management policy for determining which regions are resident in main memory and which are moved to slower secondary storage when the need arises.

22
Q

Page File or Swap

A

Refers to a file or partition on an internal disk, the most common secondary storage. A demand paging implementation attempts to load only the pages that are actually needed into memory, as opposed to entire processes.

23
Q

Locality of Reference

A

Based on the observation that recently accessed memory locations are likely to be accessed again within a short period of time, as are their neighbors. To improve performance and stability, an OS’s memory manager has a mechanism for designating which regions of memory can be paged out versus those that must remain resident.

24
Q

Shared Memory

A

Commonly used to conserve physical memory. Instead of allocating multiple physical pages that contain the same data, you can create a single instance of the data in physical memory and map various regions of virtual memory to it.

25
Q

Copy-on-Write

A

Related to shared memory. Allows the memory manager to defer making a private copy of the data within a process’s address space until the memory has been modified. After the page is written to, the memory manager allocates the private copy of that page with the associated modifications and updates the virtual memory mappings for that process. The other processes are unaffected and still map to the original shared page.

26
Q

Heap

A

Application data that needs to be dynamically allocated is stored within the heap region. Unlike data allocated on the stack, which persists only for the scope of a function, the data allocated within the heap can persist for the lifetime of the process. A heap stores information whose length and contents may not be known at compile time.

27
Q

What data is found in the heap?

A

Data read from files on disk, data transferred over the network, and input typed on a keyboard.

28
Q

Accessing File System Storage Block

A

Unlike volatile main memory, secondary storage is used by the OS to manage persistent data objects that a user wants to access for a timeframe longer than the lifetime of a particular process. Data stored in files must be loaded into memory when it is needed. The OS also caches frequently accessed file data in main memory to reduce the overhead associated with reading it from disk.

29
Q

Compare Cached File Data to Data Stored on Disk

A

By comparing cached data with the data stored on disk, investigators can identify modifications made to memory-resident data. Additionally, investigators might find memory artifacts in crash dumps or hibernation files.

30
Q

Device Drivers

A

Typically communicate with the registers of the device controller. OSs also use device drivers to implement virtual memory via a software device.

31
Q

I/O Controls (IOCTLs)

A

Allow a user application to communicate with a kernel mode device driver. They also provide a mechanism for third-party hardware devices and drivers to define their own interfaces and functionality. Memory forensics can detect modified or unknown IOCTLs and provide valuable insight into how attackers leverage them.

32
Q

Hibernation File Contains

A

Contains a compressed copy of memory that the system dumps to disk during the hibernation process. (Header: ‘PO_MEMORY_IMAGE’)

33
Q

Volatility Hibernation File Analysis Requirements

A

Either certain segments must be decompressed every time you run a command, or the entire memory dump can be decompressed once (using the imagecopy command).

34
Q

Pool Tag

A

Specifies a four-byte value, typically composed of ASCII characters, that should uniquely identify the code path taken to produce the allocation.