Inception: Virtual Space in Memory Space in Real Space - Memory Forensics of Immersive Virtual Reality with the HTC Vive

Virtual Reality (VR) has become a reality. With the technology's increased use cases, comes its misuse. Malware affecting the Virtual Environment (VE) may prevent an investigator from ascertaining virtual information from a physical scene, or from traditional "dead" analysis. Following the trend of anti-forensics, evidence of an attack may only be found in memory, along with many other volatile data points. Our work provides the primary account for the memory forensics of Immersive VR systems, and in specific the HTC Vive. Our approach is capable of reconstituting artifacts from memory that are relevant to the VE, and is also capable of reconstructing a visualization of the room setup a VR player was immersed into. In specific, we demonstrate that the VE, location, state and class of VR devices can be extracted from memory. Our work resulted in the first open source VR memory forensics plugin for the Volatility Framework. We discuss our findings, and our replicable approach that may be used in future memory forensics research. (C) 2019 The Author(s). Published by Elsevier Ltd on behalf of DFRWS.