
Memory forensics

Published: 01 March 2017

Abstract

Traditionally, digital forensics focused on artifacts located on the storage devices of computer systems, mobile phones, digital cameras, and other electronic devices. In the past decade, however, researchers have created a number of powerful memory forensics tools that expand the scope of digital forensics to include the examination of volatile memory as well. While memory forensic techniques have evolved from simple string searches to deep, structured analysis of application and kernel data structures for a number of platforms and operating systems, much research remains to be done. This paper surveys the state of the art in memory forensics, provides a critical analysis of current-generation techniques, describes important changes in operating system design that impact memory forensics, and sketches important areas for further research.
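The progression the abstract describes, from raw string searching to structured analysis of kernel objects, can be shown on a small constructed memory image. The following is an added example and is not code from the paper or from any of the tools it surveys; the "process object" layout, its `Proc` tag, the field offsets and the sample process names are invented for illustration and do not correspond to any real operating system structure. It contrasts a raw string search, a walk of the OS's own linked list, and a signature scan over the whole image, and then uses the cross-view difference between the last two to surface an object that is still resident but has been unlinked from the list.

```python
import struct

# Constructed, hypothetical "process object" layout (not a real OS structure):
#   offset 0:  4-byte tag b'Proc'
#   offset 4:  u32 pid
#   offset 8:  16-byte NUL-padded process name
#   offset 24: u32 physical offset of the next object in the active list (0 = end)
OBJ_FMT = "<4sI16sI"
OBJ_SIZE = struct.calcsize(OBJ_FMT)  # 28 bytes
TAG = b"Proc"


def build_image(size=4096):
    """Return (image_bytes, list_head_offset) for a constructed 4 KiB image holding
    three linked process objects plus one object that was unlinked from the list
    but never freed, so it is still sitting in memory."""
    img = bytearray(size)
    objs = [  # (offset, pid, name, next)
        (0x100, 4, b"System", 0x300),
        (0x300, 612, b"explorer.exe", 0x500),
        (0x500, 1337, b"notepad.exe", 0),
        (0x700, 2048, b"rootkit.exe", 0),  # unreachable from the list head
    ]
    for off, pid, name, nxt in objs:
        img[off:off + OBJ_SIZE] = struct.pack(OBJ_FMT, TAG, pid, name.ljust(16, b"\0"), nxt)
    # Stray ASCII copy of a name: a string search cannot tell it from a real object.
    stray = b"notepad.exe"
    img[0x900:0x900 + len(stray)] = stray
    return bytes(img), 0x100


def parse_obj(img, off):
    """Decode one object at `off`; return None if the tag does not match."""
    tag, pid, name, nxt = struct.unpack_from(OBJ_FMT, img, off)
    if tag != TAG:
        return None
    return {"offset": off, "pid": pid, "name": name.rstrip(b"\0").decode(), "next": nxt}


def strings_search(img, needle):
    """First-generation technique: every raw substring hit, with no structure."""
    hits, i = [], img.find(needle)
    while i != -1:
        hits.append(i)
        i = img.find(needle, i + 1)
    return hits


def walk_list(img, head):
    """Follow the OS's own linked list from `head` (a 'pslist'-style view).
    Cycle protection stops a list deliberately looped back on itself."""
    seen, out, off = set(), [], head
    while off and off not in seen:
        seen.add(off)
        obj = parse_obj(img, off)
        if obj is None:
            break
        out.append(obj)
        off = obj["next"]
    return out


def scan_objects(img):
    """Signature scan over the whole image (a 'psscan'-style view): report every
    4-byte-aligned location that parses as a process object, linked or not."""
    out = []
    for off in range(0, len(img) - OBJ_SIZE + 1, 4):
        if img[off:off + 4] == TAG:
            obj = parse_obj(img, off)
            if obj is not None:
                out.append(obj)
    return out


def hidden_processes(img, head):
    """Cross-view check: objects the scan finds that the list walk does not."""
    linked = {o["offset"] for o in walk_list(img, head)}
    return [o for o in scan_objects(img) if o["offset"] not in linked]


if __name__ == "__main__":
    image, head = build_image()
    print("string hits for notepad.exe:", [hex(h) for h in strings_search(image, b"notepad.exe")])
    print("list walk:", [(o["pid"], o["name"]) for o in walk_list(image, head)])
    print("scan:     ", [(o["pid"], o["name"]) for o in scan_objects(image)])
    print("hidden:   ", [(o["pid"], o["name"]) for o in hidden_processes(image, head)])
```

The string search returns two hits for `notepad.exe`, one inside a real object and one stray copy, and cannot distinguish them; the list walk sees only the three linked objects; the scan sees all four, and the difference is the unlinked one. Real tools apply the same cross-view idea with OS-specific structure definitions and allocator tags, and with the same caveat: a scan can also return stale objects from freed memory, so a scan-only hit is a lead to be confirmed, not a verdict.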



Published In

Digital Investigation: The International Journal of Digital Forensics & Incident Response  Volume 20, Issue C
March 2017
60 pages

Publisher

Elsevier Science Publishers B. V.

Netherlands

Author Tags

  1. Computer forensics
  2. Incident response
  3. Malware
  4. Memory analysis
  5. Memory forensics

Qualifiers

  • Research-article

Cited By

  • (2024) Causal Inconsistencies Are Normal in Windows Memory Dumps (Too). Digital Threats: Research and Practice 5(3), 1-20. doi:10.1145/3680293. Online: 23 Jul 2024.
  • (2024) Manipulating the Swap Memory for Forensic Investigation. Proceedings of the 19th International Conference on Availability, Reliability and Security, 1-6. doi:10.1145/3664476.3670887. Online: 30 Jul 2024.
  • (2024) Enhancing Reliability During Physical Memory Forensics: Strategies and Practices. SN Computer Science 5(1). doi:10.1007/s42979-023-02553-y. Online: 8 Jan 2024.
  • (2024) Integrating the edge computing paradigm into the development of IoT forensic methodologies. International Journal of Information Security 23(2), 1093-1116. doi:10.1007/s10207-023-00776-x. Online: 1 Apr 2024.
  • (2023) An Experimental Assessment of Inconsistencies in Memory Forensics. ACM Transactions on Privacy and Security 27(1), 1-29. doi:10.1145/3628600. Online: 20 Oct 2023.
  • (2023) Memory Forensics of the OpenDaylight Software-Defined Networking (SDN) Controller. Proceedings of the 18th International Conference on Availability, Reliability and Security, 1-8. doi:10.1145/3600160.3600196. Online: 29 Aug 2023.
  • (2023) Fileless malware threats. Expert Systems with Applications 214(C). doi:10.1016/j.eswa.2022.119133. Online: 15 Mar 2023.
  • (2022) Personal data protection in the age of mass surveillance. Journal of Computer Security 30(2), 265-289. doi:10.3233/JCS-200033. Online: 1 Jan 2022.
  • (2022) Methods and Tools for Investigating Attacks - Memory Forensics. Proceedings of the 5th International Conference on Big Data Technologies, 314-319. doi:10.1145/3565291.3565342. Online: 23 Sep 2022.
  • (2022) Forensic analysis of Tor in Windows environment: A case study. Proceedings of the 17th International Conference on Availability, Reliability and Security, 1-10. doi:10.1145/3538969.3543808. Online: 23 Aug 2022.