Signature based volatile memory forensics: a detection based approach for analyzing sophisticated cyber attacks

  • Nilay R. Mistry
  • M. S. Dahiya
Original Article

Abstract

Volatile memory forensics is a live forensic approach for collecting artifacts of real-time activity that may not be recoverable through post-mortem (disk) forensics. Its techniques inspect RAM to extract information such as passwords, encryption keys, network activity, open files, and the set of processes and threads currently running within an operating system. A volatile memory dump allows this live data to be investigated offline. In this research, signature-based artifact identification is performed using keywords and default hex values. Several challenging scenarios are discussed, and evidence signatures are identified using regular expressions. Beyond these scenarios, recent ransomware attacks can also be investigated using volatile memory forensic analysis.
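As an added illustration (not code from the paper), the following Python script shows the kind of signature-based scan the abstract describes: byte regexes for keyword artifacts (URLs, e-mail addresses, IPv4 addresses, a ransom-note phrase), a UTF-16LE keyword search, and a default-hex-value check for PE images whose `e_lfanew` field points at a valid `PE\0\0` header, all run over a small constructed byte buffer standing in for a memory dump. The signature set, the keywords, the sample image and the `Hit` type are assumptions chosen for illustration.

```python
"""Signature-based scan of a raw memory image (added example, constructed input)."""
import re
import struct
from dataclasses import dataclass

# Keyword / pattern signatures as byte regexes so they apply to a raw image
# without decoding it first. All of these are illustrative assumptions.
ASCII_SIGNATURES = {
    "url": re.compile(rb"https?://[A-Za-z0-9.\-_/?=&%#]+"),
    "email": re.compile(rb"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])"),
    # Generic ransom-note phrase; a real case would use phrases from the sample.
    "ransom_note": re.compile(rb"(?i)your files (?:have been|are) encrypted"),
}

# Windows stores most user-visible strings as UTF-16LE, so an ASCII-only search
# misses them; these keywords are searched in that encoding as well.
UTF16_KEYWORDS = ("password", "encrypted")


@dataclass(frozen=True)
class Hit:
    offset: int   # byte offset in the image
    name: str     # signature that fired
    value: str    # decoded matched bytes


def find_pe_headers(image: bytes) -> list[int]:
    """Offsets of candidate PE images: 'MZ' whose e_lfanew (at +0x3C) points at 'PE\\0\\0'.

    The pointer check is what separates a real DOS/PE header from the many
    stray 'MZ' byte pairs found in any large memory image.
    """
    found = []
    pos = image.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(image):
            e_lfanew = struct.unpack_from("<I", image, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and image[nt:nt + 4] == b"PE\x00\x00":
                found.append(pos)
        pos = image.find(b"MZ", pos + 1)
    return found


def scan(image: bytes) -> list[Hit]:
    """Run every ASCII, UTF-16LE and hex-value signature and return hits by offset."""
    hits: list[Hit] = []
    for name, pattern in ASCII_SIGNATURES.items():
        for m in pattern.finditer(image):
            hits.append(Hit(m.start(), name, m.group().decode("ascii", "replace")))
    for kw in UTF16_KEYWORDS:
        # Keywords are plain letters, so the encoded bytes contain no regex metacharacters.
        pattern = re.compile(kw.encode("utf-16-le"), re.IGNORECASE)
        for m in pattern.finditer(image):
            hits.append(Hit(m.start(), f"utf16:{kw}", m.group().decode("utf-16-le")))
    for off in find_pe_headers(image):
        hits.append(Hit(off, "pe_header", "MZ..PE"))
    return sorted(hits, key=lambda h: h.offset)


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory dump: zero filler with known artifacts planted."""
    pad = b"\x00" * 32
    # Minimal DOS header: 'MZ', e_lfanew = 0x80, then the NT signature at +0x80.
    pe = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
          + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 20)
    return b"".join([
        pe, pad,
        b"GET http://update.example.test/payload.bin HTTP/1.1\r\n", pad,
        b"From: victim@example.test\r\n", pad,
        b"connect 10.0.0.5:443", pad,
        b"YOUR FILES HAVE BEEN ENCRYPTED! Pay 0.5 BTC", pad,
        "Password".encode("utf-16-le"), pad,
        b"MZ" + b"\xff" * 70,   # stray 'MZ' with an invalid e_lfanew: must not be reported
    ])


if __name__ == "__main__":
    for hit in scan(build_sample_image()):
        print(f"{hit.offset:#08x}  {hit.name:<16} {hit.value}")
```

Scanning raw pages this way is fast but context-free: a hit may sit in a freed or paged-out region, belong to a process that has since exited, or be split across non-contiguous physical pages, so in practice each hit is tied back to the owning process and virtual address range (for example through the process list and memory-region metadata that memory-forensics frameworks reconstruct) before it is treated as evidence.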

Keywords

RAM, Malware, Signature, Forensic Investigation, Network, Cyber security

Copyright information

© Bharati Vidyapeeth's Institute of Computer Applications and Management 2018

Authors and Affiliations

  • Institute of Forensic Science, Gujarat Forensic Sciences University, Gandhinagar, India