mrsh-mem: Approximate Matching on Raw Memory Dumps

Details

Serval ID
serval:BIB_0BFCBF5F46A5
Type
Conference proceedings (part): original contribution to the scientific literature, published on the occasion of a scientific conference, in a proceedings volume or in a special issue of a recognized journal (conference proceedings).
Collection
Publications
Title
mrsh-mem: Approximate Matching on Raw Memory Dumps
Conference title
2018 11th International Conference on IT Security Incident Management & IT Forensics (IMF)
Authors
Liebler Lorenz, Breitinger Frank
Publisher
IEEE
ISBN
9781538666326
Publication status
Published
Publication date
05/2018
Language
English
Abstract
This paper presents the fusion of two subdomains of digital forensics: (1) raw memory analysis and (2) approximate matching. Specifically, this paper describes a prototype implementation named MRSH-MEM that allows comparing hard drive images as well as memory dumps and can therefore answer the question of whether a particular program (installed on a hard drive) is currently running / loaded in memory. To answer this question, we only require both dumps or access to a public repository that provides the binaries to be tested. For our prototype, we modified an existing approximate matching algorithm named MRSH-NET and combined it with approxis, an approximate disassembler. Recent literature claims that approximate matching techniques are slow and hardly applicable to the field of memory forensics. In particular, legitimate changes to executables in memory caused by the loader itself prevent the application of current bytewise approximate matching techniques. Our approach lowers the impact of modified code in memory and shows good computational performance. During our experiments, we show how an investigator can gain meaningful insights by combining data from a hard disk image and raw memory dumps at a practicable runtime. Lastly, our current implementation will be integrable into the Volatility memory forensics framework, and we introduce new possibilities for providing data-driven cross-validation functions. Our current proof-of-concept implementation supports Linux-based raw memory dumps.
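The abstract's central point, that loader modifications (relocations and similar fixups) defeat bytewise approximate matching of on-disk and in-memory code, is easy to reproduce on a toy scale. The following is an added example written for this record, not code from the paper, from MRSH-MEM or from approxis. It chunks a byte stream with a rolling hash and stores chunk hashes in a Bloom filter (the general shape of mrsh-style matching, in a simplified form), then compares a "disk" copy of a program against a "memory" copy whose absolute addresses the loader has rebased. The instruction set, the relocation scheme and the operand-blanking normalization are hypothetical stand-ins chosen so the example runs offline; the toy ISA decodes exactly, whereas real x86 code would need a disassembler, which is the role the abstract assigns to approxis.

```python
"""Constructed example: bytewise approximate matching of an on-disk binary
against its in-memory copy after the loader applied relocations.  The toy ISA,
the relocation and the normalization are hypothetical stand-ins, not the
paper's MRSH-MEM or approxis code."""
import hashlib
import random
import struct

# Toy instruction set (hypothetical): 1-byte NOP, 2-byte register op,
# 5-byte op carrying a 32-bit little-endian absolute address operand.
OP_NOP, OP_REG, OP_ABS = 0x01, 0x02, 0x03
OP_SIZE = {OP_NOP: 1, OP_REG: 2, OP_ABS: 5}

WINDOW = 7     # bytes covered by the rolling hash
BLOCK = 32     # expected chunk length: cut when hash % BLOCK == BLOCK - 1
MIN_CHUNK = 8  # never cut sooner than this after the previous cut


def build_program(n_instr: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random program in the toy ISA (constructed input)."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n_instr):
        r = rng.random()
        if r < 0.3:
            out.append(OP_NOP)
        elif r < 0.6:
            out += bytes((OP_REG, rng.randrange(256)))
        else:  # address inside a fake image linked at 0x00400000
            out += bytes((OP_ABS,)) + struct.pack("<I", 0x00400000 + rng.randrange(1 << 20))
    return bytes(out)


def decode(code: bytes):
    """Exact decoder for the toy ISA; yields (opcode, operand bytes)."""
    i = 0
    while i < len(code):
        op = code[i]
        yield op, code[i + 1:i + OP_SIZE[op]]
        i += OP_SIZE[op]


def relocate(code: bytes, delta: int) -> bytes:
    """Simulate the loader: add the load-base delta to every absolute address."""
    out = bytearray()
    for op, operand in decode(code):
        if op == OP_ABS:
            addr = struct.unpack("<I", operand)[0]
            operand = struct.pack("<I", (addr + delta) & 0xFFFFFFFF)
        out.append(op)
        out += operand
    return bytes(out)


def normalize(code: bytes) -> bytes:
    """Blank address operands so relocation no longer changes the byte stream
    (my simplification of an instruction-level view, not approxis output)."""
    out = bytearray()
    for op, operand in decode(code):
        out.append(op)
        out += b"\x00" * len(operand) if op == OP_ABS else operand
    return bytes(out)


def rolling_hash(window: bytes) -> int:
    """Small multiplicative hash; the top byte is used so every input byte
    influences the boundary decision."""
    h = 0
    for b in window:
        h = (h * 0x9E3779B1 + b) & 0xFFFFFFFF
    return h >> 24


def chunks(data: bytes):
    """Content-defined chunking: cut where the hash of the last WINDOW bytes hits
    the trigger value, so a local edit disturbs only the chunks around it."""
    start = 0
    for end in range(WINDOW, len(data) + 1):
        if end - start >= MIN_CHUNK and rolling_hash(data[end - WINDOW:end]) % BLOCK == BLOCK - 1:
            yield data[start:end]
            start = end
    if start < len(data):
        yield data[start:]


class Bloom:
    """Bloom filter over chunk hashes: k bit positions taken from SHA-256."""
    def __init__(self, bits: int = 1 << 16, k: int = 4):
        self.bits, self.k, self.array = bits, k, bytearray(bits // 8)

    def _positions(self, chunk: bytes):
        digest = hashlib.sha256(chunk).digest()
        for j in range(self.k):
            yield int.from_bytes(digest[4 * j:4 * j + 4], "little") % self.bits

    def add(self, chunk: bytes) -> None:
        for p in self._positions(chunk):
            self.array[p >> 3] |= 1 << (p & 7)

    def __contains__(self, chunk: bytes) -> bool:
        return all(self.array[p >> 3] & (1 << (p & 7)) for p in self._positions(chunk))


def match_rate(reference: bytes, probe: bytes) -> float:
    """Fraction of the probe's chunks present in the reference's Bloom filter."""
    bf = Bloom()
    for c in chunks(reference):
        bf.add(c)
    probe_chunks = list(chunks(probe))
    return sum(c in bf for c in probe_chunks) / len(probe_chunks) if probe_chunks else 0.0


def demo() -> tuple:
    """Disk image vs. memory dump of the same program; returns the match rate on
    raw bytes and after operand normalization."""
    disk = build_program(600)
    memory = relocate(disk, 0x10203040)  # same code, loaded at a different base
    return match_rate(disk, memory), match_rate(normalize(disk), normalize(memory))


if __name__ == "__main__":
    raw, normalized = demo()
    print(f"bytewise match rate: {raw:.2f}  after operand normalization: {normalized:.2f}")
```

With about 40% of the toy instructions carrying an address, the rebased copy changes roughly half of all bytes and almost no chunk survives intact, so the raw match rate collapses even though not a single instruction differs semantically; once address operands are blanked the two streams are byte-identical and every chunk matches. Real loaders also patch GOT/PLT entries and may rewrite page contents after a fault, so a practitioner should expect the raw-byte rate on a real Linux dump to be low for reasons beyond plain relocation.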
Keywords
digital forensics, image matching, Linux, prototype implementation, MRSH-MEM, hard drive images, MRSH-NET, approximate disassembler, hard disk image, Linux-based raw memory dumps, raw memory analysis, bytewise approximate matching algorithm, data-driven cross-validation functions, Volatility memory forensics framework, Kernel, Forensics, Memory management, Approximation algorithms, Hard disks, Task analysis, Memory analysis, Forensic analysis, Approximate matching, Fuzzy hashing
Record created
06/05/2021 11:01
Record last modified
06/05/2021 11:41