An Experimental Assessment of Inconsistencies in Memory Forensics
Détails
Demande d'une copie Sous embargo indéterminé.
Accès restreint UNIL
Etat: Public
Version: Final published version
Licence: Non spécifiée
Accès restreint UNIL
Etat: Public
Version: Final published version
Licence: Non spécifiée
ID Serval
serval:BIB_668DD310C097
Type
Article: article d'un périodique ou d'un magazine.
Collection
Publications
Institution
Titre
An Experimental Assessment of Inconsistencies in Memory Forensics
Périodique
ACM Trans. Priv. Secur.
ISSN
2471-2566
Statut éditorial
Publié
Date de publication
01/12/2023
Peer-reviewed
Oui
Volume
27
Numéro
1
Langue
anglais
Résumé
Memory forensics is concerned with the acquisition and analysis of copies of volatile memory (memory dumps). Based on an empirical assessment of observable inconsistencies in 360 memory dumps of a running Linux system, we confirm a state of overwhelming inconsistency in memory forensics: almost a third of these dumps had an empty process list and was therefore obviously incomplete. Out of those dumps that were analyzable, almost every second dump showed some form of inconsistency that potentially impacts the interpretation of the dump in a forensic investigation. These results are based on a new way to estimate the level of causal consistency of a memory dump. The factors influencing these inconsistencies are less clear but in general correlate with the level of concurrency (system load and number of threads).
Mots-clé
inconsistencies, memory analysis, Memory forensics, memory acquisition
Site de l'éditeur
Création de la notice
14/01/2024 14:13
Dernière modification de la notice
15/01/2024 7:16