An Experimental Assessment of Inconsistencies in Memory Forensics
Details
Request a copy Under indefinite embargo.
UNIL restricted access
State: Public
Version: Final published version
License: Not specified
UNIL restricted access
State: Public
Version: Final published version
License: Not specified
Serval ID
serval:BIB_668DD310C097
Type
Article: article from journal or magazin.
Collection
Publications
Institution
Title
An Experimental Assessment of Inconsistencies in Memory Forensics
Journal
ACM Trans. Priv. Secur.
ISSN
2471-2566
Publication state
Published
Issued date
01/12/2023
Peer-reviewed
Oui
Volume
27
Number
1
Language
english
Abstract
Memory forensics is concerned with the acquisition and analysis of copies of volatile memory (memory dumps). Based on an empirical assessment of observable inconsistencies in 360 memory dumps of a running Linux system, we confirm a state of overwhelming inconsistency in memory forensics: almost a third of these dumps had an empty process list and was therefore obviously incomplete. Out of those dumps that were analyzable, almost every second dump showed some form of inconsistency that potentially impacts the interpretation of the dump in a forensic investigation. These results are based on a new way to estimate the level of causal consistency of a memory dump. The factors influencing these inconsistencies are less clear but in general correlate with the level of concurrency (system load and number of threads).
Keywords
inconsistencies, memory analysis, Memory forensics, memory acquisition
Publisher's website
Create date
14/01/2024 14:13
Last modification date
15/01/2024 7:16