Abstract
Windows physical memory holds forensically valuable information about activity on the system, such as processes and their running threads, open registry keys, and user authentication details. An attacker can modify the code of a legitimate process to carry out malicious tasks, and such injected code is not detected by antivirus programs. To detect the presence of malicious code in a legitimate process, this paper proposes a framework based on a process's memory-mapped information and its creation time. The techniques discussed in this paper have been verified on Windows 7 and 8 volatile memory dumps.
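As an added illustration of the kind of check the abstract describes (this is example code, not the paper's framework or any published tool), the following Python applies two heuristics to a per-process listing of memory regions and threads of the sort a memory-forensics tool recovers from a dump: executable regions with no backing file on disk, and threads created well after the process whose start address lies in such a region. The `Region`, `Thread` and `Process` structures, the five-second window, and the `notepad.exe` sample data are all constructed assumptions for this example.

```python
"""Heuristic injected-code detection over a process memory snapshot.

Assumptions (not from the paper): each region carries its protection and the
file it is mapped from (None for private memory), and each thread carries its
creation time and start address, as a memory-forensics tool would report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Windows page protections that permit execution
EXEC_PROTECTIONS = {
    "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
}


@dataclass
class Region:
    start: int
    size: int
    protection: str
    mapped_file: Optional[str] = None  # None means private, not file-backed

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + self.size


@dataclass
class Thread:
    tid: int
    create_time: datetime
    start_address: int


@dataclass
class Process:
    pid: int
    name: str
    create_time: datetime
    regions: List[Region]
    threads: List[Thread]


def executable_unbacked_regions(proc: Process) -> List[Region]:
    """Executable regions that are not mapped from a file on disk."""
    return [r for r in proc.regions
            if r.protection in EXEC_PROTECTIONS and r.mapped_file is None]


def region_for(proc: Process, addr: int) -> Optional[Region]:
    """Return the region containing addr, or None if it is unmapped."""
    for r in proc.regions:
        if r.contains(addr):
            return r
    return None


def late_threads(proc: Process, window: timedelta = timedelta(seconds=5)) -> List[Thread]:
    """Threads created after the process start-up window whose start address
    lies in executable memory that has no file backing."""
    suspects = []
    for t in proc.threads:
        if t.create_time - proc.create_time <= window:
            continue  # created at process start-up, treated as normal here
        r = region_for(proc, t.start_address)
        if r is not None and r.protection in EXEC_PROTECTIONS and r.mapped_file is None:
            suspects.append(t)
    return suspects


def assess(proc: Process) -> dict:
    """Combine both heuristics into one verdict for the process."""
    regions = executable_unbacked_regions(proc)
    threads = late_threads(proc)
    return {
        "pid": proc.pid,
        "name": proc.name,
        "unbacked_exec_regions": [hex(r.start) for r in regions],
        "late_thread_tids": [t.tid for t in threads],
        "suspicious": bool(regions) or bool(threads),
    }


# Constructed sample snapshot (made up for this example, not real dump data)
T0 = datetime(2016, 3, 14, 9, 30, 0)
SAMPLE = Process(
    pid=2184, name="notepad.exe", create_time=T0,
    regions=[
        Region(0x7FF6A3E00000, 0x40000, "PAGE_EXECUTE_READ", r"C:\Windows\System32\notepad.exe"),
        Region(0x7FFD10000000, 0x1D0000, "PAGE_EXECUTE_READ", r"C:\Windows\System32\ntdll.dll"),
        Region(0x00600000, 0x100000, "PAGE_READWRITE", None),          # ordinary heap
        Region(0x01F00000, 0x10000, "PAGE_EXECUTE_READWRITE", None),   # private RWX: suspicious
    ],
    threads=[
        Thread(2188, T0 + timedelta(milliseconds=12), 0x7FF6A3E01234),  # main thread in image
        Thread(4412, T0 + timedelta(minutes=3), 0x01F00040),            # late thread in RWX region
    ],
)

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Both checks are deliberately coarse: JIT compilers and some packers legitimately create private executable memory, so in practice the flagged regions are candidates for closer inspection (for example, comparing their contents with the on-disk image) rather than a verdict on their own.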
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Patil, D.N., Meshram, B.B. (2019). Windows Physical Memory Analysis to Detect the Presence of Malicious Code. In: Sa, P., Bakshi, S., Hatzilygeroudis, I., Sahoo, M. (eds) Recent Findings in Intelligent Computing Techniques . Advances in Intelligent Systems and Computing, vol 707. Springer, Singapore. https://doi.org/10.1007/978-981-10-8639-7_1
DOI: https://doi.org/10.1007/978-981-10-8639-7_1
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-8638-0
Online ISBN: 978-981-10-8639-7
eBook Packages: Intelligent Technologies and Robotics (R0)