
Signature based volatile memory forensics: a detection based approach for analyzing sophisticated cyber attacks

  • Original Article
  • International Journal of Information Technology

Abstract

Volatile memory forensics is a live forensic approach that collects real-time, activity-based artifacts which may not be recoverable through post-mortem (disk) forensics. Volatile memory forensics techniques inspect RAM to extract information such as passwords, encryption keys, network activity, open files, and the set of processes and threads currently running within an operating system. A volatile memory dump is used for offline investigation of this live data. In this research, signature-based artifact identification is performed using keywords and default hex values. Several challenging scenarios are discussed, and evidence signatures are identified using regular expressions. Beyond these scenarios, recent ransomware attacks can also be investigated using volatile memory forensic analysis.
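To make the abstract's approach concrete, the following is an added example (not code from the paper or its authors) of a signature-based scanner over a raw memory image. It combines the two signature kinds the abstract names: fixed "default hex value" signatures (well-known file magic numbers such as the PE `MZ`/`PE\0\0` pair and the PNG header) and keyword or pattern signatures written as regular expressions (URLs, e-mail addresses, IPv4 addresses, `password=` key-value pairs, and a generic ransom-note phrase). The signature table, the e_lfanew sanity bounds, and the sample image are all constructed for this example; a real investigation would point `scan_image` at a memory dump read from disk.

```python
import re
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed signature table (assumption: these are the artifact classes an
# examiner wants flagged; extend as needed). Patterns are compiled over raw
# bytes because a memory image is not text.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    # Fixed hex-value signatures: well-known file magic numbers.
    "pe_header":   re.compile(rb"MZ"),                       # DOS stub; validated below
    "png_header":  re.compile(rb"\x89PNG\r\n\x1a\n"),
    "pdf_header":  re.compile(rb"%PDF-\d\.\d"),
    "zip_header":  re.compile(rb"PK\x03\x04"),
    # Keyword / regex signatures for live-activity artifacts.
    "url":         re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?"),
    "email":       re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4":        re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "password_kv": re.compile(rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*[^\s&;\x00]{1,64}"),
    "ransom_note": re.compile(rb"(?i)your files (?:have been|are) encrypted"),
}


@dataclass(frozen=True)
class Finding:
    name: str      # signature that fired
    offset: int    # byte offset into the image
    value: bytes   # matched bytes


def is_pe_header(buf: bytes, off: int) -> bool:
    """Validate a bare 'MZ' hit: the DOS header's e_lfanew field (offset 0x3C)
    must point, inside the buffer, at the 'PE\\0\\0' signature. The bounds on
    e_lfanew are a heuristic assumption to reject garbage pointers."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    if not 0x40 <= e_lfanew <= 0x1000:
        return False
    target = off + e_lfanew
    return buf[target:target + 4] == b"PE\x00\x00"


# Second-stage validators for signatures whose raw pattern is too short to
# stand on its own (two bytes of 'MZ' appear by chance in any large image).
VALIDATORS: Dict[str, Callable[[bytes, int], bool]] = {"pe_header": is_pe_header}


def scan_image(buf: bytes) -> List[Finding]:
    """Run every signature over the whole image; return findings sorted by offset."""
    findings: List[Finding] = []
    for name, pattern in SIGNATURES.items():
        validate = VALIDATORS.get(name)
        for m in pattern.finditer(buf):
            if validate is not None and not validate(buf, m.start()):
                continue
            findings.append(Finding(name, m.start(), m.group(0)))
    findings.sort(key=lambda f: (f.offset, f.name))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count hits per signature name."""
    return Counter(f.name for f in findings)


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory dump (not a real capture)."""
    filler = b"\x00" * 32
    # Minimal valid PE header: 'MZ', zero padding, e_lfanew = 0x40 at 0x3C, 'PE\0\0' at 0x40.
    pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 12
    # Decoy: same layout but no 'PE\0\0' where e_lfanew points; must be rejected.
    decoy = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"NOPE" + b"\x00" * 12
    parts = [
        filler, pe, filler,
        b"GET http://intranet.example.test:8080/login?user=alice&password=Sup3rSecret! HTTP/1.1\r\n",
        filler, b"From: alice@example.test\r\n",
        filler, b"\x89PNG\r\n\x1a\n",
        filler, b"peer 10.0.0.25:443 established\x00",
        filler, decoy,
        filler, b"YOUR FILES HAVE BEEN ENCRYPTED. Pay to recover them.\x00",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    image = build_sample_image()
    for f in scan_image(image):
        print(f"{f.offset:08x}  {f.name:<12} {f.value!r}")
    print(dict(summarize(scan_image(image))))
```

The two-stage check on `pe_header` is the part worth copying: a short magic value is only a candidate, and the structure it implies (here, e_lfanew pointing at `PE\0\0`) is what turns a byte match into evidence. The same pattern applies to any other default hex value whose header carries internal pointers or length fields.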




Author information

Corresponding author: Nilay R. Mistry.


Cite this article

Mistry, N.R., Dahiya, M.S. Signature based volatile memory forensics: a detection based approach for analyzing sophisticated cyber attacks. Int. j. inf. tecnol. 11, 583–589 (2019). https://doi.org/10.1007/s41870-018-0263-4
