Abstract
Volatile memory forensics is a live forensic approach that collects real-time, activity-based artifacts which may not be recoverable through post-mortem forensics. Volatile memory forensics techniques inspect RAM to extract information such as passwords, encryption keys, network activity, open files, and the set of processes and threads currently running within an operating system. A volatile memory dump is used for offline investigation of live data. In this research, signature-based artifact identification is performed using keywords and default hex values. Various challenging scenarios are discussed, and evidence signatures are identified using regular expressions. Beyond these scenarios, recent ransomware attacks can also be solved using volatile memory forensic analysis.
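An added example, not code from the paper, of the signature-based scan the abstract describes: hex magic values, keywords and regular expressions run over a raw memory dump, read in chunks so that a multi-gigabyte image and an artifact straddling a chunk boundary are both handled. The signature table, the sample dump and the artifacts embedded in it are constructed for illustration.

```python
import io
import re
from dataclasses import dataclass

# Signature table. The hex entries are well-known file-format magic values; the
# keyword/regex entries are constructed examples of investigator-supplied patterns.
SIGNATURES = {
    "pdf_header":  re.compile(rb"%PDF-\d\.\d"),
    "zip_header":  re.compile(rb"PK\x03\x04"),
    "png_header":  re.compile(rb"\x89PNG\r\n\x1a\n"),
    "email":       re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+\.[A-Za-z.]{2,}"),
    "url":         re.compile(rb"https?://[A-Za-z0-9./?=&_%-]+"),
    "ransom_note": re.compile(rb"(?i)your files (?:have been|are) encrypted"),
}

@dataclass(frozen=True)
class Hit:
    offset: int    # absolute byte offset of the artifact in the dump
    name: str      # which signature fired
    match: bytes   # the matched bytes, capped for readability

def scan_bytes(data, base=0, signatures=SIGNATURES, max_len=64):
    """Run every signature over `data`; offsets are shifted by `base`."""
    return [Hit(base + m.start(), name, m.group(0)[:max_len])
            for name, pat in signatures.items() for m in pat.finditer(data)]

def scan_stream(stream, chunk_size=1 << 20, overlap=256, signatures=SIGNATURES):
    """Scan a dump too large for RAM. Each chunk is prefixed with the tail of the
    previous one so a straddling artifact is seen whole (`overlap` must exceed the
    longest artifact expected); the earlier chunk may still yield a truncated match
    at its end, so hits are deduplicated by (offset, name), keeping the longest."""
    best, tail, base = {}, b"", 0
    while chunk := stream.read(chunk_size):
        window = tail + chunk
        for h in scan_bytes(window, base - len(tail), signatures):
            key = (h.offset, h.name)
            if key not in best or len(h.match) > len(best[key].match):
                best[key] = h
        tail, base = window[-overlap:], base + len(chunk)
    return sorted(best.values(), key=lambda h: (h.offset, h.name))

def build_sample_dump():
    """Constructed stand-in for a RAM image: byte filler with artifacts embedded."""
    filler = bytes(range(256)) * 8
    return (filler + b"mailto:alice@example.com" + filler + b"%PDF-1.7\n"
            + filler + b"GET https://example.com/login?user=x " + filler
            + b"Your files have been encrypted!" + filler)

def scan_sample(chunk_size=1550, overlap=64):
    # 1550-byte chunks put a boundary at offset 6200, in the middle of the URL.
    return scan_stream(io.BytesIO(build_sample_dump()), chunk_size, overlap)
```

Running `scan_sample()` reports the e-mail address, the PDF header, the full URL and the ransom-note keyword with their absolute offsets, and yields the same hits as `scan_bytes(build_sample_dump())` over the whole image.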
Cite this article
Mistry, N.R., Dahiya, M.S. Signature based volatile memory forensics: a detection based approach for analyzing sophisticated cyber attacks. Int. j. inf. tecnol. 11, 583–589 (2019). https://doi.org/10.1007/s41870-018-0263-4