Towards OS-Independent Memory Images Analyzing: Using Paging Structures in Memory Forensics
Is part of
2021 14th International Conference on Security of Information and Networks (SIN), 2021, Vol.1, p.1-8
Place / Publisher
IEEE
Year of publication
2021
Source
IEEE Xplore
Descriptions/Notes
Memory forensics is an approach for inspecting and analyzing memory snapshots or dumps to understand the current state of a physical or virtual machine. Unfortunately, existing memory forensics tools still rely on kernel information of the target operating system (OS) to work properly, which usually depends on the availability of the kernel source code. This dependency prevents these tools from being usable against any closed-source OS. The goal of the research described in this paper is to investigate an OS-independent methodology based on the paging mechanism of x86 and x86_64 CPUs. After completing the algorithm, we implemented it in a tool called MemInspect. MemInspect partially retrieves running process information from memory dumps without using any kernel information. We validated the efficacy of MemInspect under different kernels of Linux, Windows, FreeBSD, and BeOS. For all the OSes tested, MemInspect can successfully retrieve the hidden processes spawned by a rootkit. We also present a detailed case study demonstrating our technique's ability to successfully retrieve the KBeast rootkit's hidden process.