2022 IEEE/ACIS 22nd International Conference on Computer and Information Science (ICIS), 2022, p.162-169
2022

Details

Author(s) / Contributors
Title
MemInspect2: OS-Independent Memory Forensics for IoT Devices in Cybercrime Investigations
Is part of
  • 2022 IEEE/ACIS 22nd International Conference on Computer and Information Science (ICIS), 2022, p.162-169
Place / Publisher
IEEE
Year of publication
2022
Source
IEEE/IET Electronic Library (IEL)
Descriptions/Notes
  • In the age of rapid development of the Internet of Things (IoT) world, more and more cybersecurity incidents have emerged in many IoT devices and systems. Therefore, the need for cybercrime investigation, especially for IoT devices, has become more imperative than ever. Memory forensics, the approach that inspects the memory dump to understand the current state or behavior of the attacked machine, holds an important position in digital forensics and incident response for IoT systems. However, memory forensics encounters various challenges, including virtual address space (VAS) reconstruction and extracting kernel data structures in a given memory image. Most current tools and approaches leverage knowledge of the operating system or propose heuristics to avoid rebuilding the VAS. In this research, we present our novel methodology to reconstruct the VAS for memory images by using the paging mechanism of the Central Processing Unit (CPU), primarily for the ARM architectures (32 and 64 bit), one of the most popular microprocessors in the IoT world. In addition, with the support of the VAS, we extract typical kernel data structures like the process linked list. Finally, we build a MemInspect2 toolset that gathers all algorithms, and we also test the tool on many standard OS kernels like Linux and BSD.
Language
English
Identifiers
DOI: 10.1109/ICIS54925.2022.9882517
Title ID: cdi_ieee_primary_9882517
