Object Scanning of Windows Kernel Driver Based on Pool Tag Quick Scanning

In the memory forensics, the Pool Tag Scanning based on the memory pool tag requires a detailed search of the physical memory when scanning the kernel driver object, which is very inefficient. The object scanning of Windows kernel driver by using the pool tag quick scanning is proposed. The method uses the quick pool tag scanning to reduce the memory range of the scan, and then scan the driver object according to the characteristics of the kernel driver object quickly, to help investigator to determine whether the driver is normal. Experimental results shows that the scanning efficiency for object scanning of kernel driver is improved greatly by using the quick pool tag scanning technology and the time spent in the scanning step is reduced while ensuring the false alarm rate is same.

[1]  Michael I. Cohen,et al.  Characterization of the windows kernel version variability for accurate memory analysis , 2015, Digit. Investig..

[2]  Yoshiyasu Takefuji,et al.  Towards a tamper-resistant kernel rootkit detector , 2007, SAC '07.

[3]  Lan Yu The Digital Investigation and Forensics of Trojan Malware , 2014 .

[4]  Tina Wu,et al.  Towards a SCADA Forensics Architecture , 2013, ICS-CSR.

[5]  Mai Yong-hao Windows RootKit Detection and Forensics , 2012 .

[6]  Michael Cohen,et al.  Anti-forensic resilient memory acquisition , 2013 .

[7]  Golden G. Richard,et al.  Pool tag quick scanning for windows memory analysis , 2016 .

[8]  Dongho Kim,et al.  Dual-Mode Kernel Rootkit Scan and Recovery with Process ID Brute-Force , 2017 .

[9]  Youngsik Kim Performance Comparison of Shadow Techniques for 3D Game Characters Based on Unity 3D , 2017 .

[10]  Tal Garfinkel,et al.  Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation , 2005, USENIX Security Symposium.

[11]  Andreas Schuster,et al.  Pool Allocations as an Information Source in Windows Memory Forensics , 2006, IMF.

[12]  Andreas Schuster,et al.  The impact of Microsoft Windows pool allocation strategies on memory forensics , 2008, Digit. Investig..

[13]  Stefan Vömel,et al.  Acquisition and analysis of compromised firmware using memory forensics , 2015, Digit. Investig..

[14]  Michael Cohen,et al.  Scanning memory with Yara , 2017, Digit. Investig..

[15]  Wonjun Lee,et al.  Hiding Kernel Level Rootkits Using Buffer Overflow and Return Oriented Programming , 2017, ICISS.

[16]  Yu Liu,et al.  A kernel stack protection model against attacks from kernel execution units , 2018, Comput. Secur..