An adaptive approach for Linux memory analysis based on kernel code reconstruction

Memory forensics plays an important role in security and forensic investigations. Hence, numerous studies have investigated Windows memory forensics, and considerable progress has been made. In contrast, research on Linux memory forensics is relatively sparse, and the current state of knowledge does not meet the requirements of forensic investigators. Existing solutions are not especially sophisticated, and their complicated operation and limited coverage are unsatisfactory. This paper describes an adaptive approach for Linux memory analysis that can automatically identify the kernel version and recover symbol information from an image. In particular, given a memory image or a memory snapshot without any additional information, the proposed technique can automatically reconstruct the kernel code, identify the kernel version, recover symbol table files, and extract live system information. Experimental results indicate that our method runs satisfactorily across a wide range of operating system versions.
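The abstract names two of the steps an analyst needs before any Linux structure can be walked: identifying the kernel version from the raw image and obtaining a symbol table for that version. The block below is an added example, not the paper's code: where the paper reconstructs kernel code, this shows the simpler banner-string scan that common memory-forensics tools use as a first pass, plus a parser for a System.map-style symbol table and the kernel-virtual-to-physical translation that lets a recovered symbol address be located in the dump. The sample image, the banner text, and the System.map lines are constructed for the example, and the address translation assumes an x86_64 kernel booted without KASLR (the `0xffffffff80000000` kernel map base and a `phys_base` of 0); with KASLR the offsets must first be recovered from the image itself, which is the problem the paper's code reconstruction addresses.

```python
"""Kernel version identification and symbol lookup from a raw Linux memory image.

Added example, not the paper's method. Two parts:
  1. scan the image for copies of the kernel's linux_banner string and vote
     on the release it names;
  2. parse a System.map-style symbol table and translate a kernel virtual
     address into the physical offset where it would sit in the dump.
"""
import re
from collections import Counter

# The kernel stores a string of the form
#   "Linux version <release> (<builder>) (<compiler>) #<build> ..."
# (linux_banner) in its data and also prints it to the log ring buffer at boot,
# so a dump usually contains more than one copy.  The compiler field contains
# nested parentheses, hence the lazy match terminated by ") #<digits>".
BANNER_RE = re.compile(
    rb"Linux version "
    rb"(?P<release>\d+\.\d+(?:\.\d+)?[0-9A-Za-z._+-]*) "
    rb"\((?P<builder>[^)]*)\) "
    rb"\((?P<compiler>.*?)\) "
    rb"(?P<build>#\d+[^\x00\n]*)"
)


def find_linux_banners(image: bytes) -> list:
    """Return every banner hit with its offset and parsed fields."""
    hits = []
    for m in BANNER_RE.finditer(image):
        hits.append({
            "offset": m.start(),
            "release": m.group("release").decode(),
            "builder": m.group("builder").decode(errors="replace"),
            "compiler": m.group("compiler").decode(errors="replace"),
            "build": m.group("build").decode(errors="replace"),
        })
    return hits


def identify_kernel_version(image: bytes):
    """Majority vote over all banner copies; None when no banner is present.

    Voting guards against a stray banner from a stale log fragment of a
    previously booted kernel that happens to survive in unallocated memory.
    """
    releases = Counter(h["release"] for h in find_linux_banners(image))
    if not releases:
        return None
    return releases.most_common(1)[0][0]


# --- symbol table ---------------------------------------------------------
# System.map lines look like "ffffffff81000000 T _text".  Duplicate names
# (static functions in different files) do occur; the last one wins here.
SYSMAP_LINE = re.compile(r"^([0-9a-fA-F]+) ([A-Za-z?]) (\S+)$")


def parse_system_map(text: str) -> dict:
    """Map symbol name -> (virtual address, type letter)."""
    symbols = {}
    for line in text.splitlines():
        m = SYSMAP_LINE.match(line.strip())
        if m:
            symbols[m.group(3)] = (int(m.group(1), 16), m.group(2))
    return symbols


# Assumption: x86_64, no KASLR.  Kernel text is mapped at __START_KERNEL_map
# with phys_base == 0, so phys = vaddr - __START_KERNEL_map.
START_KERNEL_MAP = 0xFFFFFFFF80000000
PHYS_BASE = 0


def kernel_vaddr_to_phys(vaddr: int) -> int:
    """Translate a kernel-text virtual address to its physical address."""
    if vaddr < START_KERNEL_MAP:
        raise ValueError("not a kernel-map virtual address: %#x" % vaddr)
    return vaddr - START_KERNEL_MAP + PHYS_BASE


# --- constructed sample data ----------------------------------------------
def build_sample_image() -> bytes:
    """Constructed 'memory image': filler bytes with two copies of a banner."""
    banner = (b"Linux version 5.15.0-91-generic (buildd@example-host) "
              b"(gcc (Example 11.4.0-1) 11.4.0, GNU ld (GNU Binutils) 2.38) "
              b"#101-SMP Tue Nov 14 13:30:08 UTC 2023\n\x00")
    filler = bytes(range(256)) * 16
    return filler + banner + filler + banner + filler


SAMPLE_SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff81001000 T start_kernel
ffffffff82010000 D init_task
ffffffff82a00000 B _end
"""


if __name__ == "__main__":
    img = build_sample_image()
    print("kernel release:", identify_kernel_version(img))
    for h in find_linux_banners(img):
        print("banner at offset %#x: %s" % (h["offset"], h["build"]))
    syms = parse_system_map(SAMPLE_SYSTEM_MAP)
    va, kind = syms["init_task"]
    print("init_task %s at %#x -> phys %#x" % (kind, va, kernel_vaddr_to_phys(va)))
```

In practice the release string is what selects the matching System.map (or the paper's recovered symbol file), and the translated physical address of a symbol such as `init_task` is the entry point for walking the process list; on a live capture the physical address still has to be mapped through the dump format's own page layout before it can be read.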
