论文信息 - Digital Forensic Analysis on Runtime Instruction Flow

Digital Forensic Analysis on Runtime Instruction Flow

Computer system’s runtime information is an essential part of the digital evidence. Current digital forensic approaches mainly focus on memory and I/O data, while the runtime instructions from processes are often ignored. We present a novel approach on runtime instruction forensic analysis and have developed a forensic system which collects instruction flow and extracts digital evidence. The system is based on whole-system emulation technique and analysts are allowed to define analysis strategy to improve analysis efficiency and reduce overhead. This forensic approach and system are applicable to binary code analysis, information retrieval and malware forensics.

[1] Carsten Maartmann-Moe,et al. The persistence of memory: Forensic identification and extraction of cryptographic keys , 2009, Digit. Investig..

[2] Eoghan Casey,et al. Malware Forensics: Investigating and Analyzing Malicious Code , 2008 .

[3] Jonathon T. Giffin,et al. Automatic Reverse Engineering of Malware Emulators , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[4] Ralph Howard,et al. Data encryption standard , 1987 .

[5] Wenke Lee,et al. Ether: malware analysis via hardware virtualization extensions , 2008, CCS.

[6] Fabrice Bellard,et al. QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX ATC, FREENIX Track.

[7] Ian Welch,et al. Capture - A behavioral analysis tool for applications and documents , 2007 .

[8] William A. Arbaugh,et al. FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory , 2006, Digit. Investig..

[9] Heng Yin. TEMU: Binary Code Analysis via Whole-System Layered Annotative Execution , 2010 .

[10] Lorenzo Martignoni,et al. Testing CPU emulators , 2009, ISSTA.