Memory forensics: The path forward

Traditionally, digital forensics focused on artifacts located on the storage devices of computer systems, mobile phones, digital cameras, and other electronic devices. In the past decade, however, researchers have created a number of powerful memory forensics tools that expand the scope of digital forensics to include the examination of volatile memory as well. While memory forensic techniques have evolved from simple string searches to deep, structured analysis of application and kernel data structures across a number of platforms and operating systems, much research remains to be done. This paper surveys the state of the art in memory forensics, provides a critical analysis of current-generation techniques, describes important changes in operating system design that affect memory forensics, and sketches important areas for further research.
