Forensic memory analysis: From stack and code to execution history

Forensic memory analysis has recently gained great attention in the cyber forensics community. However, most proposals have focused on extracting important kernel data structures, such as executive objects, from memory. In this paper, we propose a formal approach to analyzing the stack memory of process threads in order to recover a partial execution history of the process. Our approach uses a process logic to model the properties extracted from the stack, and then verifies these properties against models generated from the program's assembly code. The main focus of the paper is Windows thread stack analysis, though the same idea applies to other operating systems.
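The abstract describes checking properties extracted from a thread stack against a model built from the program's code. The following is an added illustration of that idea, not the paper's own method or code: it scans a constructed 32-bit stack dump for candidate return addresses, keeps only those that the code model (a call-site table, which in practice a disassembler would produce from every CALL in the module) says are consistent with the function currently executing, and so recovers a partial call chain while discarding stale return addresses left in the stack. The module layout, addresses, function names and stack contents are all constructed for the example.

```python
"""Recover a partial call history from a thread stack by checking candidate
return addresses against a call-site model of the program code.

Added illustration; every address, name and stack value below is constructed.
"""
import struct

# Hypothetical 32-bit module mapped at 0x401000: function name -> [start, end)
FUNCTIONS = {
    "main":          (0x401000, 0x401080),
    "parse_request": (0x401080, 0x401100),
    "handle_auth":   (0x401100, 0x401180),
}

# Code model: return address -> callee of the CALL instruction that precedes it.
# A real tool would fill this by disassembling the module; these are constructed.
CALL_SITES = {
    0x401032: "parse_request",  # main+0x2d:          call parse_request
    0x40104B: "handle_auth",    # main+0x46:          call handle_auth
    0x4010A5: "handle_auth",    # parse_request+0x20: call handle_auth
}

STACK_BASE = 0x0018FF00  # address of the first dword in the dump (stack top)

# Constructed stack dump, lowest address first. Layout mimics x86 frames:
# locals, saved EBP, return address. 0x40104B is a stale return address from
# an earlier main -> handle_auth call that still sits in parse_request's locals.
STACK = struct.pack(
    "<11I",
    0x00000001,  # handle_auth local
    0x0018FF18,  # saved EBP
    0x004010A5,  # return into parse_request
    0x41414141,  # parse_request local (buffer bytes)
    0x0040104B,  # stale return address from a previous call
    0x00000000,  # parse_request local
    0x0018FF24,  # saved EBP
    0x00401032,  # return into main
    0x00000005,  # main local
    0x0018FF30,  # saved EBP
    0x7C817067,  # return outside the modelled module (ignored)
)


def function_of(addr):
    """Name of the function whose code range contains addr, or None."""
    for name, (start, end) in FUNCTIONS.items():
        if start <= addr < end:
            return name
    return None


def candidate_returns(stack, base):
    """Yield (stack_address, value) for every aligned dword in the dump that
    is a known return site according to CALL_SITES."""
    for off in range(0, len(stack) - 3, 4):
        val = struct.unpack_from("<I", stack, off)[0]
        if val in CALL_SITES:
            yield base + off, val


def reconstruct_chain(stack, base, eip):
    """Walk candidates from the stack top and keep only those consistent with
    the code model: the call site must target the function on top of the chain
    reconstructed so far. Returns (chain, rejected), innermost function first."""
    current = function_of(eip)
    chain = [current]
    rejected = []
    for sp, ret in candidate_returns(stack, base):
        if CALL_SITES[ret] == current:
            current = function_of(ret)
            chain.append(current)
        else:
            rejected.append((sp, ret))
    return chain, rejected


if __name__ == "__main__":
    # Thread's saved EIP points into handle_auth (constructed value).
    chain, rejected = reconstruct_chain(STACK, STACK_BASE, 0x401150)
    print("call chain (innermost first):", " <- ".join(chain))
    for sp, ret in rejected:
        print(f"rejected stale return 0x{ret:08x} at stack 0x{sp:08x}")
```

The check is deliberately not a frame-pointer walk: with frame-pointer omission or a corrupted saved EBP chain, scanning for return sites and validating each against the call-site model still yields a defensible partial history, and the rejected entries record which stack residue was inconsistent with the code.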
