Anti-forensic resilient memory acquisition

Stüttgen, Johannes; Cohen, Michael

doi:10.1016/j.diin.2013.06.012

Cited by 62 publications

(41 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This fact is quite surprising, considering that recent works have indicated quality deficiencies in popular imaging solutions under certain conditions that may severely impede or even prevent thorough artifact examination at a later time (V€ omel and Stüttgen, 2013;Stüttgen and Cohen, 2013).…”

Section: Introductionmentioning

confidence: 87%

“…First, more extensive studies concerning the quality of imaging applications were presented by V€ omel and and Stüttgen and Cohen (2013). We will further elaborate upon these works and assess the performance of common imaging products, specifically when sophisticated malware species are present.…”

Section: Related Workmentioning

confidence: 99%

“…One distinctive disadvantage of software-based imagers is that they may easily fall prey to manipulation (Stüttgen and Cohen, 2013). Moreover, because they run in parallel to other system processes, the state of memory is in a constant state of flux, leading to a drastically reduced level of atomicity of the generated snapshot (V€ omel and Freiling, 2012).…”

Section: Memory Acquisition Processmentioning

confidence: 99%

See 2 more Smart Citations

Acquisition and analysis of compromised firmware using memory forensics

Stüttgen

Vömel

Denzel

2015

Digital Investigation

Self Cite

View full text Add to dashboard Cite

a b s t r a c tTo a great degree, research in memory forensics concentrates on the acquisition and analysis of kernel-and user-space software from physical memory to date. With the system firmware, a much more privileged software layer exists in modern computer systems though that has recently become the target in sophisticated computer attacks more often. Compromise strategies used by high profile rootkits are almost completely invisible to standard forensic procedures and can only be detected with special soft-or hardware mechanisms. In this paper, we illustrate a variety of firmware manipulation techniques and propose methods for identifying firmware-level threats in the course of memory forensic investigations. We have implemented our insights into well-known open-source memory forensic tools and have evaluated our approach within both physical and virtual environments.

show abstract

Section: Introductionmentioning

confidence: 87%

Section: Related Workmentioning

confidence: 99%

Section: Memory Acquisition Processmentioning

confidence: 99%

See 1 more Smart Citation

Acquisition and analysis of compromised firmware using memory forensics

Stüttgen

Vömel

Denzel

2015

Digital Investigation

Self Cite

View full text Add to dashboard Cite

show abstract

“…Subsequently, analysts use plug-and-play devices to duplicate the computer disk data, and then conduct a post hoc analysis of image data. However, with the continuous development of computer hardware, large-capacity memory is widely used; moreover, a variety of encryption and anti-forensic technologies have emerged [9,12], which result in a significant loss of valuable information in the traditional forensics process. Volatile data in a computer memory can contain critical information about a crime, such as the password used to encrypt information, system states in the criminal process, traces of use of anti-forensics tools and related to system-level malicious software or backdoors that are easily overlooked in the analysis of survey data from a hard disk, and other related information.…”

Section: Introductionmentioning

confidence: 99%

Computer forensic analysis model for the reconstruction of chain of evidence of volatile memory data

Wang

et al. 2015

Multimed Tools Appl

View full text Add to dashboard Cite

Digital forensic data from volatile system memory possesses the following distinctive features: volatility, transience, phased stability, complexity, relevance of collected data, and phased behavior predictability. We present a computer forensic analysis model (CERM) for the reconstruction of a chain of evidence of volatile memory data. CERM frees analysts from being confined to the traditional analysis approach of digital forensic data that requires single evidence-oriented analysis. In CERM, they can focus on higher abstract levels involving the relationships of independent pieces of evidence and analyze patterns to construct a chain of evidence from the perspective of Evidence Law. In addition to CERM, we have designed a correlation analysis algorithm based on time series. Experimental tests have been conducted to verify the established model and designed algorithm. The experimental result shows that CERM is feasible and efficient, thus providing a new analysis perspective for digital forensic data from volatile system memory.

show abstract

“…(e.g., [37,51,59,211,243]), or through VMI. In Section 5.4, we evaluate our approach using both LO-PHI and MalT techniques to gather memory snapshots.…”

Section: Memory Snapshotsmentioning

confidence: 99%

Transparent System Introspection in Support of Analyzing Stealthy Malware

Leach

View full text Add to dashboard Cite

The proliferation of malware has increased dramatically and seriously degraded the privacy of users and the integrity of hosts. Millions of unique malware samples appear every year, which has driven the development of a vast array of analysis tools. Malware analysis is often performed with the assistance of virtualization or emulation for rapid deployment.Malware samples are run in an instrumented virtual machine or analysis tool, and existing introspection techniques help an analyst determine its behavior. Unfortunately, a growing body of malware samples has begun employing anti-debugging, anti-virtualization, and antiemulation techniques to escape or otherwise subvert these analysis mechanisms.These anti-analysis techniques often require measuring differences between the analysis environment and the native environment (e.g., executing more slowly in a debugger). We call these measurable differences artifacts. Malware samples that use artifacts to exhibit stealthy behavior have increased the effort required to analyze and understand each stealthy sample. Additionally, traditional automated techniques fail against such samples because they produce measurable artifacts. We desire a transparent approach that produces no artifacts, thereby admitting the analysis of stealthy malware. We refer to this challenge as the debugging transparency problem. Solving this problem is thus concerned with reducing artifacts or permitting reliable analysis in the presence of artifacts.We present a system consisting of two approaches to address the debugging transparency problem and then demonstrate how these components can apply to currently available computer systems. We present two techniques capable of transparently acquiring snapshots of memory and disk activity that can be used to analyze stealthy malware. First, we discuss a novel use of a custom Field-Programmable Gate Array that provides snapshots of memory and disk activity with no measurable timing artifacts. Second, we present a novel use of System Management Mode on x86 platforms that produces no functional artifacts at the expense of producing timing artifacts. Finally, we present an approach to evaluating the i tradeoff space that exists between analysis transparency and the fidelity of introspection data provided by such an analysis system. Together, these approaches form a cohesive solution to the debugging transparency problem that admits analyzing stealthy malware.ii DedicationThe graduate school experience has been a long endurance test. There are several people to whom I owe a tremendous amount of gratitude.

show abstract

Anti-forensic resilient memory acquisition

Cited by 62 publications

References 7 publications

Acquisition and analysis of compromised firmware using memory forensics

Acquisition and analysis of compromised firmware using memory forensics

Computer forensic analysis model for the reconstruction of chain of evidence of volatile memory data

Transparent System Introspection in Support of Analyzing Stealthy Malware

Contact Info

Product

Resources

About