Detection of Metasploit Attacks Using RAM Forensic on Proprietary Operating Systems

Prakoso, Danar Cahyo; Riadi, Imam; Prayudi, Yudi

doi:10.22219/kinetik.v5i2.1037

Cited by 4 publications

(5 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Arfeen et al [6] developed a framework for memory acquisition periodically to analyze process behavior while it is running and reside in memory to help ransomware detection. Prakoso et al [7] examined how Metasploit attacks on Windows 10 can be analyzed using live forensics techniques on the volatile memory. The study used three well-known RAM acquisition tools, namely: FTK Imager, Dumpit, and Magnet RAM Capture.…”

Section: Related Workmentioning

confidence: 99%

“…Similarly, [14] also examined how the combination of Belkasoft RAM Capturer, FTK Imager, and Winhex can be utilized to obtain data for the Line app in Windows 8.1. Prakoso et al [7] identified that FTK Imager, Dumpit, and Magnet RAM Capture, have the same performance in acquiring the targeted artifact of a Metasploit attack in Windows 10 based on their acquisition results comparison.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

The Influence of Virtual Secure Mode (VSM) on Memory Acquisition

Cahyani¹,

Jadied²,

Rahman³

et al. 2022

IJACSA

View full text Add to dashboard Cite

Recently, acquiring the Random Access Memory (RAM) full memory and access data is gaining significant interest in digital forensics. However, a security feature on the Windows operating system -Virtual Secure Mode (VSM) -presents challenges to the acquisition process by causing a system crash known as a Blue Screen of Death (BSoD). The crash is likely to occur when memory acquisition tools are being used. Subsequently, it disrupts the goal of memory acquisition since the system must be restarted, and the RAM content is no longer available. This study analyzes the implications of VSM on memory acquisition tools as well as examines to what extent its impact on the acquisition process. Two memory acquisition tools, namely FTK Imager and Belkasoft RAM Capturer, were used to conduct the acquisition process. Static and dynamic code analyses were performed by using reverse engineering techniques that are disassembler and debugger. The results were compared based on the percentage of unreadable memory between active and inactive VSM. Static analysis showed that there is no difference between all applications' functions for both active and inactive VSM. Further Bugcheck analysis of the MEMORY.DMP is pointed to the ad_driver.sys module in FTK Imager that causes the system to crash. The percentage of unreadable memory while running on active VSM and inactive VSM for Belkasoft is about 0.6% and 0.0021%, respectively. These results are significant as a reference to digital investigators as consistent with the importance of RAM dump in live forensics.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

The Influence of Virtual Secure Mode (VSM) on Memory Acquisition

Cahyani¹,

Jadied²,

Rahman³

et al. 2022

IJACSA

View full text Add to dashboard Cite

show abstract

“…Much of the data is confidential. Therefore, safety is likewise essential [18,19]. This allows you to properly protect your sensitive data and protect it from the various negative effects of cyberattacks.…”

Section: Introductionmentioning

confidence: 99%

Analysis of Anubis Trojan Attack on Android Banking Application Using Mobile Security Labware

Riadi¹,

Sunardi²,

Aprilliansyah³

2023

IJSSE

View full text Add to dashboard Cite

Mobile banking transactions, especially on the Android platform, are now a method often used to carry out payment and shopping activities in e-commerce. Security risks in mobile banking and online banking on the Android platform have security and privacy issues that must be maintained. Kaspersky conducted research on banking Trojans and found 97,661 variants of banking Trojans and 17,372 new variants. Based on this, this investigation was conducted by using mobile security labware to simulate and analyze the Anubis Trojan malware on Android devices. All activities are caused by the Anubis Trojan, which forces users to activate an access service that can read all users' activities and run them in the background. This research can help investigate the types of trojan malware on the Android operating system.

show abstract

“…A lot of information is confidential. Therefore, security is also essential [22] [23]. As a result, sensitive data can be properly maintained and protected from various bad effects of cyber attacks.…”

Section: Introductionmentioning

confidence: 99%

Mobile Device Security Evaluation using Reverse TCP Method

Riadi¹,

Aprilliansyah

Sunardi³

2022

KINETIK

View full text Add to dashboard Cite

Security evaluation on Android devices is critical so that users of the operating system are protected from malware attacks such as remote access trojans that can steal users' credential data. Remote access trojan (RAT) attacks can be anticipated by detecting vulnerabilities in applications and systems. This study simulates a remote access trojan attack by exploiting it until the Attacker gains full access to the victim's device. The episode is carried out with several steps: creating a payload, installing applications to the victim's device, connecting listeners, and performing exploits to retrieve important information on the victim's device. Test material using Android 12, problems occurred when trying to install the application because a harmful warning will appear from Play Protect due to not using the latest version of privacy protection which causes the application to be indicated as malware and the like. On Android 11, the application injected with the backdoor was successfully installed on the device and successfully accessed by the attacker. Attackers also get vital information, including system information, contacts, call logs, messages, and full access to the victim's device system directory. Based on this research, it is expected that Android device users constantly update the Android version on the device they are using.

show abstract

Detection of Metasploit Attacks Using RAM Forensic on Proprietary Operating Systems

Cited by 4 publications

References 17 publications

The Influence of Virtual Secure Mode (VSM) on Memory Acquisition

The Influence of Virtual Secure Mode (VSM) on Memory Acquisition

Analysis of Anubis Trojan Attack on Android Banking Application Using Mobile Security Labware

Mobile Device Security Evaluation using Reverse TCP Method

Contact Info

Product

Resources

About