Pool tag quick scanning for windows memory analysis

Sylve, Joe T.; Marziale, Vico; Richard, Golden G.

doi:10.1016/j.diin.2016.01.005

Cited by 9 publications

(2 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To acquire memory [15], Hargreaves and Chivers proposed a method for recovering the decryption keys from the memory using linear scan [28]. Sylve et al proposed a novel technique for locating kernel object allocations with quick pool tag scanning [17], which has a good performance in the large memory space. Taubmann et al presented TLSkex which can extract the master key of a TLS connection at runtime from the virtual machine's memory.…”

Section: Memory Forensicsmentioning

confidence: 99%

“…Malware such as Qadars [1] and Lurk [2] can steal the banking information from the memory. In the field of memory forensics, much research has been done on memory data analysis and thus produced many practical results [15][16][17][18], such as the open source Volatility Framework [19]. On the other hand, some researches aim at process memory data protection [20,21] but failed to carry 2 Security and Communication Networks out large-scale deployment.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

PMCAP: A Threat Model of Process Memory Data on the Windows Operating System

Pan

Zhuang

2017

Security and Communication Networks

View full text Add to dashboard Cite

Research on endpoint security involves both traditional PC platform and prevalent mobile platform, among which the analysis of software vulnerability and malware is one of the important contents. For researchers, it is necessary to carry out nonstop exploration of the insecure factors in order to better protect the endpoints. Driven by this motivation, we propose a new threat model named Process Memory Captor (PMCAP) on the Windows operating system which threatens the live process volatile memory data. Compared with other threats, PMCAP aims at dynamic data in the process memory and uses a noninvasive approach for data extraction. In this paper we describe and analyze the model and then give a detailed implementation taking four popular web browsers IE, Edge, Chrome, and Firefox as examples. Finally, the model is verified through real experiments and case studies. Compared with existing technologies, PMCAP can extract valuable data at a lower cost; some techniques in the model are also suitable for memory forensics and malware analysis.

show abstract

Section: Memory Forensicsmentioning

confidence: 99%