Yingxin Cheng,Xiao Fu,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1016/j.ins.2016.07.019

IF: 8.1

2016-01-01

Information Sciences

Abstract:The results of memory forensics can not only be used as evidence in court but are also beneficial for analyzing vulnerability and improving security. Thus, memory forensics has been widely used in many fields, including cloud security. Traditional memory forensics, usually an after-the-fact method, is time-consuming and often loses important transient information. Thus, live methods, which investigate memory directly, are presented. However, most of them are kernel based and easy to detect or confuse. Although virtualization technology can overcome these shortages, it must be preinstalled and has high cost. To solve these problems, we propose a lightweight live memory forensic framework based on hardware virtualization. It can build a virtualization environment on-the-fly. The operating system will be migrated to the virtual machine without termination or modifications. Then, the forensic methods can acquire and analyze evidence at the hypervisor level. Two novel forensic methods are proposed to verify the effectiveness of the framework. They focus on acquiring accurate data and system behavior, respectively. The main ideas are guaranteeing data accuracy in multi-view extraction and analyzing memory behavior in a para-synchronous style. Experiments have proved that these methods are able to obtain reliable and integrated evidence at an acceptable cost.

Yong Gang Li,Chao Yuan Cui,Yun Wu,Bing Yu Sun

DOI: https://doi.org/10.12783/dtcse/iceiti2016/6143

2016-01-01

Abstract:Virtualization is increasing rapidly recent years. Virtual machines have become not only attack objects but also criminal tools for computer crimes. Memory forensics technology can collect the evidence of virtual machine crimes effectively. Traditional memory forensics tools are deployed into the host where attackers always try to hide or delete the data generated during attack process. As a result, they can be bypassed or cheated in virtual machines. Besides, to get the complete information traditional tools always expand the forensics scale leading to massive redundant information. For the sake of these problems, we propose a new method of virtual machine memory forensics based on event trigger mechanism named VMMF. The experiment results show that the new method can get the code section, data section, kernel stack content, dynamic-link library file, and execution path of the suspicious process in Linux. It just focuses on the suspicious process content reducing redundant information.

Igor Korkin,Ivan Nesterov

DOI: https://doi.org/10.48550/arXiv.1506.04129

2015-06-13

Abstract:Volatile memory dump and its analysis is an essential part of digital forensics. Among a number of various software and hardware approaches for memory dumping there are authors who point out that some of these approaches are not resilient to various anti-forensic techniques, and others that require a reboot or are highly platform dependent. New resilient tools have certain disadvantages such as low speed or vulnerability to rootkits which directly manipulate kernel structures e.g. page tables. A new memory forensic system - Malware Analysis System for Hidden Knotty Anomalies (MASHKA) is described in this paper. It is resilient to popular anti-forensic techniques. The system can be used for doing a wide range of memory forensics tasks. This paper describes how to apply the system for research and detection of kernel mode rootkits and also presents analysis of the most popular anti-rootkit tools.

Cryptography and Security

陈琳,李之棠,高翠霞

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.11.015

2009-01-01

Computer Science

Abstract:With the development of intrusion and computer crime technologies,dynamic forensics is becoming more and more important.Dynamic forensics based on intrusion detection and honeypot technologies has great advantage in real-time performance,whereas these methods are defective in overcoming the difficulty of evidence and system reliability,and hard to seize the opportunity of investigation.A self-adaptive mechanwasm was proposed which used intrusion detection system as forensics trigger and shadow honeypot was used to verify the suspicious attack,observe and analyze the attack activities further more to gather key evidences.And then the finite state machine model of this mechanism was illuminated and key technologies such as shadow honeypot,state transition opportunity and evidence security storage method were described.The dynamic forensics system with this mechanism can tolerate intrusion in a certain degree and get the investigation process under control.Moreover,the amount of unnecessary evidences can be reduced obviously.

Xianming Zhong,Chengcheng Xiang,Miao Yu,Zhengwei Qi,Haibing Guan

DOI: https://doi.org/10.1007/s10766-013-0285-2

2015-01-01

International Journal of Parallel Programming

Abstract:Digital evidences hold great significance for governing cybercrime. Unfortunately, previous acquisition tools were troubled by either the shortage of suspending the target system's running or the security of the acquisition tools themselves, thus the correctness and accuracy of their obtained evidences cannot be guaranteed. In this paper, we propose VAIL, a novel virtualization based monitoring system for mini-intrusive live forensics, which employs hardware assisted virtualization technique to gather integrated information from the native computer system. Meanwhile, the execution of the target system will not be interrupted and VAIL keeps immune to attacks from the target system. We have implemented a proof-of-concept prototype that has been validated with a Windows guest system. The experimental results show that VAIL can obtain comprehensive digital evidences from the target system as designed, including the CPU state, the physical memory content, and the I/O activities. And on average, VAIL only introduces 4.21 % performance overhead to the target system, which proves that VAIL is practical in real commercial environments.

Chien-Ming Chen,Mu-En Wu,Bing-Zhe He,Xinying Zheng,Chieh Hsing,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-319-06320-1_10

2014-01-01

Abstract:It is easy to discover if there are hooks in the System Service Dispatch Table (SSDT). However, it is difficult to tell whether theses hooks are malicious or not after finding out the hooks in the SSDT. In this paper, we propose a scheme that evaluates the hooks by comparing the returned results before hooking and after hooking. If a malicious hook which hides itself by the way of modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that it will not perturb the normal operation of user-mode programs. Finally, we focus on the existing approaches of rootkits detection in both user-mode and kernel-mode. Our method effectively monitors the behavior of hooks and brings an accurate view point for users to examine their computers.

Chao Su,Xuhua Ding,Qingkai Zeng

DOI: https://doi.org/10.1109/dsn48987.2021.00045

2021-01-01

Abstract:Out-of-VM introspection is an imperative part of security analysis. The legacy methods either modify the system, introducing enormous overhead, or rely heavily on hardware features, which are neither available nor practical in most cloud environments. In this paper, we propose a novel analysis method, named as Catcher, that utilizes CPU cache to perform out-of-VM introspection. Catcher does not make any modifications to the target program and its running environment, nor demands special hardware support. Implemented upon Linux KVM, it natively introspects the target's virtual memory. More importantly, it uses the cache-based side channel to infer the target control flow. To deal with the inherent limitations of the side channel, we propose several heuristics to improve the accuracy and stability of Catcher. Our experiments against various malware armored with packing techniques show that Catcher can recover the control flow in real time with around 67% to 97% accuracy scores. Catcher incurs a negligible overhead to the system and can be launched at anytime to monitor an ongoing attack inside a virtual machine.

Irfan Ahmed,Golden G. Richard,Aleksandar Zoranic,Vassil Roussev

DOI: https://doi.org/10.1007/978-3-319-27659-5_1

2015-01-01

Abstract:With the introduction of kernel integrity checking mechanisms in modern operating systems, such as PatchGuard on Windows OS, malware developers can no longer easily install stealthy hooks in kernel code and well-known data structures. Instead, they must target other areas of the kernel, such as the heap, which stores a large number of function pointers that are potentially prone to malicious exploits. These areas of kernel memory are currently not monitored by kernel integrity checkers.We present a novel approach to monitoring the integrity of Windows kernel pools, based entirely on virtual machine introspection, called HookLocator. Unlike prior efforts to maintain kernel integrity, our implementation runs entirely outside the monitored system, which makes it inherently more difficult to detect and subvert. Our system also scales easily to protect multiple virtualized targets. Unlike other kernel integrity checking mechanisms, HookLocator does not require the source code of the operating system, complex reverse engineering efforts, or the debugging map files. Our empirical analysis of kernel heap behavior shows that integrity monitoring needs to focus only on a small fraction of it to be effective; this allows our prototype to provide effective real-time monitoring of the protected system.

Lin Chen,Zhitang Li,Cuixia Gao,Yingshu Liu

DOI: https://doi.org/10.1109/CIT.2009.108

2009-01-01

Abstract:As an important part of computer forensics, network forensics particularly places emphasis on dynamic network information collection and proactive defense. Most forensics systems based on intrusion detection or honeypot rarely emphasize the availability of actual servers. In addition, few of them discussed the occasion of dynamic forensics particularly. The work presented in this paper is based on an idea to assist dynamic forensics with intrusion tolerance and deception technology to enhance the availability of server system and gather more useful evidences on a proper occasion. A mechanism of dynamic forensics based on intrusion forensics is proposed and is modeled with finite state machine. The workflow is described. A semi Markov process based on the embedded Markov chain of the states transition model is built and described. Finally, the forensics capability and server availability are analysis. According to the numerical analysis result, the security performance and forensics capability of the forensics system are enhanced to a certain degree.

Lin Chen,Zhitang Li,Cuixia Gao,Lan Liu

DOI: https://doi.org/10.1109/ispa.2009.66

2009-01-01

Abstract:With the development of intrusion technologies, dynamic forensics is becoming more and more important. Dynamic forensics using IDS or honeypot are all based on a common hypothesis that the system is still in a reliable working situation and collected evidences are believable even if the system is suffered from intrusion. In fact, the system has already transferred into an insecurity and unreliable state, it is uncertain that whether the intrusion detectors and investigators could run as normal and whether the obtained evidences are credible. Although intrusion tolerance has been applied in many areas of security for years, few researches are referred to network forensics. The work presented in this paper is based on an idea to integrate Intrusion tolerance into dynamic forensics to make the system under control, ensure the reliability of evidences and aim to gather more useful evidences for investigation. A mechanism of dynamic forensics based on intrusion forensics is proposed. This paper introduces the architecture of the model which uses IDS as tolerance and forensics trigger and honeypot as shadow server, the finite state machine model is described to specify the mechanism, and then two cases are analyzed to illuminate the mechanism.

Yuhang Gao,Tianjie Cao

2010-01-01

Abstract:Physical memory is a useful information source in a forensic examination, but the research on memory forensics is still in the early stage. Once the processes are located, computer forensic personnel can acquire the opened files, the network connections via further processing. This paper proposed methods of searching for process descriptors in Linux dump file. Our experiments shows that our methods are able to locate hidden, terminated and even processes before rebooted under some circumstances. An analysis of performance between different methods is made and results show the brute force method find the most while method based on slub allocator is highly efficient. Besides, our experiments shows a process survives from minutes to hours after it is terminated in Linux 2.6.23 and slub allocation obviously has an impact on memory forensics. These methods proposed to searching for processes not only can apply to Linux memory forensics in locating hidden, exiting processes, but also can be of interest to the malware analyzing. Keywords-memory dump file; Linux memory analysis; digital evidences; file extraction

Dongyang Zhan,Huhua Li,Lin Ye,Hongli Zhang,Binxing Fang,Xiaojiang Du

DOI: https://doi.org/10.1109/icc.2019.8761433

2019-05-01

Abstract:Monitoring kernel object modification of virtual machine is widely used by virtual-machine-introspection-based security monitors to protect virtual machines in cloud computing, such as monitoring dentry objects to intercept file operations, etc. However, most of the current virtual machine monitors, such as KVM and Xen, only support page-level monitoring, because the Intel EPT technology can only monitor page privilege. If the out-of-virtual-machine security tools want to monitor some kernel objects, they need to intercept the operation of the whole memory page. Since there are some other objects stored in the monitored pages, the modification of them will also trigger the monitor. Therefore, page-level memory monitor usually introduces overhead to related kernel services of the target virtual machine. In this paper, we propose a low-overhead kernel object monitoring approach to reduce the overhead caused by page-level monitor. The core idea is to migrate the target kernel objects to a protected memory area and then to monitor the corresponding new memory pages. Since the new pages only contain the kernel objects to be monitored, other kernel objects will not trigger our monitor. Therefore, our monitor will not introduce runtime overhead to the related kernel service. The experimental results show that our system can monitor target kernel objects effectively only with very low overhead.

Yongqiang Zhang,Hai Bi

DOI: https://doi.org/10.4028/www.scientific.net/amr.159.424

2010-01-01

Advanced Materials Research

Abstract:HOOK and injection are advanced programming techniques. The common windows injection and HOOK techniques are introduced and analyzed in this paper. (1) By using hooks; (2) By using registration table;（3）By Trojan Horse DLL; (4) By PE import table; (5) By using remote thread. Proposed a method of non-DLL and gives a machine code-level implementations of the technology. Finally the paper lists the key technology and gives the main code.

X. Fu,X. Du,B. Luo

DOI: https://doi.org/10.1002/sec.1337

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Memory forensics is an important technique for protecting network security and fighting against computer crimes. It has developed greatly in the past decade, because memory can provide more reliable information that other evidence sources do not contain. However, nowadays, when investigating network criminal cases, the Gigabyte GB and even Terabyte TB level memory and many such dumps have made memory analysis a difficult task. And investigators usually have to deal with complex operating system OS data structures, which they have little knowledge of. So how to analyze memory evidence automatically so as to find the hidden criminal behavior and reconstruct the scenario in an understandable way has become an important problem. This paper presents an automatic memory analysis methodology based on data correlation. Through analyzing key OS data structures and utilizing a clustering algorithm, this methodology can discover the relationships among processes, files, users, Dynamic-link library DLLs, and network connections. By describing these relationships as correlation graphs, our methods can reorganize these independent memory evidences and disclose their meanings in a high semantic level. Experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios. And as we know, now, little work is in this field. Copyright © 2015 John Wiley & Sons, Ltd.

guofeng wang,chuanyi liu,jie lin

DOI: https://doi.org/10.1007/978-3-662-43908-1_4

2014-01-01

Abstract:Modern malware attacks are designed intricately, transport data encrypted, so monitoring network traffic can't solve such attacks completely. Therefore, network monitoring and analysis need to be combined with system behavior monitoring and memory analysis, and the latter is more important. In this article we propose a hardware-based virtualization prototype system, combined with memory analysis tools to monitor and counterwork malicious attacks actively. The system is based on Xen virtualization platform, which monitoring virtual machine behavior by capturing specific events. The events are triggered by some specific behaviors associated with malicious software monitoring, such as executing privileged instruction, system calls, memory writing, etc. When necessary, we can dump the memory of the virtual machine, use memory analysis tools for detailed analysis, so as to achieve the purpose of monitoring and counterworking.

Qilong Zhang,Yun Wu,Chaoyuan Cui

DOI: https://doi.org/10.1145/3199478.3199497

2018-01-01

Abstract:In most profiles, while memory forensics analysis has been used to detect and defend attacks successfully, there are still many attacks that we can't discover in time. Therefore, the live tracking of process memory has been an important research subject for a long time. For this reason, we propose a new method of tracking process memory called MRB-PTE (Marking Reserved Bit of Page Table Entry). It sets one of reserved bits of target process memory page table PTE to capture memory behavior of the target process, which enables us to track target process memory, and it's featured with real time, lightweight overhead and flexibility. The experiment shows that, the MRB-PTE can not only dynamically reflect the memory behavior of the target process, but also the performance overhead to target process is very small. When the amount of process memory page is 10, the performance overhead is the smallest, only 7.9% with consuming less system resources. Traditional memory forensics tools with MRB-PTE could improve the sensitivity of detecting attacks.

RUAN Wen-bo,ZHANG Chang-he,LIU Sheng-li

DOI: https://doi.org/10.3969/j.issn.1671-0673.2007.02.024

2007-01-01

Abstract:RootKit is a set of powerful tools used by hackers to gain the access to the computers and make itself undetectable.This paper introduces a technique named kernel object inline hooking,which extends existing technique of code redirection,hides tracks through inline hooking of kernel object's dispatch routines.Existing detecting methodology of rootkit is difficult to detect this kind of new rootkit.So this paper illustrates a branch instruction analysis based dynamic detecting methodology of rootkit.This methodology could find running rootkit programs dynamically in the system,and point out the loading images of these rootkits.

Zhengwei Qi,Chengcheng Xiang,Ruhui Ma,Jian Li,Haibing Guan,David S. L. Wei

DOI: https://doi.org/10.1109/tcc.2016.2535295

IF: 5.697

2017-01-01

IEEE Transactions on Cloud Computing

Abstract:Live forensics is an important technique in cloud security but is facing the challenge of reliability. Most of the live forensic tools in cloud computing run either in the target Operating System (OS), or as an extra hypervisor. The tools in the target OS are not reliable, since they might be deceived by the compromised OS. Furthermore, traditional general purpose hypervisors are vulnerable due to their huge code size. However, some modules of a general purpose hypervisor, such as device drivers, are indeed unnecessary for forensics. In this paper, we propose a special purpose hypervisor, called ForenVisor, which is dedicated to reliable live forensics. The reliability is improved in three ways: reducing Trusted Computing Base (TCB) size by leveraging a lightweight architecture, collecting evidence directly from the hardware, and protecting the evidence and other sensitive files with Filesafe module. We have implemented a proof-of-concept prototype on the Windows platform, which can acquire the process data, raw memory, and I/O data, such as keystrokes and network traffic. Furthermore, we evaluate ForenVisor in terms of code size, functionality, and performance. The experiment results show that ForenVisor has a relatively small TCB size of about 13 KLOC, and only causes less than 10 percent performance reduction to the target system. In particular, our experiments verify that ForenVisor can guarantee that the protected files remain untampered, even when the guest OS is compromised by viruses, such as ‘ILOVEYOU’ and Worm.WhBoy. Also, our system can be loaded as a hypervisor without needing to pause the target OS. This allows it to not only avoid destructing but also to gather the live evidence of the target OS. We also posted the source code of ForenVisor on Github.

Yiheng Duan,Xiao Fu,Bin Luo,Ziqi Wang,Jin Shi,Xiaojiang (James) Du

DOI: https://doi.org/10.1109/icc.2015.7249229

2015-01-01

Abstract:Current memory forensic methods mainly focus on evidence collection and data recovery. A little work is about how to automatically identify malwares from many unknown processes and analyze their behaviors in high semantic level so as to collect related evidences. In fact, in real cases, investigators are often faced with large number of processes that they have no knowledge of. Although current malware detection tools could provide some help, they usually can't illustrate the purposes, abilities and behavior details of malwares and are thus often not fit for the forensic requirements. In this paper, we present a framework named Detective to cope with these issues. Given a set of unknown processes, Detective can classify benign and malware processes automatically. This is implemented by HNB classifying algorithm and a Dynamic-Link Libraries-based model. Detective could then explain malware behaviors in high semantic level through clustering and frequent item sets mining techniques. Besides, Detective sheds light on evidence collection by the information obtained from previous steps. Detective is applicable for both online and offline forensic scenarios. Experiments on real-world malware set have proved that the accuracy of Detective is above 90% and the time cost is only several seconds.

QIAN Qin,DONG Bu-yun,TANG Zhe,FU Xiao,MAO Bing

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.08.058

2014-01-01

Abstract:Traditional methods of memory acquisition focus on the persistent data of disk or hard disk in the attacked computers. However,as the growing use of encryption routines or rapidly increasing storage capabilities of hard drives,it is very difficult to get data in time with the original method that is meant for persistent data. So in the field of computer forensics,people start to change the data source and focus on the volatile information in RAM. This paper specifically describes the prevailing methods of memory acquisition and analysis and the process of memory forensics. It explains the characteristics of each method and gives the advantage and disadvantage of them. In the end,it concludes all these methods and gives some suggestions of the future of computer forensics.