SHANG Shi-ze,KONG Xiang-wei,YOU Xin-gang

DOI: https://doi.org/10.3969/j.issn.1671-1122.2015.04.011

2015-01-01

Abstract:The examination of forged and altered document is an important part in judicial expertise. The traditional examination methods need professional testers and devices, the disadvantages include high cost, long testing time, damage on the documents, etc. In recent years, the digital passive lossless forensics on forged and altered document has been developed which only uses scanner and computer. In this paper, we first introduce the life-cycle of document and its forging and altering methods. Then, we summarize the passive lossless forensics on forged and altered document, and describe the technologies on device identiifcation, copy paper identiifcation and authenticity detection, respectively. We give a detailed description on the characteristics introduced by devices and altering methods, and their forensics methods. Finally, we describe the questions and challenges on digital passive lossless forensics on documents.

X. Fu,X. Du,B. Luo

DOI: https://doi.org/10.1002/sec.1337

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Memory forensics is an important technique for protecting network security and fighting against computer crimes. It has developed greatly in the past decade, because memory can provide more reliable information that other evidence sources do not contain. However, nowadays, when investigating network criminal cases, the Gigabyte GB and even Terabyte TB level memory and many such dumps have made memory analysis a difficult task. And investigators usually have to deal with complex operating system OS data structures, which they have little knowledge of. So how to analyze memory evidence automatically so as to find the hidden criminal behavior and reconstruct the scenario in an understandable way has become an important problem. This paper presents an automatic memory analysis methodology based on data correlation. Through analyzing key OS data structures and utilizing a clustering algorithm, this methodology can discover the relationships among processes, files, users, Dynamic-link library DLLs, and network connections. By describing these relationships as correlation graphs, our methods can reorganize these independent memory evidences and disclose their meanings in a high semantic level. Experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios. And as we know, now, little work is in this field. Copyright © 2015 John Wiley & Sons, Ltd.

Arash Habibi Lashkari,Ali A. Ghorbani,Mahdi Daghmehchi Firoozjaei

DOI: https://doi.org/10.1080/23742917.2022.2100036

2022-07-28

Journal of Cyber Security Technology

Abstract:As part of the incident response process, the memory forensics tools extract forensic artifacts and display them. Many memory forensics analysis tools are being developed to address the challenges of modern cybercrimes. Investigations are successful when they have an accurate analysis provided by a memory forensics tool that consumes resources reasonably. This paper presents a comparative analysis of three dominant memory forensics tools: Volatility, Autopsy, and Redline. We consider three malware behaviour scenarios and evaluate the forensics capabilities of these tools in each. We also experimentally measure the CPU and memory consumption of each for memory analysis in other operational states. We find that Volatility provides the most accurate memory analysis. Our measurements show that Redline consumes more CPU resources, and Autopsy needs more memory resources to analyze a memory image file. The results of our investigation will hopefully lead to tool improvement and more informed choices by users.

Yingxin Cheng,Xiao Fu,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1016/j.ins.2016.07.019

IF: 8.1

2016-01-01

Information Sciences

Abstract:The results of memory forensics can not only be used as evidence in court but are also beneficial for analyzing vulnerability and improving security. Thus, memory forensics has been widely used in many fields, including cloud security. Traditional memory forensics, usually an after-the-fact method, is time-consuming and often loses important transient information. Thus, live methods, which investigate memory directly, are presented. However, most of them are kernel based and easy to detect or confuse. Although virtualization technology can overcome these shortages, it must be preinstalled and has high cost. To solve these problems, we propose a lightweight live memory forensic framework based on hardware virtualization. It can build a virtualization environment on-the-fly. The operating system will be migrated to the virtual machine without termination or modifications. Then, the forensic methods can acquire and analyze evidence at the hypervisor level. Two novel forensic methods are proposed to verify the effectiveness of the framework. They focus on acquiring accurate data and system behavior, respectively. The main ideas are guaranteeing data accuracy in multi-view extraction and analyzing memory behavior in a para-synchronous style. Experiments have proved that these methods are able to obtain reliable and integrated evidence at an acceptable cost.

Xiao Fu,Xiaojiang Du,Bin Luo,Jin Shi,Zhitao Guan,Yuhua Wang

DOI: https://doi.org/10.1109/infcomw.2015.7179370

2015-01-01

Abstract:Nowadays in order to process and store many kinds of multimedia data, the storage capability of memory has grown greatly. Moreover the widespread use of mobile devices and cloud computing has made criminal investigators often face a lot of memory dumps. They have to deal with a large quantity of memory data and complex OS data structures which they have little knowledge of. How to analyze memory evidence automatically in order to find hidden criminal behavior and reconstruct the criminal scenario in an understandable way has become an important problem. Current memory analysis methods usually aim at recovering certain data structures. The illegal behavior identification and the event reconstruction are still completed manually by investigators. This paper presents a novel method to correlate processes for automatic memory evidence analysis. Through analyzing key OS data structures and utilizing a clustering algorithm, it can discover the relationships among processes. And by describing these relationships as correlation graphs, our method can display evidence in a high semantic level. Some experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios.

Hannah Nyholm,Kristine Monteith,Seth Lyles,Micaela Gallegos,Mark DeSantis,John Donaldson,Claire Taylor

DOI: https://doi.org/10.3390/jcp2030028

2022-07-20

Journal of Cybersecurity and Privacy

Abstract:The collection and analysis of volatile memory is a vibrant area of research in the cybersecurity community. The ever-evolving and growing threat landscape is trending towards fileless malware, which avoids traditional detection but can be found by examining a system’s random access memory (RAM). Additionally, volatile memory analysis offers great insight into other malicious vectors. It contains fragments of encrypted files’ contents, as well as lists of running processes, imported modules, and network connections, all of which are difficult or impossible to extract from the file system. For these compelling reasons, recent research efforts have focused on the collection of memory snapshots and methods to analyze them for the presence of malware. However, to the best of our knowledge, no current reviews or surveys exist that systematize the research on both memory acquisition and analysis. We fill that gap with this novel survey by exploring the state-of-the-art tools and techniques for volatile memory acquisition and analysis for malware identification. For memory acquisition methods, we explore the trade-offs many techniques make between snapshot quality, performance overhead, and security. For memory analysis, we examined the traditional forensic methods used, including signature-based methods, dynamic methods performed in a sandbox environment, as well as machine learning-based approaches. We summarize the currently available tools, and suggest areas for more research.

computer science, information systems, interdisciplinary applications, software engineering

Dr. Oghene Augustine Onome,

DOI: https://doi.org/10.35940/ijese.g2552.0611723

2023-06-30

International Journal of Emerging Science and Engineering

Abstract:The field of computer forensics emerged in response to the substantial increase in computer-related crimes occurring annually. This rise in criminal activity can be attributed to the rapid expansion of the internet, which has provided perpetrators with increased opportunities for illicit actions. When a computer system is compromised and an intrusion is detected, it becomes crucial for a specialized forensics team to investigate the incident with the objective of identifying and tracing the responsible party. The outcome of such forensic efforts often leads to legal action being taken against those accountable for the wrongdoing. The methodology employed in computer forensics continually evolves alongside advancements in crime approaches, particularly as attackers leverage emerging technologies. To ensure the accuracy of forensic investigations, it is imperative that the scientific knowledge underlying the forensic process be complemented by the integration of technological tools. A plethora of hardware and software options are available to facilitate the analysis and interpretation of forensic data, thereby enhancing the efficiency and effectiveness of investigations. While the fundamental objectives of computer forensics primarily involve the seamless preservation, identification, extraction, documentation, and analysis of data, the widespread adoption of this discipline is contingent upon the law enforcement community's ability to keep pace with advancements in computing technology. Furthermore, the prevalence of diverse computer devices resulting from the emergence of microcomputer technology also plays a crucial role in shaping the field of computer forensics. This research paper aims to provide a comprehensive overview of computer forensics, encompassing advanced methodologies and detailing various technology tools that facilitate the forensic process. Specific areas of focus include the analysis of encrypted drives, disk analysis techniques, analysis toolkits, investigations involving volatile memory, and the examination of captured network packets. By exploring these aspects, this paper aims to contribute to the existing body of knowledge in the field of computer forensics and support practitioners in their pursuit of effective investigative techniques.

JI Yu-chen,FU Xiao,SHI Jin,LUO Bin,ZHAO Zhi-hong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.01.068

2014-01-01

Abstract:According to characteristics of computer intrusion forensic evidence, such as easy revise, easy loss, numerous sources, multifarious content, this paper discusses the current developing states about intrusion event reconstruction, analyzes intrusion event reconstruction source from the system layer object/event and the operate system layer object/event, and introduces the main intrusion event reconstruction tools. It reviews the existing methods for intrusion event reconstruction, including log analysis based on timestamp, semantic integrity checking, tracking technologies based on operate system layer object, event reconstruction models based on finite state machine and so on, evaluates their performance in terms of several metrics, such as reconstruction efficiency, false positives rate, credibility of evidence, authenticity of evidence, reconstruction environment, and summarizes the pros and cons of each method. Some important future research directions in the field of intrusion event reconstruction of computer intrusion forensic are discussed.

Jenny Ottmann,Frank Breitinger,Felix Freiling

DOI: https://doi.org/10.1145/3628600

IF: 2.717

2023-10-20

ACM Transactions on Privacy and Security

Abstract:Memory forensics is concerned with the acquisition and analysis of copies of volatile memory (memory dumps). Based on an empirical assessment of observable inconsistencies in 360 memory dumps of a running Linux system, we confirm a state of overwhelming inconsistency in memory forensics: Almost a third of these dumps had an empty process list and was therefore obviously incomplete. Out of those dumps that were analyzable, almost every second dump showed some form of inconsistency that potentially impacts the interpretation of the dump in a forensic investigation. These results are based on a new way to estimate the level of causal consistency of a memory dump. The factors influencing these inconsistencies are less clear but in general correlate with the level of concurrency (system load and number of threads).

computer science, information systems

Asad Arfeen,Muhammad Asim Khan,Obad Zafar,Usama Ahsan

DOI: https://doi.org/10.1002/cpe.6672

2021-10-11

Concurrency and Computation: Practice and Experience

Abstract:Ransomware is an emerging category of malware that locks computer data via powerful cryptographic algorithms. The global propagation of ransomware is a serious threat for individuals and organizations. The banking sector and financial institutions are the prime targets of such ransomware attacks. In case of such an attack, the field of digital forensics helps in estimation of the severity and data loss caused by the attack. Traditional digital forensics investigations make use of static or behavioral analysis to detect malware in infected systems. However, these procedures are challenged by malware obfuscation techniques. Malicious processes can stay inactive and undetected if only a single memory dump is analyzed. Thus, there is a need to collect numerous memory dumps of an individual program that can help with comprehensive and accurate analysis. In this article, we have developed a framework for volatile memory acquisition at regular time intervals to analyze the behavior of individual processes in memory. Through memory forensics, salient features are extracted from the infected memory dumps. These features can be utilized to classify malicious and benign processes efficiently through machine learning as compared to conventional techniques.

Nishchal Soni

DOI: https://doi.org/10.1016/j.fsidi.2024.301745

IF: 1.805

2024-03-17

Forensic Science International Digital Investigation

Abstract:Highlights • The study rigorously examines the impact of document format, size, and storage media on the recoverability of digital artifacts in memory forensics, offering fresh insights into forensic computing challenges. • Expanding research to include more operating systems and document formats could significantly enhance the study's applicability and generalizability across diverse technological environments. • Incorporating an analysis of the effects of cloud storage technologies and encryption on artifact recovery would address critical contemporary challenges in digital forensics. • Detailed documentation of forensic tools and methodologies used, alongside a comprehensive discussion of the study's limitations and potential biases, would improve reproducibility and practical relevance for forensic practitioners.

computer science, information systems, interdisciplinary applications

genxian liu,xi zhang,dongsheng wang,zhenyu liu,haixia wang

DOI: https://doi.org/10.1007/978-3-662-43908-1_1

2014-01-01

Abstract:Security is a crucial element of information systems. Extensive research for cryptographic algorithms that provide the sound theoretical basis of security. Among them security and integrity of memory has been a longstanding issue in trusted system design. Main memory is a critical component of all computing systems. Most of those systems are vulnerable to memory attacks, in which an attacker gains physical accesses to the unattended hardware, obtains the decryption keys from memory. We propose a method for protecting memory systems against attacks with hardware authentication and full memory encryption. The method is secure against all known type of memory attack. We have tested the method with software simulator and Field Programmable Gate Array (FPGA) platform. The results show that the method can authenticate and encrypt the contents of DRAM with 2.5 % performance penalties.

QIAN Qin,ZHANG Jian,ZHANG Kun,FU Xiao,MAO Bing

2014-01-01

Computer Science

Abstract:For the past few years,the amount of computer crime has been increasing year by year,and it is threatening various aspects of human society such as national politics,economy,and culture,etc.In modern society,the research on intrusion forensics and intrusion detection plays a significant role for fighting against computer crime,tracing intrusion,patching vulnerability and improving security system of computer network.However,with the popularity of Internet and the improving capacity of computers' storage,we often need to handle mass data about GB size,even up to TB size for intrusion forensics and intrusion detection.It inevitably makes much useful information submerge in redundant events,which brings about a huge challenge and low accuracy of analysis result.So it will be a topmost breakthrough to design a kind of technology for reducing redundant data and improving its accuracy and efficiency.This paper summarized several methods on intrusion forensics and intrusion detection.Firstly,this paper discoursed the development course of redundancy-reducing techniques and the application in traditional field such as medical domain.Then it systematically introduced all kinds of redundancy-reducing methods in intrusion forensics and intrusion detection.Finally,it figured out the existing problems and research direction in the future.It also gave some conclusions through the comparison on current situation of redundant data reducing techniques.

Yuzhe Chen,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/globecom42002.2020.9348005

2020-01-01

Abstract:With the development of cloud computing and wireless networks, cloud storage services are widely used in daily life. People can get access to cloud storage anytime and anywhere. Cloud storage forensics is a computer forensic scenario that currently appears frequently. In this paper, we first briefly introduce the general methods of traditional cloud storage forensics and then introduce forensic investigations that are conducted on three cloud storage services: BaiduNetDisk, 115yun, and WeiYun. The findings of the forensic analysis are presented in detail to help the development of forensics for cloud storage services.

Rob Witteman,Arjen Meijer,M-T. Kechadi,Nhien-An Le-Khac

DOI: https://doi.org/10.48550/arXiv.1609.02953

2016-09-09

Cryptography and Security

Abstract:Today, a mobile phone is not just a phone but it is a computer that you can also use for calling someone. Besides, in criminal investigations the importance of evidence from the mobile phone is increasing as more and more phones are seized at the Digital Forensic Department of the police. Indeed, the amount of memory cards of these mobile phones that need to be investigated separately is also increasing. Possible reasons are that the mobile phone investigation software does not support the specific mobile phone or the specific, for that investigation, artefacts. Sometimes the software investigates just the internal memory of the mobile phone and not the data which is written on the memory card. Fact is also that although the mobile phone was investigated by the dedicated software, the possibility that the associated memory card contains additional important information is evident. The current procedure to get all of the usable information from a memory card of a mobile phone is very time-consuming process and not user friendly. In this paper, we present a new single tool to simplify the investigation of a memory card from a mobile phone. We also test our tool with WhatsApp application installed on the memory card from different mobile phones.

Karamitsos Ioannis,Afzulpurkar Aishwarya,B. Trafalis Theodore,Ioannis Karamitsos,Aishwarya Afzulpurkar,Theodore B. Trafalis

DOI: https://doi.org/10.4236/jis.2020.112007

2020-01-01

Journal of Information Security

Abstract:Memory forensics is a young but fast-growing area of research and a promising one for the field of computer forensics. The learned model is proposed to reside in an isolated core with strict communication restrictions to achieve incorruptibility as well as efficiency, therefore providing a probabilistic memory-level view of the system that is consistent with the user-level view. The lower level memory blocks are constructed using primary block sequences of varying sizes that are fed as input into Long-Short Term Memory (LSTM) models. Four configurations of the LSTM model are explored by adding bi- directionality as well as attention. Assembly level data from 50 Windows portable executable (PE) files are extracted, and basic blocks are constructed using the IDA Disassembler toolkit. The results show that longer primary block sequences result in richer LSTM hidden layer representations. The hidden states are fed as features into Max pooling layers or Attention layers, depending on the configuration being tested, and the final classification is performed using Logistic Regression with a single hidden layer. The bidirectional LSTM with Attention proved to be the best model, used on basic block sequences of size 29. The differences between the model’s ROC curves indicate a strong reliance on the lower level, instructional features, as opposed to metadata or string features.

Cheng Shen,Jun Huang,Guangyu Sun,Jingshu Chen

DOI: https://doi.org/10.1145/3550295

2022-01-01

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Abstract:This paper presents MemScope, a system that fingerprints devices via electromagnetic sensing of their memory heartbeats, i.e., the clock signal that synchronizes memory and memory controller. MemScope leverages the enhanced resolution and security of memory heartbeat fingerprint, which has enriched spectral features thanks to the spread spectrum generation of memory clock, and cannot be concealed as long as the device accesses its memory during computing. MemScope employs signal processing algorithms that allow it to hear the memory heartbeats of devices from a distance, in the presence of noise, and in crowded environments where multiple devices coexist. It then fingerprints memory heartbeats using machine learning tools. Measurements on a set of 65 devices over a month validate the robustness of fingerprint against time variation, and show a high precision and recall. We then use the neural network to build a detector to defend against possible replay attacks. Finally, we further demonstrate the effectiveness of MemScope in two application scenarios, (i) detecting wireless identity spoofing and (ii) identifying and localizing unauthorized hidden cameras.

Janardhan Kalikiri,Gaurav Varshney,Jaswinder Kour,Tarandeep Singh

2024-06-13

Abstract:In recent years, insider threats and attacks have been increasing in terms of frequency and cost to the corporate business. The utilization of end-to-end encrypted instant messaging applications (WhatsApp, Telegram, VPN) by malicious insiders raised data breach incidents exponentially. The Securities and Exchange Board of India (SEBI) investigated reports on such data leak incidents and reported about twelve companies where earnings data and financial information were leaked using WhatsApp messages. Recent surveys indicate that 60% of data breaches are primarily caused by malicious insider threats. Especially, in the case of the defense environment, information leaks by insiders will jeopardize the countrys national security. Sniffing of network and host-based activities will not work in an insider threat detection environment due to end-to-end encryption. Memory forensics allows access to the messages sent or received over an end-to-end encrypted environment but with a total compromise of the users privacy. In this research, we present a novel solution to detect data leakages by insiders in an organization. Our approach captures the RAM of the insiders device and analyses it for sensitive information leaks from a host system while maintaining the users privacy. Sensitive data leaks are identified with context using a deep learning model. The feasibility and effectiveness of the proposed idea have been demonstrated with the help of a military use case. The proposed architecture can however be used across various use cases with minor modifications.

Cryptography and Security

Yingxin Cheng,Xiao Fu,Bin Luo,Rui Yang,Hao Ruan

DOI: https://doi.org/10.1007/978-3-319-13257-0_15

2014-01-01

Abstract:In intrusion forensics, it is difficult to find the evidences about who placed the hooks and how these hooks were placed simply by analyzing the memory dump. That’s because such behavior is transient and the snapshot of memory usually doesn’t contain enough information about it. Lack of this information will cause an uncompleted chain of evidence. Although dynamic analysis can trace this behavior by instruction-level analysis, this technique is slow and inconvenient in real forensic cases. And many investigated systems do not run in the virtualization environment that dynamic analysis needed.

GENG Haiyan,QIAN Dong

2007-01-01

Abstract:Memory source monitoring has been one of hot topics in memory research in the recent years.The authors review several important issues in this field,including the theoretical framework of memory source monitoring,its implication in studies of eyewitnesses and schizophrenia patients,as well as its neurological mechanism.Further investigations over this issue will provide important experimental evidence for clarifying the nature of memory and the mechanisms of false memory.