Abstract
Physical memory acquisition is a prerequisite when performing memory forensics, referring to a set of techniques for acquiring and analyzing traces associated with user activity information, malware analysis, cyber incident response, and similar areas when the traces remain in the physical RAM. However, certain types of malware have applied anti-memory forensics techniques to evade memory analysis strategies or to make the acquisition process impossible. To disturb the acquisition process of physical memory, an attacker hooks the kernel API, which returns a map of the physical memory spaces, and modifies the return value of the API, specifically that typically used by memory acquisition tools. Moreover, an attacker modifies the kernel object referenced by the kernel API. This causes the system to crash during the memory acquisition process or causes the memory acquisition tools to incorrectly proceed with the acquisition. Even with a modification of one byte, called a one-byte modification attack, some tools fail to acquire memory. Therefore, specialized countermeasure techniques are needed for these anti-memory forensics techniques. In this paper, we propose a memory layout acquisition method which is robust to kernel API hooking and the one-byte modification attack on NumberOfRuns, the kernel object used to construct the memory layout in Windows. The proposed acquisition method directly accesses the memory, extracts the byte array, and parses it in the form of a memory layout. When we access the memory, we extract the _PHYSICAL_MEMORY_DESCRIPTOR structure, which is the basis of the memory layout without using the existing memory layout acquisition API. Furthermore, we propose a verification method that selects a reliable memory layout. We realize the verification method by comparing NumberOfRuns and the memory layout acquired via the kernel API, the registry, and the proposed method. The proposed verification method guarantees the reliability of the memory layout and helps secure memory image acquisition through a comparative verification with existing memory layout acquisition methods. We also conduct experiments to prove that the proposed method is resistant to anti-memory forensics techniques, confirming that there are no significant differences in time compared to the existing tools.
Highlights
It was installed in Rekall, a memory forensics tool, but it has been converted into a separate project maintained by Velocidex [14,15]
Each test was performed 10 times, and break on access (BA) was set at the NumberOfRuns position to check if the memory acquisition tool accesses the NumberOfRuns value of
We proposed a memory layout acquisition and verification method to enable reliable memory acquisition based on a secure memory layout
Summary
Traditional forensics focuses on data in the storage media of computers, cell phones, cameras and other devices, but in recent years, the scope of digital forensics has expanded to include data extracted from volatile memory [1]. Memory can contain decrypted data such as passwords, running processes themselves, and recently used commands [2,3]. Based on the remaining data, encrypted data in the file system can be decrypted or additional user activity records can be stored. Memory forensics refers to techniques that acquire and analyze data that can only be verified in an active state. Memory forensics is effective when used to analyze malicious code such as rootkits, as this strategy can verify the traces of the process
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
