Abstract

Images of main memory are an increasingly important piece of evidence in cybercrime investigations, especially against advanced malware threats, and software tools that dump memory during normal system operation are the most common way to acquire memory images today. Of all proposed methods, Stüttgen and Cohen's robust memory acquisition (as implemented in the pmem tool) can be considered the most advanced technique today. This paper presents Styx, a proof-of-concept system that perfectly covers its traces against pmem and other tools that perform software-based forensic memory acquisition. Styx is implemented as a loadable kernel module and is able to subvert running 64-bit Linux systems using Intel's VT-x hardware virtualization extension, without requiring the system to reboot. It further uses the second-level address translation provided by Intel's EPT to hide behind hidden memory. While exhibiting the limitations of robust memory acquisition, it also shows the potential of undetectable forensic analysis software.
