Pre-processing memory dumps to improve similarity score of Windows modules. Issue 101 (February 2021)
- Record Type:
- Journal Article
- Title:
- Pre-processing memory dumps to improve similarity score of Windows modules. Issue 101 (February 2021)
- Main Title:
- Pre-processing memory dumps to improve similarity score of Windows modules
- Authors:
- Martín-Pérez, Miguel
Rodríguez, Ricardo J.
Balzarotti, Davide - Abstract:
- Abstract: Memory forensics is useful to provide a fast triage on running processes at the time of memory acquisition in order to avoid unnecessary forensic analysis. However, due to the effects of the execution of the process itself, traditional cryptographic hashes, normally used in disk forensics to identify files, are unsuitable in memory forensics. Similarity digest algorithms allow an analyst to compute a similarity score of inputs that can be slightly different. In this paper, we focus on the issues caused by relocation of Windows processes and system libraries when computing similarities between them. To overcome these issues, we introduce two methods (Guided De-relocation and Linear Sweep De-relocation ) to pre-process a memory dump. The goal of both methods is to identify and undo the effect of relocation in every module contained in the dump, providing sanitized inputs to similarity digest algorithms that improve similarity scores between modules. Guided De-relocation relies on specific structures of the Windows PE format, while Linear Sweep De-relocation relies on a disassembling process to identify assembly instructions having memory operands that address to the memory range of the module. We have integrated both methods in a Volatility plugin and evaluated them in different scenarios. Our results demonstrate that pre-processing memory dumps with these methods significantly improves similarity scores between memory modules.
- Is Part Of:
- Computers & security. Issue 101(2021)
- Journal:
- Computers & security
- Issue:
- Issue 101(2021)
- Issue Display:
- Volume 101, Issue 101 (2021)
- Year:
- 2021
- Volume:
- 101
- Issue:
- 101
- Issue Sort Value:
- 2021-0101-0101-0000
- Page Start:
- Page End:
- Publication Date:
- 2021-02
- Subjects:
- Similarity digest algorithms -- Memory forensics -- Windows -- Relocation
Computer security -- Periodicals
Electronic data processing departments -- Security measures -- Periodicals
005.805 - Journal URLs:
- http://www.sciencedirect.com/science/journal/01674048 ↗
http://www.elsevier.com/journals ↗ - DOI:
- 10.1016/j.cose.2020.102119 ↗
- Languages:
- English
- ISSNs:
- 0167-4048
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library DSC - 3394.781000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store - Ingest File:
- 15398.xml