Seance: Divination of tool-breaking changes in forensically important binaries. (July 2021)
- Record Type:
- Journal Article
- Title:
- Seance: Divination of tool-breaking changes in forensically important binaries. (July 2021)
- Main Title:
- Seance: Divination of tool-breaking changes in forensically important binaries
- Authors:
- Maggio, Ryan D.
Case, Andrew
Ali-Gombe, Aisha
Richard, Golden G.
- Abstract:
- The value of memory analysis during digital forensics, incident response, and malware investigations has been realized for over a decade. The power of memory forensics is based on the fact that volatile memory contains a substantial number of artifacts that are simply never recorded to disk or sent across the network in plaintext form. Orderly recovery of this data, known as structured analysis, allows for recovery of the full system state at the time of acquisition. For structured analysis to be successful, a memory analysis framework must have an accurate model of the data structures and algorithms of the target operating system and applications. Unfortunately, acquiring this layout is often a difficult task for even one version of an executable module, and the problem is only compounded when support for a wide variety of versions is desired. This issue can be manifested in several ways, including forensics frameworks being unable to process memory samples containing unsupported versions of executable code or worse, generating erroneous or incomplete results. Given the vital role memory analysis plays in modern investigations, these issues are unacceptable. In this paper, we present Seance, a system that implements automated binary analysis to provide accurate data structure layout information for different versions of targeted executed modules. The results of Seance can be consumed by analysis frameworks to accurately support all versions of a target module.
- Is Part Of:
- Forensic science international. Volume 37(2021)Supplement
- Journal:
- Forensic science international
- Issue:
- Volume 37(2021)Supplement
- Issue Display:
- Volume 37, Issue 2021 (2021)
- Year:
- 2021
- Volume:
- 37
- Issue:
- 2021
- Issue Sort Value:
- 2021-0037-2021-0000
- Page Start:
- Page End:
- Publication Date:
- 2021-07
- Subjects:
- Memory forensics -- Program analysis -- Digital forensics
- Journal URLs:
- http://www.sciencedirect.com/
- DOI:
- 10.1016/j.fsidi.2021.301189
- Languages:
- English
- ISSNs:
- 2666-2817
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 19476.xml