Memory analysis of .NET and .Net Core applications. (July 2022)
- Record Type:
- Journal Article
- Title:
- Memory analysis of .NET and .Net Core applications. (July 2022)
- Main Title:
- Memory analysis of .NET and .Net Core applications
- Authors:
- Manna, Modhuparna
Case, Andrew
Ali-Gombe, Aisha
Richard, Golden G.
- Abstract:
- Memory analysis is a digital forensics technique whose goal is to model a computer system's state based solely on the analysis of a snapshot of physical memory (RAM). Memory forensics is frequently employed in incident response to detect and analyze modern malware and attack frameworks. Memory forensics is a particularly powerful tool for analyzing modern malware, which may exist only in memory and not touch non-volatile storage. Memory-only attacks leave no trace of the malware and its associated modules on the file system, and all data that traverses the network is commonly encrypted. While initially focused on kernel level rootkits, memory analysis research efforts have recently shifted to detection of userland malware. This shift occurred as operating system vendors have strongly locked down the ability for kernel rootkits to load, and, in turn, malware authors have developed significant userland malware capabilities. In this paper, we present our effort to develop memory analysis capabilities that target a very powerful and widely abused set of userland runtimes: the .NET Framework and its replacement, .NET Core. To support automated and repeatable results, even for non-expert investigators, we developed a number of Volatility plugins that automatically target key areas of these runtimes and report any suspicious artifacts. Our suite of new plugins provides investigators with deep insight into the use of .NET on a target system as well as identification of suspicious and malicious components. These capabilities considerably advance a defender's ability to combat, contain, and understand modern malware.
- Is Part Of:
- Forensic science international. Volume 42(2022)Supplement
- Journal:
- Forensic science international
- Issue:
- Volume 42(2022)Supplement
- Issue Display:
- Volume 42, Issue 2022 (2022)
- Year:
- 2022
- Volume:
- 42
- Issue:
- 2022
- Issue Sort Value:
- 2022-0042-2022-0000
- Page Start:
- Page End:
- Publication Date:
- 2022-07
- Subjects:
- Memory forensics -- Language runtimes -- Memory-only malware -- Digital forensics
- Journal URLs:
- http://www.sciencedirect.com/
- DOI:
- 10.1016/j.fsidi.2022.301404
- Languages:
- English
- ISSNs:
- 2666-2817
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 22352.xml