ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2018, Vol. 55 ›› Issue (10): 2278-2290.doi: 10.7544/issn1000-1239.2018.20180405

Special Issue: 2018 Special Topic on Distributed Security and Blockchain Technology Research


A Memory Forensic Method Based on Hidden Event Trigger Mechanism

Cui Chaoyuan1, Li Yonggang1,2, Wu Yun3, Wang Licheng4   

  1 Institute of Intelligent Machines, Hefei Institutes of Physical Science, Chinese Academy of Sciences, Hefei 230031
  2 Graduate School of Science Island Branch, University of Science and Technology of China, Hefei 230027
  3 Institute of Applied Technology, Hefei Institutes of Physical Science, Chinese Academy of Sciences, Hefei 230088
  4 School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876
  • Online: 2018-10-01

Abstract: As an important branch of computer forensics, memory forensics extracts and analyzes digital evidence about the running state of the operating system, and has become a powerful weapon against cybercrime. Most existing memory forensics approaches acquire the full contents of memory, so the acquired data contains a large amount of redundant information that complicates subsequent analysis. In addition, the choice of forensic time point is largely blind, especially against malware with hiding behaviour, so acquisition cannot be performed accurately in real time at the moment an attack occurs. Because memory is volatile and cannot be recovered afterwards, a mismatch between the forensic time point and the attack process leaves the acquired content unable to characterize the attack behaviour, rendering the forensic data useless. This paper proposes ForenHD, a memory forensics approach based on a hidden-event trigger mechanism. ForenHD uses virtualization technology to monitor the kernel objects of the target virtual machine in real time. It first identifies hidden objects by analyzing the logical connections between kernel objects and their running status, then uses the discovered hidden object as the event that triggers memory forensics, and finally extracts the code segment of the hidden object through memory mapping. As a result, real-time and partial memory forensics are achieved. Experiments on forensics of multiple hidden objects demonstrate the feasibility and effectiveness of ForenHD.
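The cross-view hidden-object check and the triggered partial extraction described in the abstract can be illustrated with a small script. This is an added example, not ForenHD's code or the authors' implementation: it assumes a toy guest-memory layout (a circular task list starting at a fixed head address, a zero-terminated run-queue array, and five-field task records) that I constructed for the example, and it reads that layout from a bytearray instead of from a live virtual machine through a VMI interface such as LibVMI. A task that the scheduler still runs (running status) but that has been unlinked from the task list (logical connection) is reported as hidden, and that finding is the trigger for extracting only that task's code segment through its recorded mapping.

```python
import struct
from typing import Dict, List, Set

# Constructed toy layout standing in for guest physical memory that a VMI
# tool would read through the hypervisor. Task record (little-endian u32s):
#   pid, state, next (address of next task in the circular list),
#   code_start, code_end (mapping of the task's code segment).
TASK_FMT = "<IIIII"
INIT_TASK = 0x100    # head of the circular task list (assumed address)
RUN_QUEUE = 0x400    # zero-terminated array of task addresses the scheduler runs
MAX_TASKS = 1024     # bound list walks so a corrupted pointer cannot loop forever


def read_u32(mem: bytes, addr: int) -> int:
    return struct.unpack_from("<I", mem, addr)[0]


def read_task(mem: bytes, addr: int) -> dict:
    pid, state, nxt, cstart, cend = struct.unpack_from(TASK_FMT, mem, addr)
    return {"addr": addr, "pid": pid, "state": state, "next": nxt,
            "code_start": cstart, "code_end": cend}


def walk_task_list(mem: bytes, head: int = INIT_TASK) -> Set[int]:
    """View 1 (logical connection): follow the kernel's own task list."""
    seen: Set[int] = set()
    addr = head
    while addr != 0 and addr not in seen and len(seen) < MAX_TASKS:
        seen.add(addr)
        addr = read_task(mem, addr)["next"]
    return seen


def walk_run_queue(mem: bytes, rq: int = RUN_QUEUE) -> Set[int]:
    """View 2 (running status): tasks the scheduler is still executing."""
    seen: Set[int] = set()
    for i in range(MAX_TASKS):
        addr = read_u32(mem, rq + 4 * i)
        if addr == 0:
            break
        seen.add(addr)
    return seen


def find_hidden_tasks(mem: bytes) -> List[int]:
    """Cross-view check: running but absent from the task list => hidden."""
    return sorted(walk_run_queue(mem) - walk_task_list(mem))


def extract_code_segment(mem: bytes, task_addr: int) -> bytes:
    """Partial forensics: copy only the bytes mapped as this task's code."""
    t = read_task(mem, task_addr)
    return bytes(mem[t["code_start"]:t["code_end"]])


def forenhd_trigger(mem: bytes) -> Dict[int, bytes]:
    """A discovered hidden object is the trigger event; dump its code by pid."""
    return {read_task(mem, a)["pid"]: extract_code_segment(mem, a)
            for a in find_hidden_tasks(mem)}


def build_guest_memory(dkom_unlink: bool = True) -> bytearray:
    """Constructed sample image: three tasks; the third is unlinked from the
    task list (DKOM-style hiding) but still present in the run queue."""
    mem = bytearray(0x1000)
    code_a = b"\x90" * 16                               # constructed: nop sled
    # constructed: push rbp; mov rbp,rsp; mov eax,60; syscall; ret
    code_c = bytes.fromhex("554889e5b83c0000000f05c3")
    mem[0x800:0x800 + len(code_a)] = code_a
    mem[0x900:0x900 + len(code_c)] = code_c
    # task A (init) -> task B -> task C -> back to A; B skips C when unlinked
    struct.pack_into(TASK_FMT, mem, 0x100, 1, 0, 0x200, 0x800, 0x810)
    struct.pack_into(TASK_FMT, mem, 0x200, 2, 0,
                     0x100 if dkom_unlink else 0x300, 0x800, 0x810)
    struct.pack_into(TASK_FMT, mem, 0x300, 1337, 0, 0x100, 0x900, 0x90c)
    # the scheduler still knows all three tasks
    struct.pack_into("<IIII", mem, RUN_QUEUE, 0x100, 0x200, 0x300, 0)
    return mem


if __name__ == "__main__":
    image = build_guest_memory()
    for pid, code in forenhd_trigger(image).items():
        print(f"hidden pid {pid}: code segment {code.hex()}")
```

In a real deployment the list head, record offsets and run-queue location come from the guest kernel's symbols or a profile, and every read goes through the hypervisor rather than a local buffer; the bounded, cycle-checked walk matters there because a rootkit that corrupts a `next` pointer would otherwise stall the monitor. Note that the full image is never copied: only the code range of the object that triggered the event is extracted.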

Key words: memory forensics, real-time forensics, partial forensics, hidden event, trigger mechanism, system virtualization technology
