A Brief Survey of Memory Analysis Tools

Authors

  • Zia Ur Rehman
  • Aneeq Ahmad
  • Shahzad Saleem

DOI:

https://doi.org/10.24949/njes.v10i2.474

Keywords:

Memory Forensics, forensic analysis, malware, behavior analysis, Malware IOC

Abstract

This paper covers five major tools used for memory forensics and is intended to help the scientific community and forensics researchers determine which tools best fit their requirements. Memory forensic analysis makes it straightforward to judge malware presence and behavior. The paper presents a brief survey of each tool's attributes and supported platforms. We have mainly focused on reporting results based on running processes, DLLs, drivers, registry data, event logs, web activity, services, malware IOC (indicators of compromise) analysis, network information, tool size, address translation, etc. Investigators may choose one of the tools according to their requirements.

Author Biographies

Zia Ur Rehman

School of Electrical Engineering & Computer Science, National University of Science & Technology, Islamabad, 44000 Pakistan

Aneeq Ahmad

School of Electrical Engineering & Computer Science, National University of Science & Technology, Islamabad, 44000 Pakistan

Shahzad Saleem

School of Electrical Engineering & Computer Science, National University of Science & Technology, Islamabad, 44000 Pakistan

Section

Engineering Sciences