A Brief Survey of Memory Analysis Tools
DOI: https://doi.org/10.24949/njes.v10i2.474
Keywords: Memory Forensics, forensic analysis, malware, behavior analysis, Malware IOC
Abstract
This paper covers five major tools used for memory forensics, to help the scientific community and forensics researchers determine which tools best fit their requirements. Memory forensic analysis makes it very easy to judge whether malware is present and how it behaves. The paper presents a brief survey of each tool's attributes and its supported platforms. We have focused mainly on reporting results in terms of running processes, DLLs, drivers, registry data, event logs, web activity, services, malware IOC (indicators of compromise) analysis, network information, tool size, address translation, etc. Investigators may choose one of the tools according to their requirements.