A study on the evolution of kernel data types used in memory forensics and their dependency on compilation options

Oliveri, Andrea; Nemes, Nikola; Andjelic, Branislav; Balzarotti, Davide
DFRWS EU 2025, Digital Forensics Research Conference Europe, 1-4 April 2025, Brno, Czech Republic / Also to be published in "Forensic Science International: Digital Investigation"

Over the years, memory forensics has emerged as a powerful analysis technique for uncovering security breaches that often evade detection. However, differences in the layouts that operating systems use to organize data in memory can undermine its effectiveness. To overcome this problem, forensic tools rely on specialized "maps", called profiles, which describe the location and layout of kernel data types in volatile memory for each OS. Because a profile is tailored to a specific OS version, the profile must be selected with care: using the wrong one can compromise the entire forensic analysis. In this work, for the first time, we conduct a longitudinal measurement study of kernel data type evolution across multiple kernel releases and its impact on memory forensics profiles. We analyze 2,298 Linux, macOS, and Windows Volatility 3 profiles from 2007 to 2024 to investigate patterns in data type changes across different OS releases, with a particular focus on types relevant to forensic analysis. This allows us to identify the fields most commonly affected by modifications and, consequently, the Volatility plugins most vulnerable to these changes. For cases where an exact profile is unavailable, we propose guidelines for choosing the most appropriate alternative profile to modify and use. Additionally, using a tool we developed, we analyze the source code of 77 Linux kernel versions to measure, for the first time, how the evolution of compile-time options influences kernel data types. Our findings show that even options unrelated to memory forensics can significantly alter data structure layouts and the derived profiles, offering crucial insights for forensic analysts navigating kernel configuration changes.

Type: Conference
City: Brno
Date: 2025-04-01
Department: Digital Security
Eurecom Ref: 7994
Copyright: © Elsevier. Personal use of this material is permitted. The definitive version of this paper was published in DFRWS EU 2025, Digital Forensics Research Conference Europe, 1-4 April 2025, Brno, Czech Republic / Also to be published in "Forensic Science International: Digital Investigation" and is available at:

PERMALINK : https://www.eurecom.fr/publication/7994