Memory forensics is useful to provide a fast triage of the processes that were running at the time of memory acquisition, in order to avoid unnecessary forensic analysis. However, due to the effects of the execution of the process itself, traditional cryptographic hashes, normally used in disk forensics to identify files, are unsuitable in memory forensics. Similarity digest algorithms allow an analyst to compute a similarity score between inputs that differ slightly. In this paper, we focus on the issues caused by relocation of Windows processes and system libraries when computing similarities between them. To overcome these issues, we introduce two methods ( and ) to pre-process a memory dump. The goal of both methods is to identify and undo the effect of relocation in every module contained in the dump, providing sanitized inputs to similarity digest algorithms that improve similarity scores between modules. relies on specific structures of the Windows PE format, while relies on a disassembling process to identify assembly instructions having memory operands that address the memory range of the module. We have integrated both methods in a Volatility plugin and evaluated them in different scenarios. Our results demonstrate that pre-processing memory dumps with these methods significantly improves similarity scores between memory modules.
Pre-processing memory dumps to improve similarity score of Windows modules
Computers and Security, February 2021, Vol.101
© Elsevier. Personal use of this material is permitted. The definitive version of this paper was published in Computers and Security, February 2021, Vol.101 and is available at : https://doi.org/10.1016/j.cose.2020.102119
PERMALINK : https://www.eurecom.fr/publication/6407
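The PE-based de-relocation the abstract describes, as an added Python example (not the paper's Volatility plugin): it walks a module's base relocation table (the IMAGE_DIRECTORY_ENTRY_BASERELOC data) and subtracts the loader's base delta from every fixed-up slot, so two copies of the same module loaded at different bases come back as identical bytes. The image bases, the one-page module and its .reloc data are constructed; on a real dump the exact SHA-256 comparison would be replaced by a similarity digest.

```python
import hashlib
import struct

# .reloc entry types (IMAGE_REL_BASED_*): type in the top 4 bits, page offset in the low 12.
REL_ABSOLUTE = 0   # padding entry, no fix-up
REL_HIGHLOW = 3    # 32-bit absolute address (x86 modules)
REL_DIR64 = 10     # 64-bit absolute address (x64 modules)

def derelocate(image, reloc_table, loaded_base, preferred_base):
    """Undo loader relocation: subtract the base delta from every slot named in `reloc_table`.
    `image` is the module as it lies in memory (RVA 0 at index 0); the table is a sequence of
    IMAGE_BASE_RELOCATION blocks (VirtualAddress u32, SizeOfBlock u32, then u16 entries)."""
    delta = loaded_base - preferred_base
    out = bytearray(image)
    pos = 0
    while pos + 8 <= len(reloc_table):
        page_rva, block_size = struct.unpack_from("<II", reloc_table, pos)
        if block_size < 8:          # malformed block: stop rather than loop forever
            break
        for off in range(pos + 8, pos + block_size, 2):
            (entry,) = struct.unpack_from("<H", reloc_table, off)
            kind, slot = entry >> 12, page_rva + (entry & 0xFFF)
            if kind == REL_DIR64:
                (v,) = struct.unpack_from("<Q", out, slot)
                struct.pack_into("<Q", out, slot, (v - delta) & 0xFFFFFFFFFFFFFFFF)
            elif kind == REL_HIGHLOW:
                (v,) = struct.unpack_from("<I", out, slot)
                struct.pack_into("<I", out, slot, (v - delta) & 0xFFFFFFFF)
            # REL_ABSOLUTE (and any type not handled here) leaves the bytes untouched
        pos += block_size
    return bytes(out)

def build_sample(base, size=0x100):
    """Constructed stand-in for one page of an x64 module loaded at `base`: three
    absolute pointers into the module itself, everything else zero."""
    page = bytearray(size)
    for slot, target in ((0x10, 0x80), (0x30, 0x90), (0x40, 0xA0)):
        struct.pack_into("<Q", page, slot, base + target)
    return bytes(page)

# Constructed .reloc data for that page: one block, three DIR64 fix-ups, one ABSOLUTE pad.
RELOC_TABLE = struct.pack("<II4H", 0, 16, (REL_DIR64 << 12) | 0x10,
                          (REL_DIR64 << 12) | 0x30, (REL_DIR64 << 12) | 0x40, REL_ABSOLUTE << 12)
PREFERRED_BASE = 0x180000000        # assumed ImageBase from the PE optional header
LOADED_BASE = 0x7FFA12340000        # assumed base chosen by the loader (ASLR)
ON_DISK = build_sample(PREFERRED_BASE)   # the page as stored in the file
IN_MEMORY = build_sample(LOADED_BASE)    # the same page as found in a memory dump

def compare():
    """Return (raw hashes differ, de-relocated page equals the on-disk page)."""
    restored = derelocate(IN_MEMORY, RELOC_TABLE, LOADED_BASE, PREFERRED_BASE)
    raw_differ = hashlib.sha256(IN_MEMORY).digest() != hashlib.sha256(ON_DISK).digest()
    return raw_differ, restored == ON_DISK
```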