diff --git a/REFERENCES.tex b/REFERENCES.tex
index 4539135..ac2a0d9 100644
--- a/REFERENCES.tex
+++ b/REFERENCES.tex
...
9. Casey, E. (2005). Handbook of Digital Forensics and Investigation. Burlington, MA: Elsevier Academic Press
10. Carvey, H. (2009). Windows Forensic Analysis DVD Toolkit, Burlington, MA: Syngress Press
11. AccessData Group. FTK. AccessData. Retrieved from http://www.accessdata.com/products/digital-forensics/ftk on January 14, 2014
12. Belkasoft. (2013). Live RAM Capturer. Retrieved from http://forensic.belkasoft.com/en/ram/download.asp on January 14, 2014
13. Okolica, J. Peterson, G. (2011). Extracting forensic artifacts from Windows O/S memory. Retrieved from http://ie.archive.ubuntu.com/disk1/disk1/download.sourceforge.net/pub/sourceforge/c/cm/cmat/CMAT%20Technical%20Report.pdf on January 14, 2014
14. Moomsols (2009). DumpIt. Retrieved http://www.moonsols.com/ on January 14, 2014
15. Guidance Software. (2013). EnCase Forensic. Retrieved from https://www.encase.com/encase-forensic.htm on January 14, 2014
16. HBGary. (2013). FastDump. Retrieved from http://hbgary.com/free_tools on January 14, 2014
17. ManTech Int. (2009). Sourceforge MDD. Retrieved from http://sourceforge.net/projects/mdd on January 14, 2014
18. Mandiant. (2009). Software Downloads Memoryze. Retrieved from https://www.mandiant.com/resources/download/memoryze on January 14, 2014
19. Technology Pathways. (2013). ProDiscover. Retrieved from http://www.techpathways.com/ProDiscoverDFT.htm on January 14, 2014
20. Cohen M. (2012). The PMEM Memory acquisition suite. Retrieved http://scudette.blogspot.ru/2012/11/the-pmem-memory-acquisition-suite.html on January 14, 2014
21. GMG Systems. (2013). KnTTools with KnTList. Retrieved from http://gmgsystemsinc.com/knttools on January 14, 2014
22. Vomel, S., Freiling, F. (2011). A survey of main memory acquisition and analysis techniques for the windows operating system, The International Journal of Digital Forensics & Incident Response, 8 (1), 3-22. doi:10.1016/j.diin.2011.06.002
23. Milkovic, L. (2012). Defeating Windows memory forensics. Retrieved from http://events.ccc.de/congress/2012/Fahrplan/events/5301.en.html on January 14, 2014
24. Cohen, M., Bilby, D., Caronni, G. (2011). Distributed forensics and incident response in the enterprise, Journal Digital Investigation: The International Journal of Digital Forensics & Incident Response, 8, S101-S110. doi:10.1016/j.diin.2011.05.012
25. Dykstra, J., Sherman, A. (2012). Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques. Retrieved from http://www.csee.umbc.edu/~dykstra/DFRWS_Dykstra.pdf on January 14, 2014
VMX-code mem dump
26. F-Response. Remote Analysis Capability for X-Ways Forensics. Retrieved from http://www.x-ways.net/forensics/f-response.htmlon January 14, 2014
27. Graziano, M., Lanzi, A., Balzarotti, D. (2013). Hypervisor Memory Forensics. In J.Stolfo, A. Stavrou, V. Wright (Eds.), Research in Attacks, Intrusions, and Defenses. Paper presented at The 16th International Symposium, RAID 2013, Rodney Bay, St. Lucia, 23-25 October (pp 21-40).
28. Yu, M., Qi, Z., Lin, Q., Zhong, X., Li, B., Guan H., (2012). Vis: Virtualization Enhanced Live Acquisition for Native System, Journal of Digital Investigation, Volume 9, Issue 1, 22–33. doi:10.1016/j.diin.2012.04.002
29. Kuhn, S., Taylor, S. (2012). A forensic hypervisor for process tracking and exploit discovery. Paper present at Military Communications Conference, MILCOM, Orlando, FL, 29 October 2012 1 November 2012 (pp. 1-5). doi:10.1109/MILCOM.2012.6415817
30. Johannes, S., Michael, C. (2013). Anti-Forensic Resilient Memory Acquisition, Retrieved from http://dfrws.org/2013/proceedings/DFRWS2013-13.pdf on January 14, 2014
31. Rutkowska, J., Tereshkin, (2007). A. IsGameOver(). Anyone?. Retrieved from http://www.blackhat.com/presentations/bh-usa-07/Rutkowska/Presentation/bh-usa-07-rutkowska.pdf on January 14, 2014
32. Blunden, B. (2012). The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. Burlington, MA: Jones & Bartlett Publishers.
33. Datta, A., Franklin, J., Garg, D., Kaynar, D. (2009). A Logic of Secure Systems and its Application to Trusted Computing, Paper presented at 30th IEEE Symposium on Security and Privacy (S&P), Berkeley, CA, 17-20 May (pp. 221-236). doi:10.1109/SP.2009.16
34. Lioy, A., Ramunno, G., Vernizzi, D. (2009). Trusted-Computing Technologies for the Protection of Critical Information Systems. Paper presented at the International Workshop on Computational Intelligence in Security for Information Systems CISIS’08, Burgos, Spain, 23-26 September (pp 77-83) Berlin: Springer
35. Silakov, D. V. (2012). The Use of Hardware Virtualization in the Context of Information Security, Programming and Computer Software, 38(5), 276-280. doi:10.1134/S0361768812050064
36. Wojtczuk, R., Rutkowska, J. (2009). Attacking Intel Trusted Execution Technology, Black Hat DC 2009; Retrieved from http://invisiblethingslab.com/resources/bh09dc/Attacking%20Intel%20TXT%20-%20paper.pdf on January 14, 2014
37. Wojtczuk, R., Rutkowska, J., and Tereshkin A. (2009). Another Way to Circumvent Intel Trusted Execution Technology, Retrieved from http://invisiblethingslab.com/resources/misc09/Another%20TXT%20Attack.pdf on January 14, 2014
38. Zmudzinski, K. (2009). Methods for selecting cores to execute system management interrupts. Retrieved from http://www.patentimages.storage.googleapis.com/pdfs/US20090172229.pdf on January 14, 2014
39. Embleton, S., Sparks, S., Zou, C. (2008). SMM Rootkits: A New Breed of OS Independent Malware. Paper present at Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm). Istanbul, Turkey, (pp 1-12). doi:10.1145/1460877.1460892
40. Wang, J., Zhang, F., Sun, K., Stavrou, A. (2009). Firmware-assisted Memory Acquisition and Analysis Tools for Digital Forensics. Paper present at Proceedings International Workshop on Systematic Approaches to Digital Forensic Engineering, Berkeley, California, USA, 26 May, (pp 1-5).
41. Reina, A., Fattori, A., Pagani, F., Cavallaro, L., Bruschi D. (2012). When Hardware Meets Software: A Bulletproof Solution to Forensic Memory Acquisition. Paper present at Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC), NY, USA, (pp. 79-88). doi:10.1145/2420950.2420962
42. Tereshkin, A., Wojtczuk, R. (2009). Introducing Ring -3 Rootkits, Retrieved from http://www.blackhat.com/presentations/bh-usa-09/TERESHKIN/BHUSA09-Tereshkin-Ring3Rootkit-SLIDES.pdf on January 14, 2014
43. Stewin, P., Bystrov I. (2012). Understanding DMA Malware. Paper presented at Proceedings of the 9th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Heraklion, Crete, Greece, 26-27 July (pp 21-41)
44. Ververis, V. (2010). Security Evaluation of Intel's Active Management Technology. Master thesis. Retrieved from http://web.it.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf on January 14, 2014
VmWare-suspend approach
45. Csk (2012). Intel AMT/ME Meet Intel's hardware backdoor. Retrieved from http://www.uberwall.org/bin/download/download/102/lacon12_intel_amt.pdf on January 14, 2014.
46. David, F., Chan, E., Carlyle J., Campbell, R. (2008). Cloaker: Hardware Supported Rootkit Concealment. Paper presented at IEEE Symposium on Security and Privacy, Oakland, California, USA, 18-21 May (pp. 296-310). doi:10.1109/SP.2008.8
47. Patel A., Mistry N. (2013). An Analyzing of different Techniques and Tools to Recover Data from Volatile Memory. International Journal for Scientific Research & Development, 1(2), 219-225.
48. Carrier, B., Grand, J. (2004). A Hardware-Based Memory Acquisition Procedure for Digital Investigations, The International Journal of Digital Forensics & Incident Response, 1(1), 50-60, doi:10.1016/j.diin.2003.12.001
49. Goel, S. (2009). Digital Forensics and Cyber Crime. Paper presented at First International ICST Conference, Albany, NY, USA, Sept 30 - Oct 2,
50. Davis, M., Bodmer, S., LeMasters, (2009). A. Hacking Exposed: Malware & Rootkits Secrets & Solutions. The McGraw-Hill Companies
51. CaptureGUARD. (2012). Physical Memory Acquisition Hardware by WindowsScope. Retrieved from http://www.windowsscope.com/ on January 14, 2014
52. Boileau, (2011). A. Hit by a Bus: Physical Access Attacks with Firewire. Retrieved from http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf on January 14, 2014
53. Breuk, R., Spruyt, A. (2012). Integrating DMA attacks in exploitation frameworks. Retrieved from http://www.delaat.net/rp/2011-2012/p14/report.pdf on January 14, 2014
54. Lawson N. (2007). Don’t Tell Joanna. The Virtualized Rootkit Is Dead. Retrieved from http://www.matasano.com/research/bh-usa-07-ptacek_goldsmith_and_lawson.pdf on January 14, 2014
55. Athreya, M. (2010). Subverting linux on-the-fly using hardware virtualization technology. Retrieved from http://arch.ece.gatech.edu/pub/athreya.pdf on January 14, 2014
56. Bulygin, Y. (2008). Chipset based approach to detect virtualization malware a.k.a. DeepWatch. Retrieved from http://www.hakim.ws/BHUSA08/speakers/Bulygin_Detection_of_Rootkits/bh-us-08-bulygin_Chip_Based_Approach_to_Detect_Rootkits.pdf on January 14, 2014
57. AMD64 (2012). AMD64 Architecture Programmer’s Manual Volume 2: System Programming. Retrieved from support.amd.com/us/Processor_TechDocs/APM_V2_24593.pdf on January 14, 2014
58. Rutkowska J. (2007). Beyond The CPU: Defeating Hardware Based RAM Acquisition (part I: AMD case). Retrieved from http://www.first.org/conference/2007/papers/rutkowska-joanna-slides.pdf on January 14, 2014
59. Reuben, J. (2007). A Survey on Virtual Machine Security. Retrieved from http://www.tml.tkk.fi/Publications/C/25/papers/Reuben_final.pdf on January 14, 2014
60. Ferrie, P. (2006). Attacks on Virtual Machine Emulators. Retrieved from http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf on January 14, 2014
61. Okolica, J., Peterson, G. (2010). A Compiled Memory Analysis Tool. IFIP Advances in Information and Communication Technology, 337, 195-204, doi:10.1007/978-3-642-15506-2_14
62. Zhao, Q., Cao, T. (2009). Collecting Sensitive Information from Windows Physical Memory. Journal of Computers, 4(1), 3-10.
63. Ruff, N. (2007). Windows memory forensics. Journal of Computer Virology and Hacking Techniques, 4(2), 83-100. doi:10.1007/s11416-007-0070-0
64. MSDN. (2013). Forcing a System Crash from the Keyboard. Retrieved from http://msdn.microsoft.com/en-us/library/windows/hardware/ff545499(v=vs.85).aspx on January 14, 2014
65. Halderman, J.A., Schoen, D.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., ... Felten E.W. (2008). Lest We Remember: Cold Boot Attacks on Encryption Keys. Paper presented at 17th USENIX Security Symposium, San Jose, CA, July (pp. 45–60).
66. Schatz, B. (2007). BodySnatcher: Towards reliable volatile memory acquisition by software, Journal Digital Investigation: The International Journal of Digital Forensics & Incident Response, 4, 126–134. doi:10.1016/j.diin.2007.06.009
67. Hoglund, G. (2011). A Brief History of Physical Memory Forensics, Retrieved from http://fasthorizon.blogspot.ru/2011/05/brief-history-of-physical-memory.html on January 14, 2014
68. Burdach, M. (2006). Finding Digital Evidence In Physical Memory. Retrieved from http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf on January 14, 2014
69. Zhang, R., Wang, L., Zhang, S. (2009). Windows Memory Analysis Based on KPCR. Paper presented at Fifth International Conference on. Information Assurance and Security, Xi'an, China, 18-20 August (pp. 677-680). doi:10.1109/IAS.2009.103
70. Korkin, I. (2013). Windows NT4.0 source code. Retrieved from http://igorkorkin.blogspot.ru/2013/09/windows-nt-40-full-free-source-code-912_16.html on January 14, 2014
71. MSDN (2010). Windows Research Kernel Source Code. Retrieved from https://www.microsoft.com/education/facultyconnection/articles/articledetails.aspx?cid=2416&c1=en-us&c2=0 on January 14, 2014
72. ReactOS. (2013). ReactOS source code. Retrieved from http://doxygen.reactos.org on January 14, 2014
73. Tsaur, W. Chen, Y. (2010). Exploring Rootkit Detectors' Vulnerabilities Using a New Windows Hidden Driver Based Rootkit. Paper presented at The Second IEEE International Conference on Social Computing (SocialCom2010), Minneapolis, MN, 20-22 August (pp. 842-848) doi:10.1109/SocialCom.2010.127
74. Korkin, I. (2012, August) Anti-Rootkits in the Era of Cyber Wars, Hakin9 Extra Magazine, English Edition. Vol.2. No.7 Issue 07/2012 (11) ISSN 1733-7186. pp 26-29
75. Wright, C. (2013, October 1). Windows memory forensics & memory acquisition. eForensics Magazine, pp. 112-118.
76. Arevalo, J. (2013, October 1). Step by step to work with your own memory dumps. eForensics Magazine, pp. 36-75.
77. Rutkowska, J. (2006) Introducing Stealth Malware Taxonomy. Retrieved from http://theinvisiblethings.blogspot.ru/2006/11/introducing-stealth-malware-taxonomy.html on January 14, 2014
78. Tsaur, W. (2012). Strengthening digital rights management using a new driver-hidden rootkit. IEEE Transactions on Consumer Electronics, 58(2), 479-483. doi: 10.1109/TCE.2012.6227450
79. Blunden, B. (2009). The Rootkit Arsenal: Escape and Evasion. Texas, USA: Jones & Bartlett Learning
80. Rutkowska, J. (2005). Thoughts about Cross-View based Rootkit Detection. Retrieved from http://es.thehackademy.net/madchat/vxdevl/library/Thoughts%20about%20Cross-View%20based%20Rootkit%20Detection.pdf on January 14, 2014
81. Shosha, A. F., Chen-Ching, L., Gladyshev, P., Matten, M. (2012) Evasion-resistant malware signature based on profiling kernel data structure objects. Paper presented at The International Conference on Risks and Security of Internet and Systems (CRiSIS), Cork, 10-12 October, (pp. 1-8).
82. Haruyama, T., Suzuki, H. (2012). One-Byte Modification for Breaking Memory Forensic Analysis. Retrieved from http://media.blackhat.com/bh-eu-12/Haruyama/bh-eu-12-Haruyama-Memory_Forensic-Slides.pdf on January 14, 2014
83. Aumaitre, D. (2009). A little journey inside Windows memory. Journal of Computer Virology and Hacking Techniques, 5 (2), 105-117. doi:10.1007/s11416-008-0112-2
84. Wandong, P., Jiang, Y., Jun; C., Yinshan, L. (2010). A Method for Hidden Process Detection Based on Routines of Thread Scheduling List. Paper presented at The International Conference on Internet Technology and Applications (iTAP), Wuhan, China, 20-22 August (pp. 1-5)
85. Graham J, Howard R, Olson R (2010). Cyber security essentials. Boca Raton, FL: Auerbach Publications
86. Cohen, M. (2012). Memory Forensics With Volatility, Retrieved from http://www.dfrws.org/2012/program.shtml on January 14, 2014
87. Komal, B. (2013, October 1). Step by step memory forensics. eForensics Magazine, 15 (19), pp. 20-35.
88. Saur, K., Grizzard, J. (2010). Locating x86 Paging Structures in Memory Images. Journal Digital Investigation: The International Journal of Digital Forensics & Incident Response. 7 (1), 28-37. doi:10.1016/j.diin.2010.08.002
89. Cui, W., Peinado, M., Xu, Z., Chan, E. (2012). Tracking Rootkit Footprints with a Practical Memory Analysis System. Paper presented at the 21st USENIX Security Symposium, USENIX Association Berkeley, CA, USA, August (pp. 42-57).
90. Schuster, A. (2006). Searching for processes and threads in Microsoft Windows memory dumps. Journal Digital Investigation: The International Journal of Digital Forensics & Incident Response.3, 10-16 doi:10.1016/j.diin.2006.06.010
91. Lin, Z., Rhee, J., Zhang, X., Xu, D., Jiang, X. (2011). SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures. Paper presented at the 17th Annual Network and Distributed System Security Symposium (NDSS), CA, 28 February (pp. 1-18).
92. Dolan-Gavitt, B., Srivastava, A., Traynor, P., Giffin, J. (2009). Robust Signatures for Kernel Data Structures. Paper presented at the ACM Conference on Computer and Communications Security, Chicago, Illinois, USA, 9-13 November (pp. 1-12)
93. Hoglund, G., Butler, J. (2005). Rootkits: Subverting the Windows Kernel. Massachusetts, US: Addison-Wesley Professional.
94. Vomel, S., Lenz, H. (2013). Visualizing Indicators of Rootkit Infections in Memory Forensics, Paper presented at 7th International Conference on IT Security Incident Management and IT Forensics (IMF), Nuremberg, German, 12-14 March (pp. 122-139)
95. Tsaur, W., Yeh L. (2012). Identifying Rootkit Infections Using a New Windows Hidden-driver-based Rootkit. Paper presented at The International Conference on Security and Management, Las Vegas, USA, 16-19 July (pp. 1-7)
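Review bot: several entries in this hunk carry misplaced author initials and typos that should be corrected before merging. Entry 31 reads "Rutkowska, J., Tereshkin, (2007). A. IsGameOver()" (the initial "A." belongs after "Tereshkin,"), and entries 50 ("LeMasters, (2009). A. Hacking Exposed") and 52 ("Boileau, (2011). A. Hit by a Bus") have the same problem; entry 14 "Moomsols" does not match its own moonsols.com URL; entry 26 lacks a space in "f-response.htmlon January 14, 2014"; entries 14 and 20 say "Retrieved http://" without "from"; entries 13 and 73 are missing the comma between the first two authors; entries 28, 39, 40 and 41 use "Paper present at" instead of "Paper presented at"; entry 30 appears to list its authors by first name ("Johannes, S., Michael, C.") and should be checked against the DFRWS 2013 paper it links; and entry 49 ends at "Sept 30 - Oct 2," with no year or page range. The two bare lines "VMX-code mem dump" and "VmWare-suspend approach" between entries 25/26 and 44/45 read as working notes rather than bibliography items and should probably not be in REFERENCES.tex.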