Igor.Korkin renamed 1. INTRODUCTION.tex to INTRODUCTION.tex  over 9 years ago

Commit id: fc3c21858cc6993372ff6b52189e5a2bbe655f19

\section{INTRODUCTION}  Memory dump is used in various aspects of information security. It can be used for controlling virtual memory content while program is executed, running and after its close, is also typical for sophisticated malware, reverse-engineering due to it provides code and data in virtual memory for research and analysis. Memory dump is also used in computer forensic examination processes.   A fairly common problem is to obtain and analyze a memory dump. Both individual professionals J.Stuttgen, M.Cohen, B.Schatz, J.Okolica, J.Rutkowska, J.Butler, L.Cavallaro, L.Milkovic and entire international companies such as Microsoft, WindowsSCOPE, Guidance Software, Mandiant Corporation, Volatile Systems LLC tried to deal with this problem. A number of research theses are devoted to these issues [1-4].  It has also been discussed during various international conferences like BlackHat, DefCon, Digital Forensic Research Workgroup (DFRWS) Conference, ADFSL Conference on Digital Forensics, Security and Law, Open Source Digital Forensics Conference and workshops such as International Workshop on Digital Forensics (WSDF), SANS Windows Memory Forensics Training (FOR526), Open Memory Forensics Workshop (OMFW) by Volatile Systems.  This article presents a new memory dumping and analysis system which has several advantages and gives an example of how to use it for the kernel-mode rootkits and hidden malware detection. Moreover, this system can be applied in all mentioned above areas. The remainder of the paper is organized as follows.  Section 2 is devoted to the most popular software and hardware approaches for acquiring memory their analysis, including a new low-level approach. Memory dump can be obtained by executing a code that is running in user mode, kernel mode, VMX-root mode, system management mode and low-level AMT code which is used by an independent processor. 
These approaches can dump memory of single process address space or copy physical Random Access Memory (RAM). Tools and approaches focused on the mentioned code modes are described. As Microsoft Windows operating system is the most popular now it is essential to focus on OS Windows family of tools. However, similar conclusions could be made about Unix-based tools and approaches.  Section 3 contains a description of author’s memory dump acquisition approach. The idea is based on walking through the page tables and saving each of them with additional information, such as virtual page addresses and its offsets in the result dump file. This approach reveals good efficiency when each page is not separately saved to HDD, but is buffered and archived before it is saved. Additional dump file encryption protects it from modification while it is being saved to HDD. This approach uses memory paging in protected mode and therefore is operating system independent and is applicable on Linux or Mac OS X.  In section 4 hidden malware is observed. The current available detection methods and tools are analyzed with the focus on signature detection of hidden drivers as the most common problem. An author’s Dynamic Bit Signature (DBS) and Rating Point Inspection (RPI) approaches for processes’ and drivers’ detection and comparative analysis are briefly presented.  Section 5 contains main conclusions and further research directions.
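Review bot: the sentence "Additional dump file encryption protects it from modification while it is being saved to HDD" claims an integrity property that encryption alone does not provide; suggest rewording to say what the mechanism actually guarantees (confidentiality of the dump contents) or, if tamper detection is intended, naming the integrity mechanism (a keyed MAC or a signature over the dump) in the section that describes the acquisition approach. Several sentences in the same block also need grammatical repair before publication: "reverse-engineering due to it provides code and data" (should be "reverse engineering, since it provides code and data"), "the most popular software and hardware approaches for acquiring memory their analysis" (missing "and" before "their analysis"), and "In section 4 hidden malware is observed" ("considered" or "discussed" fits the intended meaning better). Minor: "Memory dump" and "memory dump" should take an article ("A memory dump") throughout, and the LaTeX body is a single run of text; paragraph breaks before "The remainder of the paper", "Section 3", "In section 4" and "Section 5" would make the outline readable in the rendered PDF.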