mrsh-mem: Approximate Matching on Raw Memory Dumps

Reference

Liebler, L., & Breitinger, F. (2018). mrsh-mem: Approximate Matching on Raw Memory Dumps. Paper presented at the 11th International Conference on IT Security Incident Management & IT Forensics.

Publication type

Paper in Conference Proceedings

Abstract

This paper presents the fusion of two subdomains of digital forensics: (1) raw memory analysis and (2) approximate matching. Specifically, this paper describes a prototype implementation named MRSH-MEM that allows the comparison of hard drive images as well as memory dumps and can therefore answer the question of whether a particular program (installed on a hard drive) is currently running / loaded in memory. To answer this question, we only require both dumps or access to a public repository which provides the binaries to be tested. For our prototype, we modified an existing approximate matching algorithm named MRSH-NET and combined it with approxis, an approximate disassembler. Recent literature claims that approximate matching techniques are slow and hardly applicable to the field of memory forensics. In particular, legitimate changes to executables in memory caused by the loader itself prevent the application of current bytewise approximate matching techniques. Our approach lowers the impact of modified code in memory and shows good computational performance. During our experiments, we show how an investigator can gain meaningful insights by combining data gained from a hard disk image and raw memory dumps with practicable runtime performance. Lastly, our current implementation will be integrable into the Volatility memory forensics framework, and we introduce new possibilities for providing data-driven cross-validation functions. Our current proof-of-concept implementation supports Linux-based raw memory dumps.

Organizational Units

  • Institute of Information Systems
  • Hilti Chair for Data and Application Security

DOI

http://dx.doi.org/10.1109/IMF.2018.00011