TY - GEN
T1 - Correlating processes for automatic memory evidence analysis
AU - Fu, Xiao
AU - Du, Xiaojiang
AU - Luo, Bin
AU - Shi, Jin
AU - Guan, Zhitao
AU - Wang, Yuhua
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/8/4
Y1 - 2015/8/4
N2 - Nowadays, in order to process and store many kinds of multimedia data, the storage capacity of memory has grown greatly. Moreover, the widespread use of mobile devices and cloud computing has meant that criminal investigators often face a large number of memory dumps. They have to deal with a large quantity of memory data and complex OS data structures of which they have little knowledge. How to analyze memory evidence automatically in order to find hidden criminal behavior and reconstruct the criminal scenario in an understandable way has become an important problem. Current memory analysis methods usually aim at recovering certain data structures; the identification of illegal behavior and the reconstruction of events are still completed manually by investigators. This paper presents a novel method to correlate processes for automatic memory evidence analysis. By analyzing key OS data structures and utilizing a clustering algorithm, it can discover the relationships among processes, and by describing these relationships as correlation graphs, our method can display evidence at a high semantic level. Some experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios.
AB - Nowadays, in order to process and store many kinds of multimedia data, the storage capacity of memory has grown greatly. Moreover, the widespread use of mobile devices and cloud computing has meant that criminal investigators often face a large number of memory dumps. They have to deal with a large quantity of memory data and complex OS data structures of which they have little knowledge. How to analyze memory evidence automatically in order to find hidden criminal behavior and reconstruct the criminal scenario in an understandable way has become an important problem. Current memory analysis methods usually aim at recovering certain data structures; the identification of illegal behavior and the reconstruction of events are still completed manually by investigators. This paper presents a novel method to correlate processes for automatic memory evidence analysis. By analyzing key OS data structures and utilizing a clustering algorithm, it can discover the relationships among processes, and by describing these relationships as correlation graphs, our method can display evidence at a high semantic level. Some experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios.
KW - clustering
KW - event reconstruction
KW - memory evidence analysis
KW - memory forensics
KW - processes correlation
UR - http://www.scopus.com/inward/record.url?scp=84943276376&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84943276376&partnerID=8YFLogxK
U2 - 10.1109/INFCOMW.2015.7179370
DO - 10.1109/INFCOMW.2015.7179370
M3 - Conference contribution
AN - SCOPUS:84943276376
T3 - Proceedings - IEEE INFOCOM
SP - 115
EP - 120
BT - 2015 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2015
T2 - IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2015
Y2 - 26 April 2015 through 1 May 2015
ER -