TY - JOUR
T1 - Data correlation-based analysis methods for automatic memory forensic
AU - Fu, X.
AU - Du, X.
AU - Luo, B.
N1 - Publisher Copyright:
© 2015 John Wiley & Sons, Ltd.
PY - 2015/12/1
Y1 - 2015/12/1
N2 - Memory forensics is an important technique for protecting network security and fighting against computer crimes. It has developed greatly in the past decade, because memory can provide more reliable information that other evidence sources do not contain. However, nowadays, when investigating network criminal cases, the Gigabyte (GB) and even Terabyte (TB) level memory and many such dumps have made memory analysis a difficult task. And investigators usually have to deal with complex operating system (OS) data structures, which they have little knowledge of. So how to analyze memory evidence automatically so as to find the hidden criminal behavior and reconstruct the scenario in an understandable way has become an important problem. This paper presents an automatic memory analysis methodology based on data correlation. Through analyzing key OS data structures and utilizing a clustering algorithm, this methodology can discover the relationships among processes, files, users, Dynamic-link library (DLLs), and network connections. By describing these relationships as correlation graphs, our methods can reorganize these independent memory evidences and disclose their meanings in a high semantic level. Experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios. And as we know, now, little work is in this field.
AB - Memory forensics is an important technique for protecting network security and fighting against computer crimes. It has developed greatly in the past decade, because memory can provide more reliable information that other evidence sources do not contain. However, nowadays, when investigating network criminal cases, the Gigabyte (GB) and even Terabyte (TB) level memory and many such dumps have made memory analysis a difficult task. And investigators usually have to deal with complex operating system (OS) data structures, which they have little knowledge of. So how to analyze memory evidence automatically so as to find the hidden criminal behavior and reconstruct the scenario in an understandable way has become an important problem. This paper presents an automatic memory analysis methodology based on data correlation. Through analyzing key OS data structures and utilizing a clustering algorithm, this methodology can discover the relationships among processes, files, users, Dynamic-link library (DLLs), and network connections. By describing these relationships as correlation graphs, our methods can reorganize these independent memory evidences and disclose their meanings in a high semantic level. Experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios. And as we know, now, little work is in this field.
KW - Clustering
KW - Event reconstruction
KW - Memory evidences analysis
KW - Memory forensics
KW - Process correlation
UR - http://www.scopus.com/inward/record.url?scp=84959311443&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84959311443&partnerID=8YFLogxK
U2 - 10.1002/sec.1337
DO - 10.1002/sec.1337
M3 - Article
AN - SCOPUS:84959311443
SN - 1939-0114
VL - 8
SP - 4213
EP - 4226
JO - Security and Communication Networks
JF - Security and Communication Networks
IS - 18
ER -