Document Type

Conference Proceeding

Publication Date

11-1-2018

Subject: LCSH

Digital forensic science, Computer crimes--investigation, Linux

Disciplines

Computer Engineering | Computer Sciences | Electrical and Computer Engineering

Abstract

This paper presents the fusion of two subdomains of digital forensics: (1) raw memory analysis and (2) approximate matching. Specifically, this paper describes a prototype implementation named MRSH-MEM that allows hard drive images and memory dumps to be compared and can therefore answer the question of whether a particular program (installed on a hard drive) is currently running / loaded in memory. To answer this question, we only require both dumps or access to a public repository which provides the binaries to be tested. For our prototype, we modified an existing approximate matching algorithm named MRSH-NET and combined it with approxis, an approximate disassembler. Recent literature claims that approximate matching techniques are slow and hardly applicable to the field of memory forensics. In particular, legitimate changes to executables in memory caused by the loader itself prevent the application of current bytewise approximate matching techniques. Our approach lowers the impact of modified code in memory and shows good computational performance. In our experiments, we show how an investigator can gain meaningful insights by combining data from a hard disk image and raw memory dumps with practical runtime performance. Lastly, our current implementation will be integrable into the Volatility memory forensics framework, and we introduce new possibilities for providing data-driven cross-validation functions. Our current proof-of-concept implementation supports Linux-based raw memory dumps.

Comments

© 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

This is the authors' accepted version of the paper published by IEEE. The version of record can be found at http://dx.doi.org/10.1109/IMF.2018.00011.

This work was supported by the German Federal Ministry of Education and Research (BMBF) as well as by the Hessen State Ministry for Higher Education, Research and the Arts (HMWK) within CRISP (www.crisp-da.de).

DOI

10.1109/IMF.2018.00011

Publisher Citation

Lorenz Liebler and Frank Breitinger. "mrsh-mem: Approximate Matching on Raw Memory Dumps". In: 2018 11th International Conference on IT Security Incident Management & IT Forensics (IMF). 2018, pp. 47–64. Available from IEEE Xplore.
