Image-based kernel fingerprinting

The correct identification of operating system kernel versions is the first critical step in deep memory analysiseit enables the precise parsing of the kernel data structures and the correct interpretation of the observed system state. Identifying the exact kernel version is particularly challenging for open source operating systems where kernel upgrades are released frequently, and custom versions can be created on demand. State of the practice approaches, such as Volatility's, rely on small and fragile signatures; state of the art research work relies on intricate understanding of architecture-specific implementation details, which limits them to Intel x86 environments, and requires continuous updates to identify the distinguishing characteristics of new kernels. In contrast, our work builds robust signatures based solely on the content of the kernel images on disk, and is able to efficiently distinguish among incremental kernel version updates. The approach is entirely content-driven and requires no low-level analysis of the operation of the kernel. It utilizes an approximate matching toolesdhasheto extract kernel fingerprints, and can be applied across different architectures without the need to parse and interpret the RAM snapshot. In addition, our evaluation data which contains hundreds of kernels, provides insights into the typical levels of content similarity across related kernels. © 2014 Digital Forensics ResearchWorkshop. Published by Elsevier Ltd. All rights reserved.