Poster: Post-Intrusion Memory Forensics Analysis

A yet-to-be-solved but very vital problem in forensics analysis is accurate memory dump data type reverse engineering where the target process is not a priori specified and could be any of the running processes within the system. We present a lightweight system-wide solution that extracts data type information from the memory dump without its past execution traces. Our proposed solution constructs the dump’s accurate data structure layout through collection of statistical information about possible past traces, forensics inspection of the present memory dump, and speculative investigation of potential future executions of the suspended process. First, the engine analyzes a heavily instrumented set of execution paths of the same executable that end in the same state of the memory dump (the eip and call stack), and collects statistical information the potential data structure instances on the captured dump. Second, the engine uses the statistical information and performs a word-by-word data type forensics inspection of the captured memory dump. Finally, the engine revives the dump’s execution and explores its potential future execution paths symbolically. It traces the executions including library/system calls for their known argument/return data types, and performs backward taint analysis to mark the dump bytes with relevant data type information. Our solution’s preliminary experimental results are very promising (98.1%), and show that it improves the accuracy of the past trace-free memory forensics solutions significantly while maintaining a negligible runtime performance overhead (1.8%).