Universidad de Zaragoza Repository

Resumen: A memory dump contains the current state of a system's physical memory at the time of its acquisition. Among other things, it contains the processes that were running at the time of acquisition. These processes can share certain functionalities provided by shared object files, which are internally represented by modules in Windows. However, each process only maps in its address space the functionalities it needs, and not the entire shared object file. In this way, the current tools for extracting modules from existing processes in a memory dump from a Windows system obtain the partial content of a shared object file instead of the entire file. In this paper we present two tools, dubbed Modex and Intermodex, which are built on top of the Volatility 3 framework. These tools allow a forensic analyst to extract a 64-bit module from one or more Windows memory dumps as completely as possible. To achieve this, they aggregate the contents of the same module loaded by multiple processes that were running in the same memory dump or in different dumps (we called it intradump and interdump, respectively). Additionally, we also show how our developed tools are useful to detect dynamic-link library (DLL) hijacking attacks, a widely used attack on Windows where attackers trick processes into loading a malicious DLL instead of the benign one.
Idioma: Inglés
DOI: 10.1016/j.fsidi.2023.301505
Año: 2023
Publicado en: Forensic science international. Digital investigation 44 Supplement (2023), 301505 [8 pp.]
ISSN: 2666-2825
Factor impacto JCR: 2.0 (2023)
Categ. JCR: COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS rank: 106 / 170 = 0.624 (2023) - Q3 - T2
Categ. JCR: COMPUTER SCIENCE, INFORMATION SYSTEMS rank: 152 / 250 = 0.608 (2023) - Q3 - T2
Factor impacto CITESCORE: 5.9 - Pathology and Forensic Medicine (Q1) - Law (Q1) - Medical Laboratory Technology (Q1) - Information Systems (Q2) - Computer Science Applications (Q2)

Factor impacto SCIMAGO: 0.808 - Law (Q1) - Medical Laboratory Technology (Q1) - Pathology and Forensic Medicine (Q1) - Information Systems (Q2) - Computer Science Applications (Q2)

Financiación: info:eu-repo/grantAgreement/ES/DGA/T21-20R-DISCO
Financiación: info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00
Tipo y forma: Article (Published version)
Área (Departamento): Área Lenguajes y Sistemas Inf. (Dpto. Informát.Ingenie.Sistms.)

You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. You may not use the material for commercial purposes. If you remix, transform, or build upon the material, you may not distribute the modified material.

Exportado de SIDERAL (2024-11-22-12:01:29)


Visitas y descargas

Este artículo se encuentra en las siguientes colecciones:
Articles > Artículos por área > Lenguajes y Sistemas Informáticos