95833 20231006143301.0 doi 10.1016/j.fsidi.2020.300917 sideral 118432 ART-2020-118432 eng Uroz, D. Universidad de Zaragoza (orcid)0000-0001-5484-2842 On Challenges in Verifying Trusted Executable Files in Memory Forensics 2020 Access copy available to the general public Unrestricted Memory forensics is a fundamental step in any security incident response process, especially in computer systems where malware may be present. Thememory of the system is acquired and then analyzed, looking for facts about the security incident. To remain stealthy and undetected in computer systems, malware are abusing the code signing technology, which helps to establish trust in computer software. Intuitively, a memory forensic analyst can think of code signing as a preliminary step to prioritize the list of processes to analyze. However, amemory dump does not contain an exact copy of an executable file (the file as stored in disk) and thus code signing may be useless in this context. In this paper, we investigate the limitations that memory forensics imposes to the digital signature verification process of Windows PE signed files obtained from a memory dump. These limitations are data incompleteness, data changes caused by relocation, catalog-signed files, and executable file and process inconsistencies. We also discuss solutions to these limitations. Moreover, we have developed a Volatility plugin named sigcheck that recovers executable files from a memory dump and computes its digital signature (if feasible). We tested it on Windows 7 x86 and x64 memory dumps. Our experiments showed that the success rate is low, especially when the memory is acquired from a system that has been running for a long time. info:eu-repo/grantAgreement/ES/DGA/T21-17R-DISCO info:eu-repo/grantAgreement/ES/MICIU/Medrese-RTI2018-098543-B-I00 info:eu-repo/semantics/openAccess by-nc-nd http://creativecommons.org/licenses/by-nc-nd/3.0/es/ 0.0 2020 COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS COMPUTER SCIENCE, INFORMATION SYSTEMS info:eu-repo/semantics/article info:eu-repo/semantics/publishedVersion Rodriguez, R.J. Universidad de Zaragoza (orcid)0000-0001-7982-0359 5007 570 Universidad de Zaragoza Dpto. Informát.Ingenie.Sistms. Área Lenguajes y Sistemas Inf. 32, S (2020), 300917 [10 pp] Forensic sci. int. digital invest. Forensic science international. Digital investigation 2666-2825 1134284 http://zaguan.unizar.es/record/95833/files/texto_completo.pdf Versión publicada 32608 http://zaguan.unizar.es/record/95833/files/texto_completo.jpg?subformat=icon icon Versión publicada oai:zaguan.unizar.es:95833 articulos driver 2023-10-06-14:06:52 ARTICLE