
Advances in memory forensics

Abstract : The adoption of memory forensics, the art of extracting artifacts from the volatile memory of a compromised system, is spreading in cyber-security investigations. The main reason for this enthusiasm is that many artifacts cannot be found anywhere else, so forensic analysts can use memory to build the big picture of a malicious behavior. Nevertheless, memory forensics is less than two decades old: many challenges are unsolved and many questions are unanswered. This thesis gives a new perspective on three of these problems. The first contribution studies the effects of non-atomic acquisition methods. The root cause of this problem is straightforward to explain: while the memory is being acquired, user and kernel processes keep running and therefore keep modifying its content. As a result, the memory dump does not represent the state of memory at a single point in time, but rather a mix of multiple points in time. The second contribution focuses on automatically extracting a forensic profile from a memory dump. Having a valid profile is a strong requirement for memory analysis, because without one no structured memory forensics technique can be applied. This problem therefore effectively prevents memory forensics from being used in those scenarios where creating a profile is hard, if not impossible. The third and last contribution of this thesis aims to change how forensic rules, better known as plugins, are created. Nowadays, these rules are manually written by kernel experts and forensics practitioners. Unfortunately, this manual approach offers no guarantee on the quality or on the uniqueness of these rules.
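The inconsistency produced by non-atomic acquisition can be reproduced in miniature. The Python script below is an added illustration, not code from the thesis: it simulates a page-by-page acquisition of a small constructed memory image while a simulated kernel unlinks a node from a linked list (standing in for a process list) between two page copies. The node layout, the addresses and the MAGIC tag are assumptions of the example, and the "kernel activity" is a hook invoked after each page copy rather than a real concurrent writer.

```python
"""Simulate a non-atomic, page-by-page memory acquisition racing against a
running kernel that modifies a linked list spread over several pages.
Added example; the memory layout below is constructed for the demonstration."""
import struct

PAGE_SIZE = 64
NUM_PAGES = 4
MAGIC = 0x4C4953544E4F4445          # "LISTNODE" tag marking a live node
NODE = struct.Struct("<QQQ")        # (magic, pid, next_addr), little-endian

# Constructed layout: the three nodes live on different pages (0, 3 and 1)
# so that a write landing between two page copies is visible in the dump.
ADDR_A, ADDR_B, ADDR_C = 0x08, 0xC8, 0x48


def write_node(mem, addr, pid, nxt):
    NODE.pack_into(mem, addr, MAGIC, pid, nxt)


def build_memory():
    """Live memory at time t0: list A -> B -> C -> NULL."""
    mem = bytearray(PAGE_SIZE * NUM_PAGES)
    write_node(mem, ADDR_A, 1, ADDR_B)
    write_node(mem, ADDR_B, 2, ADDR_C)
    write_node(mem, ADDR_C, 3, 0)
    return mem


def unlink_b(mem):
    """Kernel side: remove node B from the list and free (zero) its page."""
    write_node(mem, ADDR_A, 1, ADDR_C)
    page_start = (ADDR_B // PAGE_SIZE) * PAGE_SIZE
    mem[page_start:page_start + PAGE_SIZE] = b"\x00" * PAGE_SIZE


def acquire(mem, after_page=None):
    """Copy memory one page at a time; `after_page` models activity that
    happens on the live system between two page copies."""
    dump = bytearray(len(mem))
    for page in range(NUM_PAGES):
        lo, hi = page * PAGE_SIZE, (page + 1) * PAGE_SIZE
        dump[lo:hi] = mem[lo:hi]
        if after_page is not None:
            after_page(page, mem)
    return dump


def walk(dump, head):
    """Pointer-walking 'plugin': follow next pointers from the list head.
    Returns (pids, error) where error is None for a consistent list."""
    pids, addr, seen = [], head, set()
    while addr != 0:
        if addr in seen or addr + NODE.size > len(dump):
            return pids, "loop or out-of-bounds pointer at %#x" % addr
        seen.add(addr)
        magic, pid, nxt = NODE.unpack_from(dump, addr)
        if magic != MAGIC:
            return pids, "dangling pointer: %#x does not hold a live node" % addr
        pids.append(pid)
        addr = nxt
    return pids, None


def scan(dump):
    """Carving 'plugin': find nodes by tag, ignoring the pointers entirely."""
    found = []
    for addr in range(0, len(dump) - NODE.size + 1, 8):
        magic, pid, _ = NODE.unpack_from(dump, addr)
        if magic == MAGIC:
            found.append(pid)
    return found


def atomic_dump():
    """Idealised snapshot: nothing changes while the pages are copied."""
    return acquire(build_memory())


def non_atomic_dump():
    """Page 0 (holding A, with A.next -> B) is copied, then the kernel
    unlinks B and frees its page, then the remaining pages are copied."""
    def kernel_activity(page, mem):
        if page == 0:
            unlink_b(mem)
    return acquire(build_memory(), kernel_activity)


if __name__ == "__main__":
    print("atomic     walk:", walk(atomic_dump(), ADDR_A), "scan:", scan(atomic_dump()))
    print("non-atomic walk:", walk(non_atomic_dump(), ADDR_A), "scan:", scan(non_atomic_dump()))
```

In the non-atomic dump, page 0 reflects the state before the unlink (A still points at B) while page 3 reflects the state after it (B's page is zeroed), so the list walk stops at a dangling pointer and reports only one process. Tag scanning still recovers every node whose page survived, which is why carving-based plugins tolerate smeared dumps better than pointer-walking ones, at the price of also surfacing stale or freed structures.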
Contributor : ABES STAR
Submitted on : Friday, February 12, 2021 - 5:21:36 PM
Last modification on : Sunday, June 26, 2022 - 9:39:16 AM
Long-term archiving on : Friday, May 14, 2021 - 9:34:17 AM


Version validated by the jury (STAR)


  • HAL Id : tel-03140355, version 1


Fabio Pagani. Advances in memory forensics. Performance [cs.PF]. Sorbonne Université, 2019. English. ⟨NNT : 2019SORUS299⟩. ⟨tel-03140355⟩


