U.S. Department of Energy
Office of Scientific and Technical Information

The Evolution of Volatile Memory Forensics

Journal Article · Journal of Cybersecurity and Privacy
DOI: https://doi.org/10.3390/jcp2030028 · OSTI ID: 1876935

The collection and analysis of volatile memory is a vibrant area of research in the cybersecurity community. The ever-evolving and growing threat landscape is trending towards fileless malware, which avoids traditional detection but can be found by examining a system's random access memory (RAM). Additionally, volatile memory analysis offers great insight into other malicious vectors. RAM contains fragments of encrypted files' contents, as well as lists of running processes, imported modules, and network connections, all of which are difficult or impossible to extract from the file system. For these compelling reasons, recent research efforts have focused on the collection of memory snapshots and on methods to analyze them for the presence of malware. However, to the best of our knowledge, no current reviews or surveys exist that systematize the research on both memory acquisition and analysis. We fill that gap with this novel survey by exploring the state-of-the-art tools and techniques for volatile memory acquisition and analysis for malware identification. For memory acquisition methods, we explore the trade-offs many techniques make between snapshot quality, performance overhead, and security. For memory analysis, we examine the traditional forensic methods used, including signature-based methods, dynamic methods performed in a sandbox environment, and machine learning-based approaches. We summarize the currently available tools and suggest areas for further research.

Sponsoring Organization:
USDOE
Grant/Contract Number:
AC52-07NA27344
OSTI ID:
1876935
Alternate ID(s):
OSTI ID: 1884642
OSTI ID: 1885656
Journal Information:
Journal of Cybersecurity and Privacy, Vol. 2, Issue 3; ISSN 2624-800X
Publisher:
MDPI AG
Country of Publication:
Country unknown/Code not available
Language:
English

