Go home now Header Background Image
Search
Submission Procedure
share: |
Special Issues
Submission Procedure
Aims and Scope
Board of Editors
What's New
 
Follow us
 
Articles by Topics
Articles by Author
Geographical Mashup
List of Topics
 
Printed Publications
 
Volume 26 (2020)
Issue 1
Issue 2
Issue 3
Issue 4
Issue 5
Issue 6
Issue 7
Issue 8
Issue 9
Issue 10
Issue 11
Volume 25 (2019)
Volume 24 (2018)
Volume 23 (2017)
Volume 22 (2016)
Volume 21 (2015)
Volume 20 (2014)
Volume 19 (2013)
Volume 18 (2012)
Volume 17 (2011)
Volume 16 (2010)
Volume 15 (2009)
Volume 14 (2008)
Volume 13 (2007)
Volume 12 (2006)
Volume 11 (2005)
Volume 10 (2004)
Volume 9 (2003)
Volume 8 (2002)
Volume 7 (2001)
Volume 6 (2000)
Volume 5 (1999)
Volume 4 (1998)
Volume 3 (1997)
Volume 2 (1996)
Volume 1 (1995)
Volume 0 (1994)
 
Collection of other papers
Volume 26 / Issue 7

available in:   PDF (2 MB) PS (2 MB)
 
get:  
Similar Docs BibTeX   Write a comment
  
get:  
Links into Future

 

Utilizing Debugging Information of Applications in Memory Forensics

Mohammed I. Al-Saleh (Jordan University of Science and Technology, Jordan)

Ethar Qawasmeh (Jordan University of Science and Technology, Jordan)

Ziad A. Al-Sharif (Jordan University of Science and Technology, Jordan)

Abstract: The rapid development in the digital world has contributed to the dramatic increase in the number of cybercrimes. An application's volatile data that is kept in memory (RAM) could give clues on how a criminal has been using the application up to acquisition time. Unfortunately, application-level memory forensics has been conducted in an ad hoc manner because a forensic investigator has to come up with a new technique for a new application. This process has become problematic and exhausting. This paper proposes a general solution to investigate any application in memory. We heavily utilize applications' debugging information generated by compilers in our solution. Furthermore, we extend Volatility [Walters, 2007], an open-source memory forensic framework, by developing and integrating a plugin to investigate applications in memory. We design several experiments to evaluate the effectiveness of our plugin. Interestingly, our plugin can parse debugging information and extract variables' names and data types regardless of their scope and complexity. In addition, we experimented with a real world application and succeeded in collecting vital information out of it. By accurately computing the Virtual Addresses (VA) of variables along with their allocated memory sizes based on their types, we are able to extract their values out of memory. In addition, we trace call stacks as per threads to extract local variables' values. Finally, direct and indirect pointers are successfully dereferenced.

Keywords: application forensics, debugging information, memory forensics

Categories: D.4.1, D.4.6, D.4.9