Abstract |
---|
Memory forensics plays an important role in security and forensic investigations. Numerous studies have therefore investigated Windows memory forensics, and considerable progress has been made. In contrast, research on Linux memory forensics is relatively sparse, and current knowledge does not meet the requirements of forensic investigators. Existing tools are cumbersome to operate and support only a limited range of targets. This paper describes an adaptive approach to Linux memory analysis that automatically identifies the kernel version and recovers symbol information from an image. In particular, given a memory image or memory snapshot without any additional information, the proposed technique can automatically reconstruct the kernel code, identify the kernel version, recover symbol table files, and extract live system information. Experimental results indicate that the method performs satisfactorily across a wide range of operating system versions. |
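The abstract describes identifying the kernel version from a raw image with no prior information. One well-known first step toward that goal is to scan the dump for the boot banner string (linux_banner, the text printed by `uname -a` and `/proc/version`), which every kernel embeds in its read-only data. The Python below is an added example illustrating that step; it is not the authors' tool or method, and the sample image bytes are constructed here for demonstration.

```python
"""Locate Linux kernel version banners in a raw memory image.

Every Linux kernel embeds the string printed at boot (linux_banner):
    "Linux version <release> (<user>@<host>) (<compiler>) <version string>\n"
Scanning a raw dump for that pattern yields the exact kernel release with
no prior knowledge of the system, which is the starting point for choosing
or rebuilding the matching symbol table for deeper analysis.
"""
import mmap
import re
from typing import List, NamedTuple, Tuple

# The compiler field may contain one level of nested parentheses, e.g.
# "(gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5) )".
BANNER_RE = re.compile(
    rb"Linux version (?P<release>\d+\.\d+(?:\.\d+)?[\w.+~-]*) "
    rb"\((?P<builder>[^()\n]*)\) "
    rb"\((?P<compiler>(?:[^()\n]|\([^()\n]*\))*)\) "
    rb"(?P<version>#\d+[^\n\x00]*)"
)


class KernelBanner(NamedTuple):
    offset: int      # byte offset of the banner inside the image
    release: str     # e.g. "4.4.0-112-generic" (uname -r)
    builder: str     # user@host that built the kernel
    compiler: str    # compiler identification string
    version: str     # e.g. "#135-Ubuntu SMP Fri Jan 19 ..." (uname -v)


def scan_banners(image) -> List[KernelBanner]:
    """Return the distinct kernel banners in a bytes-like image, in offset order.

    A dump often holds several copies of the same banner (the running
    kernel's .rodata, a cached vmlinuz, kexec staging), so identical
    banner texts are reported once, at the lowest offset.
    """
    seen = set()
    found = []
    for m in BANNER_RE.finditer(image):
        key = m.group(0)
        if key in seen:
            continue
        seen.add(key)
        dec = lambda g: m.group(g).decode("ascii", errors="replace").strip()
        found.append(KernelBanner(m.start(), dec("release"), dec("builder"),
                                  dec("compiler"), dec("version")))
    return found


def scan_file(path: str) -> List[KernelBanner]:
    """Scan a memory dump on disk without loading it fully into memory."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return scan_banners(mm)


def release_tuple(release: str) -> Tuple[int, ...]:
    """'4.4.0-112-generic' -> (4, 4, 0); handy for version comparisons."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups() if x is not None)


# Constructed sample "image": filler bytes around two realistic banners,
# with the first banner duplicated the way a stale copy would appear in a
# real dump. Not taken from any actual memory capture.
BANNER_A = (b"Linux version 4.4.0-112-generic (buildd@lgw01-amd64-010) "
            b"(gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5) ) "
            b"#135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018\n\x00")
BANNER_B = (b"Linux version 3.10.0-693.el7.x86_64 (builder@kbuilder.dev.centos.org) "
            b"(gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) "
            b"#1 SMP Tue Aug 22 21:09:27 UTC 2017\n\x00")
SAMPLE_IMAGE = (b"\x00" * 64 + BANNER_A + b"\xff" * 128 + BANNER_B
                + b"\x00" * 96 + BANNER_A + b"\x00" * 32)

if __name__ == "__main__":
    for b in scan_banners(SAMPLE_IMAGE):
        print(f"0x{b.offset:08x}  {b.release:<28} {release_tuple(b.release)}  {b.version}")
```

On a real dump, `scan_file("memory.raw")` runs the same scan over a memory-mapped file. Finding more than one distinct banner is normal (an older kernel's image still sitting in the page cache, for instance), so the result should be cross-checked against other kernel structures before a symbol table is selected; the banner alone does not prove which kernel was running.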
Year | DOI | Venue |
---|---|---|
2016 | 10.1186/s13635-016-0038-z | EURASIP J. Information Security |
Keywords | Field | DocType |
Memory forensics, Linux memory analysis, Kernel symbol | sysfs,Memory forensics,Shared memory,Computer security,Computer science,Distributed memory,Theoretical computer science,Memory map,Flat memory model,Memory footprint,Overlay | Journal |
Volume | Issue | ISSN |
2016 | 1 | 1687-417X |
Citations | PageRank | References |
2 | 0.38 | 13 |
Authors |
---|
3 |
Name | Order | Citations | PageRank |
---|---|---|---|
Shuhui Zhang | 1 | 32 | 4.82 |
Xiangxu Meng | 2 | 308 | 60.76 |
Lianhai Wang | 3 | 18 | 2.69 |