Title
The Effects of Platforms and Languages on the Memory Footprint of the Executable Program: A Memory Forensic Approach.
Abstract
Identifying the software used in a cybercrime can play a key role in establishing the evidence against the perpetrator in a court of law. This can be achieved by various means, one of which is to utilize the RAM contents. RAM comprises vital information about the current state of a system, including its running processes. Accordingly, the memory footprint of a process can be used as evidence about its usage. However, this evidence can be influenced by several factors. This paper evaluates three of these factors. First, it evaluates how the programming language used affects the evidence. Second, it evaluates how the platform used affects the evidence. Finally, it evaluates how the search for this evidence is influenced by the implicitly used encoding scheme. Our results should assist the investigator in their quest to identify the best amount of evidence about the used software based on its execution logic, host platform, language used, and the encoding of its string values. Results show that the amount of digital evidence is highly affected by these factors. For instance, the memory footprint of Java-based software is often more traceable than the footprints of languages such as C++ and C#. Moreover, the memory footprint of a C# program is more visible on Linux than it is on Windows or Mac OS. Hence, software-related values are often successfully identified in RAM memory dumps even after the program is stopped.
Year: 2019
Venue: JOURNAL OF UNIVERSAL COMPUTER SCIENCE
Keywords: Digital Forensics, Memory Forensics, Runtime Behavior, RAM Dumps
Field: Data mining, Software engineering, Computer science, Memory footprint, Executable
DocType: Journal
Volume: 25
Issue: 9
ISSN: 0948-695X
Citations: 0
PageRank: 0.34
References: 0
Authors: 5
Name | Order | Citations | PageRank
Ziad A. Al-Sharif | 1 | 0 | 0.34
Mohammed I. Al-Saleh | 2 | 0 | 0.34
Yaser Jararweh | 3 | 968 | 88.95
Luay Alawneh | 4 | 0 | 0.34
Ahmed Shatnawi | 5 | 2 | 2.46