Search Icon
Submissions

LogicMEM: Automatic Profile Generation for Binary-Only Memory Forensics via Logic Inference

Zhenxiao Qi (UC Riverside), Yu Qu (UC Riverside), Heng Yin (UC Riverside)

Memory forensic tools rely on the knowledge of kernel symbols and kernel object layouts to retrieve digital evidence and artifacts from memory dumps. This knowledge is called profile. Existing solutions for profile generation are either inconvenient or inaccurate. In this paper, we propose a logic inference approach to automatically generating a profile directly from a memory dump. It leverages the invariants existing in kernel data structures across all kernel versions and configurations to precisely locate forensics-required fields in kernel objects. We have implemented a prototype named LOGICMEM and evaluated it on memory dumps collected from mainstream Linux distributions, customized Linux kernels with random configurations, and operating systems designed for Android smartphones and embedded devices. The evaluation results show that the proposed logic inference approach is well-suited for locating forensics-required fields and achieves 100% precision and recall for mainstream Linux distributions and 100% precision and 95% recall for customized kernels with random configurations. Moreover, we show that false negatives can be eliminated with improved logic rules. We also demonstrate that LOGICMEM can generate profiles when it is otherwise difficult (if not impossible) for existing approaches, and support memory forensics tasks such as rootkit detection.

Paper
Video

View More Papers

Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and...

Wenjia Zhao (Xi'an Jiaotong University and University of Minnesota), Kangjie Lu (University of Minnesota), Qiushi Wu (University of Minnesota), Yong Qi (Xi'an Jiaotong University)

Read More

ProvTalk: Towards Interpretable Multi-level Provenance Analysis in Networking Functions...

Azadeh Tabiban (CIISE, Concordia University, Montreal, QC, Canada), Heyang Zhao (CIISE, Concordia University, Montreal, QC, Canada), Yosr Jarraya (Ericsson Security Research, Ericsson Canada, Montreal, QC, Canada), Makan Pourzandi (Ericsson Security Research, Ericsson Canada, Montreal, QC, Canada), Mengyuan Zhang (Department of Computing, The Hong Kong Polytechnic University, China), Lingyu Wang (CIISE, Concordia University, Montreal, QC, Canada)

Read More

insecure:// Vulnerability Analysis of URI Scheme Handling in Android...

Abdulla Aldoseri (University of Birmingham) and David Oswald (University of Birmingham)

Read More

Forensic Analysis of Configuration-based Attacks

Muhammad Adil Inam (University of Illinois at Urbana-Champaign), Wajih Ul Hassan (University of Illinois at Urbana-Champaign), Ali Ahad (University of Virginia), Adam Bates (University of Illinois at Urbana-Champaign), Rashid Tahir (University of Prince Mugrin), Tianyin Xu (University of Illinois at Urbana-Champaign), Fareed Zaffar (LUMS)

Read More