Open Access. Powered by Scholars. Published by Universities.®

Digital Commons Network


Memory Forensics

Articles 1 - 5 of 5

Improving Kernel Artifact Extraction In Linux Memory Samples Using The Slub Allocator, Daniel A. Donze Apr 2022

LSU Master's Theses

Memory forensics allows an investigator to analyze the volatile memory (RAM) of a computer, providing a view into the system state of the machine as it was running. Examples of items found in memory samples that are of interest to investigators are kernel data structures which can represent processes, files, and sockets. The SLUB allocator is the default small-request memory allocator for modern Linux systems. SLUB allocates “slabs”, which are contiguous sections of pre-allocated memory that are used to efficiently service allocation requests. The predecessor to SLUB, the SLAB allocator, tracked every slab it allocated, allowing extraction of allocated slabs …


Improving Memory Forensics Capabilities On Apple M1 Computers, Raphaela Santos Mettig Rocha Apr 2022

LSU Master's Theses

Malware threats are rapidly evolving to use more sophisticated attacks. By abusing rich application APIs such as Objective-C’s, they are able to gather information about user activity, launch background processes without the user’s knowledge as well as perform other malicious activities. In some cases, memory forensics is the only way to recover artifacts related to this malicious activity, as is the case with memory-only execution. The introduction of Rosetta 2 on the Apple M1 introduces a completely new attack surface by allowing binaries of both Intel x86_64 and ARM64 architecture to run in userland. For this reason it …


Using Memory Forensics To Analyze Programming Language Runtimes, Modhuparna Manna Jan 2022

LSU Doctoral Dissertations

The continued increase in the use of computer systems in recent times has led to a significant rise in the capabilities of malware and attacker toolkits that target different operating systems and their users. Over the last several years, cybersecurity threat reports have documented numerous instances of users that were targeted by governments, intelligence agencies, and criminal groups, and the result was that the victims ended up having highly sophisticated malware installed on their systems. Unfortunately, the rise of these threats has not been met with equal research and development of defensive mechanisms that can detect and analyze such malware. …


Memory Forensics Comparison Of Apple M1 And Intel Architecture Using Volatility Framework, Joshua Duke Nov 2021

LSU Master's Theses

Memory forensics allows an investigator to get a full picture of what is occurring on-device at the time that a memory sample is captured and is frequently used to detect and analyze malware. Malicious attacks have evolved from living on disk to having persistence mechanisms in the volatile memory (RAM) of a device, and the information that is captured in memory samples contains crucial information for full forensic analysis by cybersecurity professionals. Recently, Apple unveiled computers containing a custom-designed system on a chip (SoC) called the M1 that is based on ARM architecture. Our research focused on the differences …


Improving Memory Forensics Through Emulation And Program Analysis, Ryan Dominick Maggio Mar 2021

LSU Doctoral Dissertations

Memory forensics is an important tool in the hands of investigators. However, determining if a computer is infected with malicious software is time consuming, even for experts. Tasks that require manual reverse engineering of code or data structures create a significant bottleneck in the investigative workflow. Through the application of emulation software and symbolic execution, these strains have been greatly lessened, allowing for faster and more thorough investigation. Furthermore, these efforts have reduced the barrier for forensic investigation, so that reasonable conclusions can be drawn even by non-expert investigators. While previously Volatility had allowed for the detection of malicious hooks …