Full-Text Articles in Engineering
Mrsh-Mem: Approximate Matching On Raw Memory Dumps, Lorenz Liebler, Frank Breitinger
Electrical & Computer Engineering and Computer Science Faculty Publications
This paper presents the fusion of two subdomains of digital forensics: (1) raw memory analysis and (2) approximate matching. Specifically, this paper describes a prototype implementation named MRSH-MEM that allows comparing hard drive images as well as memory dumps and can therefore answer the question of whether a particular program (installed on a hard drive) is currently running / loaded in memory. To answer this question, we only require both dumps or access to a public repository that provides the binaries to be tested. For our prototype, we modified an existing approximate matching algorithm named MRSH-NET and combined it with …