Digital Forensic Analysis on Runtime Instruction Flow
Abstract
A computer system's runtime information is an essential part of digital evidence. Current digital forensic approaches mainly focus on memory and I/O data, while the runtime instructions executed by processes are often ignored. We present a novel approach to runtime instruction forensic analysis and have developed a forensic system that collects the instruction flow and extracts digital evidence from it. The system is based on whole-system emulation, and analysts can define the analysis strategy to improve analysis efficiency and reduce overhead. This forensic approach and system are applicable to binary code analysis, information retrieval and malware forensics.
References (13)
- [1] Anon. Bochs: the Open Source IA-32 Emulation Project [EB/OL]. http://bochs.sourceforge.net.
- [2] SHARIF M, LANZI A, GIFFIN J, et al. Automatic Reverse Engineering of Malware Emulators [C]// Proceedings of the 30th IEEE Symposium on Security and Privacy (ISSP). IEEE Press, 2009: 94-109.
- [3] YIN H, SONG D. TEMU: Binary Code Analysis via Whole-system Layered Annotative Execution [R]. Technical Report. Berkeley, 2010.
- [4] MALIN C, CASEY E, AQUILINA J. Malware Forensics: Investigating and Analyzing Malicious Code [M]. Syngress, 2008.
- [5] DINABURG A, ROYAL P, SHARIF M, et al. Ether: Malware Analysis via Hardware Virtualization Extensions [C]// Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS). New York: ACM, 2008: 51-62.
- [6] MARTIGNONI A, PALEARI R, ROGLIA G, et al. Testing CPU Emulators [C]// Proceedings of the 18th International Symposium on Software Testing and Analysis. New York: ACM, 2009: 261-272.
- [7] Anon. What Is Windows PE? [EB/OL]. http://technet.microsoft.com/en-us/library/dd799308(WS.10).aspx.
- [8] Anon. SliTaz GNU/Linux [EB/OL]. http://www.slitaz.org/en/.
- [9] MAARTMANN-MOE C, THORKILDSEN S, ARNES A. The Persistence of Memory: Forensic Identification and Extraction of Cryptographic Keys [J]. Digital Investigation, 2009, 6(1): 132-140.
- [10] Anon. FIPS 46-2 (DES), Data Encryption Standard [EB/OL]. http://www.itl.nist.gov/fipspubs/fip46-2.htm.
- [1] TIAN Zhihong, JIANG Wei, LI Yang. A Transductive Scheme Based Inference Techniques for Network Forensic Analysis [J]. China Communications, 2015, 12(2): 167-176. Cited by: 1
- [2] Jianlin Xu, Yifan Yu, Zhen Chen, Bin Cao, Wenyu Dong, Yu Guo, Junwei Cao. MobSafe: Cloud Computing Based Forensic Analysis for Massive Mobile Applications Using Data Mining [J]. Tsinghua Science and Technology, 2013, 18(4): 418-427. Cited by: 2
- [3] Zhen Chen, Fuye Han, Junwei Cao, Xin Jiang, Shuo Chen. Cloud Computing-Based Forensic Analysis for Collaborative Network Security Management System [J]. Tsinghua Science and Technology, 2013, 18(1): 40-50. Cited by: 8
- [4] Zhen Chen, Linyun Ruan, Junwei Cao, Yifan Yu, Xin Jiang. TIFAflow: Enhancing Traffic Archiving System with Flow Granularity for Forensic Analysis in Network Security [J]. Tsinghua Science and Technology, 2013, 18(4): 406-417. Cited by: 3