Detection of Anti-forensics and Malware Applications in Volatile Memory Acquisition

  • Conference paper
Advances and Trends in Artificial Intelligence. Theory and Practices in Artificial Intelligence (IEA/AIE 2022)

Abstract

Malicious software running on a target system, whether malware or an anti-forensic tool, can impede data collection, processing, and testing in digital and cyber forensic investigations. VolMemLyzer was developed by Lashkari et al. to identify malware executing in memory dumps using machine learning techniques. In this research, the use of VolMemLyzer was extended to detect the presence of malware or anti-forensic software from features extracted from a memory dump. We also implemented the Multi-layer Perceptron, Random Forest, K-Nearest Neighbors, AdaBoost, and Decision Tree machine learning models. The results demonstrated that the Multi-layer Perceptron can compete with Random Forest and K-Nearest Neighbors. We were also able to perform multi-class classification to detect numerous, overlapping application types, and we added features to VolMemLyzer to extend its applicability to any profile supported by Volatility 2.

Notes

  1. http://www.rekall-forensic.com/.

  2. https://github.com/volatilityfoundation/volatility.

References

  1. AlHarbi, R., AlZahrani, A., Bhat, W.A.: Forensic analysis of anti-forensic file-wiping tools on Windows. J. Forensic Sci. (2021)

  2. Aljaedi, A., Lindskog, D., Zavarsky, P., Ruhl, R., Almari, F.: Comparative analysis of volatile memory forensics: live response vs. memory imaging. In: 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing, pp. 1253–1258 (2011). https://doi.org/10.1109/PASSAT/SocialCom.2011.68

  3. Bhat, W.A., AlZahrani, A., Wani, M.A.: Can computer forensic tools be trusted in digital investigations? Sci. Justice 61(2), 198–203 (2021)

  4. Block, F., Dewald, A.: Windows memory forensics: detecting (un)intentionally hidden injected code by examining page table entries. Digit. Investig. 29, S3–S12 (2019)

  5. Botacin, M., Grégio, A., Alves, M.A.Z.: Near-memory & in-memory detection of fileless malware. In: The International Symposium on Memory Systems. MEMSYS 2020, pp. 23–38. Association for Computing Machinery, New York (2020). https://doi.org/10.1145/3422575.3422775

  6. Case, A., et al.: HookTracer: automatic detection and analysis of keystroke loggers using memory forensics. Comput. Secur. 96, 101872 (2020)

  7. Case, A., Richard, G.G.: Memory forensics: the path forward. Digit. Investig. 20, 23–33 (2017). Special Issue on Volatile Memory Analysis. https://doi.org/10.1016/j.diin.2016.12.004, https://www.sciencedirect.com/science/article/pii/S1742287616301529

  8. Chan, E., Venkataraman, S., David, F., Chaugule, A., Campbell, R.: ForenScope: a framework for live forensics. In: Proceedings of the 26th Annual Computer Security Applications Conference. ACSAC 2010, pp. 307–316. Association for Computing Machinery, New York (2010). https://doi.org/10.1145/1920261.1920307

  9. Cheng, Y., Fu, X., Du, X., Luo, B., Guizani, M.: A lightweight live memory forensic approach based on hardware virtualization. Inf. Sci. 379, 23–41 (2017). https://doi.org/10.1016/j.ins.2016.07.019, https://www.sciencedirect.com/science/article/pii/S0020025516305011

  10. Handaya, W., Yusoff, M., Jantan, A.: Machine learning approach for detection of fileless cryptocurrency mining malware. J. Phys. Conf. Ser. 1450, 012075. IOP Publishing (2020)

  11. Jeon, J., Park, J.H., Jeong, Y.S.: Dynamic analysis for IoT malware detection with convolution neural network model. IEEE Access 8, 96899–96911 (2020)

  12. Jerbi, M., Dagdia, Z.C., Bechikh, S., Said, L.B.: On the use of artificial malicious patterns for Android malware detection. Comput. Secur. 92, 101743 (2020)

  13. Kawaguchi, N., Omote, K.: Malware function classification using APIs in initial behavior. In: 2015 10th Asia Joint Conference on Information Security, pp. 138–144. IEEE (2015)

  14. Lashkari, A.H., Li, B., Carrier, T.L., Kaur, G.: VolMemLyzer: volatile memory analyzer for malware classification using feature engineering. In: 2021 Reconciling Data Analytics, Automation, Privacy, and Security: A Big Data Challenge (RDAAPS), pp. 1–8 (2021). https://doi.org/10.1109/RDAAPS48126.2021.9452028

  15. Lengyel, T.K., Neumann, J., Maresca, S., Payne, B.D., Kiayias, A.: Virtual machine introspection in a hybrid honeypot architecture. In: CSET (2012)

  16. Liang, G., Pang, J., Dai, C.: A behavior-based malware variant classification technique. Int. J. Inf. Educ. Technol. 6(4), 291 (2016)

  17. Lin, C.T., Wang, N.J., Xiao, H., Eckert, C.: Feature selection and extraction for malware classification. J. Inf. Sci. Eng. 31(3), 965–992 (2015)

  18. Or-Meir, O., Nissim, N., Elovici, Y., Rokach, L.: Dynamic malware analysis in the modern era: a state of the art survey. ACM Comput. Surv. 52(5) (2019). https://doi.org/10.1145/3329786

  19. Palutke, R., Block, F., Reichenberger, P., Stripeika, D.: Hiding process memory via anti-forensic techniques. Forensic Sci. Int. Digit. Investig. 33, 301012 (2020)

  20. Panker, T., Nissim, N.: Leveraging malicious behavior traces from volatile memory using machine learning methods for trusted unknown malware detection in Linux cloud environments. Knowl.-Based Syst. 226, 107095 (2021)

  21. Patil, D.N., Meshram, B.B.: Extraction of forensic evidences from Windows volatile memory. In: 2017 2nd International Conference for Convergence in Technology (I2CT), pp. 421–425 (2017). https://doi.org/10.1109/I2CT.2017.8226164

  22. Pedregosa, F., et al.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)

  23. Rathnayaka, C., Jamdagni, A.: An efficient approach for advanced malware analysis using memory forensic technique. In: 2017 IEEE Trustcom/BigDataSE/ICESS, pp. 1145–1150. IEEE (2017)

  24. Wani, M.A., AlZahrani, A., Bhat, W.A.: File system anti-forensics: types, techniques and tools. Comput. Fraud Secur. 2020(3), 14–19 (2020)

  25. Wüchner, T., Ochoa, M., Pretschner, A.: Robust and effective malware detection through quantitative data flow graph metrics. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 98–118. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_6

  26. Yunus, Y.K.B.M., Ngah, S.B.: Review of hybrid analysis technique for malware detection. In: IOP Conference Series: Materials Science and Engineering, vol. 769, p. 012075. IOP Publishing (2020)

Author information

Corresponding author: Bing Zhou

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Ratcliffe, C., Bokolo, B.G., Oladimeji, D., Zhou, B. (2022). Detection of Anti-forensics and Malware Applications in Volatile Memory Acquisition. In: Fujita, H., Fournier-Viger, P., Ali, M., Wang, Y. (eds) Advances and Trends in Artificial Intelligence. Theory and Practices in Artificial Intelligence. IEA/AIE 2022. Lecture Notes in Computer Science(), vol 13343. Springer, Cham. https://doi.org/10.1007/978-3-031-08530-7_44

  • DOI: https://doi.org/10.1007/978-3-031-08530-7_44

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-08529-1

  • Online ISBN: 978-3-031-08530-7
