Abstract
Malicious software operating on a target system, whether malware or anti-forensic tooling, can impede data collection, processing, and testing in digital and cyber forensic research. VolMemLyzer was developed by Lashkari et al. to identify malware executing in memory dumps using machine learning techniques. In this research we extended VolMemLyzer to detect the presence of malware or anti-forensic software using features extracted from a memory dump. We also implemented Multi-layer Perceptron, Random Forest, K-Nearest Neighbors, AdaBoost, and Decision Tree machine learning models. The results demonstrated that the Multi-layer Perceptron can compete with Random Forest and K-Nearest Neighbors. We were also able to perform multi-class classification to detect numerous, overlapping application types, and we added features to VolMemLyzer to expand its applicability to any profile supported by Volatility 2.
References
AlHarbi, R., AlZahrani, A., Bhat, W.A.: Forensic analysis of anti-forensic file-wiping tools on Windows. J. Forensic Sci. (2021)
Aljaedi, A., Lindskog, D., Zavarsky, P., Ruhl, R., Almari, F.: Comparative analysis of volatile memory forensics: live response vs. memory imaging. In: 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing, pp. 1253–1258 (2011). https://doi.org/10.1109/PASSAT/SocialCom.2011.68
Bhat, W.A., AlZahrani, A., Wani, M.A.: Can computer forensic tools be trusted in digital investigations? Sci. Justice 61(2), 198–203 (2021)
Block, F., Dewald, A.: Windows memory forensics: detecting (un)intentionally hidden injected code by examining page table entries. Digit. Investig. 29, S3–S12 (2019)
Botacin, M., Grégio, A., Alves, M.A.Z.: Near-memory & in-memory detection of fileless malware. In: The International Symposium on Memory Systems. MEMSYS 2020, pp. 23–38. Association for Computing Machinery, New York (2020). https://doi.org/10.1145/3422575.3422775
Case, A., et al.: HookTracer: automatic detection and analysis of keystroke loggers using memory forensics. Comput. Secur. 96, 101872 (2020)
Case, A., Richard, G.G.: Memory forensics: the path forward. Digit. Investig. 20, 23–33 (2017). Special Issue on Volatile Memory Analysis. https://doi.org/10.1016/j.diin.2016.12.004, https://www.sciencedirect.com/science/article/pii/S1742287616301529
Chan, E., Venkataraman, S., David, F., Chaugule, A., Campbell, R.: ForenScope: a framework for live forensics. In: Proceedings of the 26th Annual Computer Security Applications Conference. ACSAC 2010, pp. 307–316. Association for Computing Machinery, New York (2010). https://doi.org/10.1145/1920261.1920307
Cheng, Y., Fu, X., Du, X., Luo, B., Guizani, M.: A lightweight live memory forensic approach based on hardware virtualization. Inf. Sci. 379, 23–41 (2017). https://doi.org/10.1016/j.ins.2016.07.019, https://www.sciencedirect.com/science/article/pii/S0020025516305011
Handaya, W., Yusoff, M., Jantan, A.: Machine learning approach for detection of fileless cryptocurrency mining malware. J. Phys. Conf. Ser. 1450, 012075. IOP Publishing (2020)
Jeon, J., Park, J.H., Jeong, Y.S.: Dynamic analysis for IoT malware detection with convolution neural network model. IEEE Access 8, 96899–96911 (2020)
Jerbi, M., Dagdia, Z.C., Bechikh, S., Said, L.B.: On the use of artificial malicious patterns for Android malware detection. Comput. Secur. 92, 101743 (2020)
Kawaguchi, N., Omote, K.: Malware function classification using APIs in initial behavior. In: 2015 10th Asia Joint Conference on Information Security, pp. 138–144. IEEE (2015)
Lashkari, A.H., Li, B., Carrier, T.L., Kaur, G.: VolMemLyzer: volatile memory analyzer for malware classification using feature engineering. In: 2021 Reconciling Data Analytics, Automation, Privacy, and Security: A Big Data Challenge (RDAAPS), pp. 1–8 (2021). https://doi.org/10.1109/RDAAPS48126.2021.9452028
Lengyel, T.K., Neumann, J., Maresca, S., Payne, B.D., Kiayias, A.: Virtual machine introspection in a hybrid honeypot architecture. In: CSET (2012)
Liang, G., Pang, J., Dai, C.: A behavior-based malware variant classification technique. Int. J. Inf. Educ. Technol. 6(4), 291 (2016)
Lin, C.T., Wang, N.J., Xiao, H., Eckert, C.: Feature selection and extraction for malware classification. J. Inf. Sci. Eng. 31(3), 965–992 (2015)
Or-Meir, O., Nissim, N., Elovici, Y., Rokach, L.: Dynamic malware analysis in the modern era: a state of the art survey. ACM Comput. Surv. 52(5) (2019). https://doi.org/10.1145/3329786
Palutke, R., Block, F., Reichenberger, P., Stripeika, D.: Hiding process memory via anti-forensic techniques. Forensic Sci. Int. Digit. Investig. 33, 301012 (2020)
Panker, T., Nissim, N.: Leveraging malicious behavior traces from volatile memory using machine learning methods for trusted unknown malware detection in Linux cloud environments. Knowl.-Based Syst. 226, 107095 (2021)
Patil, D.N., Meshram, B.B.: Extraction of forensic evidences from Windows volatile memory. In: 2017 2nd International Conference for Convergence in Technology (I2CT), pp. 421–425 (2017). https://doi.org/10.1109/I2CT.2017.8226164
Pedregosa, F., et al.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)
Rathnayaka, C., Jamdagni, A.: An efficient approach for advanced malware analysis using memory forensic technique. In: 2017 IEEE Trustcom/BigDataSE/ICESS, pp. 1145–1150. IEEE (2017)
Wani, M.A., AlZahrani, A., Bhat, W.A.: File system anti-forensics: types, techniques and tools. Comput. Fraud Secur. 2020(3), 14–19 (2020)
Wüchner, T., Ochoa, M., Pretschner, A.: Robust and effective malware detection through quantitative data flow graph metrics. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 98–118. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20550-2_6
Yunus, Y.K.B.M., Ngah, S.B.: Review of hybrid analysis technique for malware detection. In: IOP Conference Series: Materials Science and Engineering, vol. 769, p. 012075. IOP Publishing (2020)
© 2022 Springer Nature Switzerland AG
Cite this paper
Ratcliffe, C., Bokolo, B.G., Oladimeji, D., Zhou, B. (2022). Detection of Anti-forensics and Malware Applications in Volatile Memory Acquisition. In: Fujita, H., Fournier-Viger, P., Ali, M., Wang, Y. (eds) Advances and Trends in Artificial Intelligence. Theory and Practices in Artificial Intelligence. IEA/AIE 2022. Lecture Notes in Computer Science(), vol 13343. Springer, Cham. https://doi.org/10.1007/978-3-031-08530-7_44
DOI: https://doi.org/10.1007/978-3-031-08530-7_44
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-08529-1
Online ISBN: 978-3-031-08530-7