Digital Forensic Analysis on Runtime Instruction Flow

  • Conference paper
Forensics in Telecommunications, Information, and Multimedia (e-Forensics 2010)

Abstract

A computer system's runtime information is an essential part of the digital evidence. Current digital forensic approaches mainly focus on memory and I/O data, while the runtime instructions executed by processes are often ignored. We present a novel approach to runtime instruction forensic analysis and have developed a forensic system that collects the instruction flow and extracts digital evidence from it. The system is based on whole-system emulation, and analysts can define an analysis strategy to improve analysis efficiency and reduce overhead. This forensic approach and system are applicable to binary code analysis, information retrieval and malware forensics.

Supported by SafeNet Northeast Asia grant awards.


Copyright information

© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Li, J., Gu, D., Deng, C., Luo, Y. (2011). Digital Forensic Analysis on Runtime Instruction Flow. In: Lai, X., Gu, D., Jin, B., Wang, Y., Li, H. (eds) Forensics in Telecommunications, Information, and Multimedia. e-Forensics 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 56. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23602-0_15

  • DOI: https://doi.org/10.1007/978-3-642-23602-0_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23601-3

  • Online ISBN: 978-3-642-23602-0
