• Title/Summary/Keyword: memory dump

Search Result 9, Processing Time 0.021 seconds

The Windows Physical Memory Dump Explorer for Live Forensics (라이브 포렌식을 위한 윈도우즈 물리 메모리 분석 도구)

  • Han, Ji-Sung;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.21 no.2
    • /
    • pp.71-82
    • /
    • 2011
  • Live data in physical memory can be acquired by live forensics but not by harddisk file-system analysis. Therefore, in case of forensic investigation, live forensics is widely used these days. But, existing live forensic methods, that use command line tools in live system, have many weaknesses; for instance, it is not easy to re-analyze and results can be modified by malicious code. For these reasons, in this paper we explain the Windows kernel architecture and how to analyze physical memory dump files to complement weaknesses of traditional live forensics. And then, we design and implement the Physical Memory Dump Explorer, and prove the effectiveness of our tool through test results.

Memory Dump of Automated Malware Analysis System based on Real Machine (실머신 기반 악성코드 자동 분석 시스템에서의 메모리 덤프)

  • Na, Jaechan;Kim, Hyunwoo;Jo, Younghun;Youn, Jonghee M.
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2014.04a
    • /
    • pp.429-430
    • /
    • 2014
  • 쿠쿠 샌드박스(Cuckoo Sandbox)는 가상머신을 이용해 악성코드를 효율적으로 분석할 수 있는 도구이다. 가상머신에서 동작하기 때문에 악성코드에 거상머신 탐지기법(VM Detect)이 있다면, 분석을 하는데 어려움이 있다. 이러한 경우 악성코드를 분석하기 위해 실머신 기반에서 분석이 가능하도록 구현하고, 구현 과정에서 메모리 덤프(Memory Dump)문제가 존재한다. 이전 방식은 가상머신 소프트웨어들이 메모리 덤프 파일을 따로 만들고 해당 파일을 분석하였지만, 실머신에서는 메모리파일을 따로 가지지 않는다. 이러한 문제를 해결하기 위해 실머신에서는 어떻게 메모리덤프 문제를 해결할 수 있는지를 알아보고 덤프를 하였을 때, 가상머신과 실머신에서 어떤 차이점이 나타나는지 알아보고자 한다.

The Study on Software Tamper Resistance for Securing Game Services (게임 서비스 보호를 위한 소프트웨어 위변조 방지기술 연구)

  • Chang, Hang-Bae;Kang, Jong-Gu;Joe, Tae-Hee
    • Journal of Korea Multimedia Society
    • /
    • v.12 no.8
    • /
    • pp.1120-1127
    • /
    • 2009
  • The commensurate number of the attacks and infringement targeting a vulnerability of the game service has been increasing constantly, due to the dramatic growth and expansion of the impact of the game industry. However, there exist no subsequent researches for the differentiated technology, which is to prevent the reverse function of the game service. Therefore, in this study, we examined the current status of infringement toward online game services which are provided in the market currently and designed the proper technical measures for a manipulation of the game service which is the most vulnerable part. We have encrypted an execution file and decrypted it in real time process. Furthermore, we conducted debugging, disassemble, and prevented a its own memory dump, also concealed the information to overcome the module dependency to preclude a manipulation.

  • PDF

A Study of Memory Information Collection and Analysis in a view of Digital Forensic in Window System (윈도우 시스템에서 디지털 포렌식 관점의 메모리 정보 수집 및 분석 방법에 관한 고찰)

  • Lee Seok-Hee;Kim Hyun-Sang;Lim JongIn;Lee SangJin
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.16 no.1
    • /
    • pp.87-96
    • /
    • 2006
  • In this paper, we examine general digital evidence collection process which is according to RFC3227 document[l], and establish specific steps for memory information collection. Besides, we include memory dump process to existing digital evidence collection process, and examine privacy information through dumping real user's memory and collecting pagefile which is part of virtual memory system. Especially, we discovered sensitive data which is like password and userID that exist in the half of pagefiles. Moreover, we suggest each analysis technique and computer forensic process for memory information and virtual memory.

Research on User Data Leakage Prevention through Memory Initialization (메모리 초기화를 이용한 사용자 데이터 유출 방지에 관한 연구)

  • Yang, Dae-Yeop;Chung, Man-Hyun;Cho, Jae-Ik;Shon, Tae-Shik;Moon, Jong-Sub
    • Journal of the Institute of Electronics Engineers of Korea TC
    • /
    • v.49 no.7
    • /
    • pp.71-79
    • /
    • 2012
  • As advances in computer technology, dissemination of smartphones and tablet PCs has increased and digital media has become easily accessible. The performance of computer hardware is improved and the form of hardware is changed, but basically the change in mechanism was not occurred. Typically, the data used in the program is resident in memory during the operation because of the operating system efficiency. So, these data in memory is accessible through the memory dumps or real-time memory analysis. The user's personal information or confidential data may be leaked by exploiting data; thus, the countermeasures should be provided. In this paper, we proposed the method that minimizes user's data leakage through finding the physical memory address of the process using virtual memory address, and initializing memory data of the process.

Computationally Efficient Instance Memory Monitoring Scheme for a Security-Enhanced Cloud Platform (클라우드 보안성 강화를 위한 연산 효율적인 인스턴스 메모리 모니터링 기술)

  • Choi, Sang-Hoon;Park, Ki-Woong
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.4
    • /
    • pp.775-783
    • /
    • 2017
  • As interest in cloud computing grows, the number of users using cloud computing services is increasing. However, cloud computing technology has been steadily challenged by security concerns. Therefore, various security breaches are springing up to enhance the system security for cloud services users. In particular, research on detection of malicious VM (Virtual Machine) is actively underway through the introspecting virtual machines on the cloud platform. However, memory analysis technology is not used as a monitoring tool in the environments where multiple virtual machines are run on a single server platform due to obstructive monitoring overhead. As a remedy to the challenging issue, we proposes a computationally efficient instance memory introspection scheme to minimize the overhead that occurs in memory dump and monitor it through a partial memory monitoring based on the well-defined kernel memory map library.

A study on Memory Analysis Bypass Technique and Kernel Tampering Detection (메모리 분석 우회 기법과 커널 변조 탐지 연구)

  • Lee, Haneol;Kim, Huy Kang
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.31 no.4
    • /
    • pp.661-674
    • /
    • 2021
  • Malware, such as a rootkit that modifies the kernel, can adversely affect the analyst's judgment, making the analysis difficult or impossible if a mechanism to evade memory analysis is added. Therefore, we plan to preemptively respond to malware such as rootkits that bypass detection through advanced kernel modulation in the future. To this end, the main structure used in the Windows kernel was analyzed from the attacker's point of view, and a method capable of modulating the kernel object was applied to modulate the memory dump file. The result of tampering is confirmed through experimentation that it cannot be detected by memory analysis tool widely used worldwide. Then, from the analyst's point of view, using the concept of tamper resistance, it is made in the form of software that can detect tampering and shows that it is possible to detect areas that are not detected by existing memory analysis tools. Through this study, it is judged that it is meaningful in that it preemptively attempted to modulate the kernel area and derived insights to enable precise analysis. However, there is a limitation in that the necessary detection rules need to be manually created in software implementation for precise analysis.

Dynamic Monitoring Framework and Debugging System for Embedded Virtualization System (가상화 환경에서 임베디드 시스템을 위한 모니터링 프레임워크와 디버깅 시스템)

  • Han, Inkyu;Lim, Sungsoo
    • KIISE Transactions on Computing Practices
    • /
    • v.21 no.12
    • /
    • pp.792-797
    • /
    • 2015
  • Effective profiling diagnoses the failure of the system and informs risk. If a failure in the target system occurs, it is impossible to diagnose more than one of the exiting tools. In this respect, monitoring of the system based on virtualization is useful. We present in this paper a monitoring framework that uses the characteristics of hardware virtualization to prevent side-effects from a target guest, and uses dynamic binary instrumentation with instruction-level trapping based on hardware virtualization to achieve efficiency and flexibility. We also present examples of some applications that use this framework. The framework provides tracing of guest kernel function, memory dump, and debugging that uses GDB stub with GDB remote protocol. The experimental evaluation of our prototype shows that the monitoring framework incurs at most 2% write memory performance overhead for end users.

The Authentication and Key Management Method based on PUF for Secure USB (PUF 기반의 보안 USB 인증 및 키 관리 기법)

  • Lee, Jonghoon;Park, Jungsoo;Jung, Seung Wook;Jung, Souhwan
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.38B no.12
    • /
    • pp.944-953
    • /
    • 2013
  • Recently, a storage media is becoming smaller and storage capacity is also becoming larger than before. However, important data was leaked through a small storage media. To solve these serious problem, many security companies manufacture secure USBs with secure function, such as data encryption, user authentication, not copying data, and management system for secure USB, etc. But various attacks, such as extracting flash memory from USBs, password hacking or memory dump, and bypassing fingerprint authentication, have appeared. Therefore, security techniques related to secure USBs have to concern many threats for them. The basic components for a secure USB are secure authentication and data encryption techniques. Though existing secure USBs applied password based user authentication, it is necessary to develop more secure authentication because many threats have appeared. And encryption chipsets are used for data encryption however we also concern key managements. Therefore, this paper suggests mutual device authentication based on PUF (Physical Unclonable Function) between USBs and the authentication server and key management without storing the secret key. Moreover, secure USB is systematically managed with metadata and authentication information stored in authentication server.