ForMaLity: Automated FORensic MAlware Analysis using VolatiLITY
Main Article Content
Abstract
Forensic analysis of volatile memory plays a crucial role in cyber crime investigation. It has been observed that when available, RAM
dump helps forensic investigators in retrieving many useful information related to a crime. There are variety of tools available for RAM analysis including Volatility, which currently dominates open source RAM forensic tools. It has been experienced that many times forensic investigators do not think possibilities of having a malware in the RAM dump. And, if it is there, still they are not very expert Malware Analysts, so it becomes difficult for them to analyze possible malware in a RAM dump. Availability of tools like Volatility lets forensic investigators identify and correlate various components to conclude whether the crime was carried out using any malware or not. However, use of volatility requires knowledge of command line tool and dynamic as well as static malware analysis. This work is done to assist forensic investigators in detecting and analyzing possible malware from a RAM dump. The work is based on volatility framework and outcome is a single step automated tool which analyzes RAM dump and possible malware residing in that. Final report generated using this tool gives accurate details about possibilities of use of malware in committing a crime.
dump helps forensic investigators in retrieving many useful information related to a crime. There are variety of tools available for RAM analysis including Volatility, which currently dominates open source RAM forensic tools. It has been experienced that many times forensic investigators do not think possibilities of having a malware in the RAM dump. And, if it is there, still they are not very expert Malware Analysts, so it becomes difficult for them to analyze possible malware in a RAM dump. Availability of tools like Volatility lets forensic investigators identify and correlate various components to conclude whether the crime was carried out using any malware or not. However, use of volatility requires knowledge of command line tool and dynamic as well as static malware analysis. This work is done to assist forensic investigators in detecting and analyzing possible malware from a RAM dump. The work is based on volatility framework and outcome is a single step automated tool which analyzes RAM dump and possible malware residing in that. Final report generated using this tool gives accurate details about possibilities of use of malware in committing a crime.
Downloads
Download data is not yet available.
Article Details
Section
Articles
COPYRIGHT
Submission of a manuscript implies: that the work described has not been published before, that it is not under consideration for publication elsewhere; that if and when the manuscript is accepted for publication, the authors agree to automatic transfer of the copyright to the publisher.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgment of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work
- The journal allows the author(s) to retain publishing rights without restrictions.
- The journal allows the author(s) to hold the copyright without restrictions.