- Title
An adaptive approach for Linux memory analysis based on kernel code reconstruction.
- Authors
Zhang, Shuhui; Meng, Xiangxu; Wang, Lianhai
- Abstract
Memory forensics plays an important role in security and forensic investigations. Hence, numerous studies have investigated Windows memory forensics, and considerable progress has been made. In contrast, research on Linux memory forensics is relatively sparse, and the current knowledge does not meet the requirements of forensic investigators. Existing solutions are not especially sophisticated, and their complicated operation and limited treatment range are unsatisfactory. This paper describes an adaptive approach for Linux memory analysis that can automatically identify the kernel version and recover symbol information from an image. In particular, given a memory image or a memory snapshot without any additional information, the proposed technique can automatically reconstruct the kernel code, identify the kernel version, recover symbol table files, and extract live system information. Experimental results indicate that our method runs satisfactorily across a wide range of operating system versions.
- Subjects
LINUX operating systems; KERNEL (Mathematics); COMPUTER operating systems; MATHEMATICAL functions; FORENSIC document examination
- Publication
EURASIP Journal on Information Security, 2016, Vol 2016, Issue 1, p1
- ISSN
1687-4161
- Publication type
Article
- DOI
10.1186/s13635-016-0038-z