Increasingly complex malware continues to evade detection, stealing information, taking systems offline, and disrupting functionality of many computer systems. Traditional techniques have not adequately protected systems from attackers, and the most commonly used detection techniques overlook the contents of memory.Modern systems contain a wealth of information in the contents of memory, but making use of that information is anything but trivial.There are a number of challenges related to both the acquisition and analysis of a system's memory.Many forensic situations could involve machines in hostile environments, and many acquisition techniques result in artifacts, which reduce the fidelity of the image and hinder the analysis phase.Although the kernel memory space has come a long way in being mapped, the state of application memory has largely been unexplored. We have created a toolset that extracts the application's context from the structure of pointers in a sample of that application's memory.This context allows us to perform statistical analysis, visualize the structure of memory, and provides a new way to train classifiers.
PDF
download
878987797
028-85220240
