An Experimental Assessment of Inconsistencies in Memory Forensics

Ottmann J, Breitinger F, Freiling F (2023)

Publication Type: Journal article, Original article

Publication year: 2023

Journal: ACM Transactions on Privacy and Security

Book Volume: 27

Article Number: 2

Journal Issue: 1

DOI: 10.1145/3628600

Abstract

Memory forensics is concerned with the acquisition and analysis of copies of volatile memory (memory dumps). Based on an empirical assessment of observable inconsistencies in 360 memory dumps of a running Linux system, we confirm a state of overwhelming inconsistency in memory forensics: almost a third of these dumps had an empty process list and were therefore obviously incomplete. Of the dumps that were analyzable, almost every second one showed some form of inconsistency that potentially affects the interpretation of the dump in a forensic investigation. These results are based on a new way to estimate the level of causal consistency of a memory dump. The factors influencing these inconsistencies are less clear, but in general they correlate with the level of concurrency (system load and number of threads).

How to cite

APA:

Ottmann, J., Breitinger, F., & Freiling, F. (2023). An Experimental Assessment of Inconsistencies in Memory Forensics. ACM Transactions on Privacy and Security, 27(1). https://dx.doi.org/10.1145/3628600

MLA:

Ottmann, Jenny, Frank Breitinger, and Felix Freiling. "An Experimental Assessment of Inconsistencies in Memory Forensics." ACM Transactions on Privacy and Security 27.1 (2023).
