Rodríguez, Ricardo J; Martín-Pérez, Miguel; Abadía, Iñaki
A Tool to Compute Approximation Matching between Windows Processes (Proceedings Article)
In: Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS), pp. 313–318, 2018.
@inproceedings{RMA-ISDFS-18,
title = {A Tool to Compute Approximation Matching between Windows Processes},
author = {Ricardo J Rodríguez and Miguel Martín-Pérez and Iñaki Abadía},
url = {http://webdiis.unizar.es/~ricardo/files/papers/RMA-ISDFS-18.pdf},
doi = {10.1109/ISDFS.2018.8355372},
year = {2018},
date = {2018-01-01},
booktitle = {Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS)},
pages = {313--318},
abstract = {Finding identical digital objects (or artifacts) during a forensic analysis is commonly achieved by means of cryptographic hashing functions, such as MD5, SHA-1, or SHA-256, to name a few. However, these functions suffer from the avalanche effect property, which guarantees that if an input is changed slightly the output changes significantly. Hence, these functions are unsuitable for typical digital forensics scenarios where a forensic memory image from a likely compromised machine shall be analyzed. This memory image file contains a snapshot of the processes (instances of executable files) that were executing when the dump was taken. However, processes are relocated in memory and contain dynamic data that depend on the current execution and environmental conditions. Therefore, the comparison of cryptographic hash values of different processes from the same executable file will be negative. Bytewise approximation matching algorithms may help in these scenarios, since they provide a similarity measurement in the range $[0,1]$ between similar inputs instead of a yes/no answer (in the range $\{0,1\}$). In this paper, we introduce ProcessFuzzyHash, a Volatility plugin that enables us to compute approximation hash values of processes contained in a Windows memory dump.},
keywords = {bytewise approximate matching, forensic memory analysis, Volatility, Windows},
pubstate = {published},
tppubtype = {inproceedings}
}
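The following is an added illustration of the problem the abstract describes; it is not code from the paper or from the ProcessFuzzyHash plugin. It builds a constructed pseudo-random "process image", produces a relocated copy by adding a delta to a handful of 32-bit values (standing in for absolute pointers fixed up by the loader), and shows that SHA-256 treats the two as unrelated while a simplified context-triggered piecewise hash (CTPH, the idea behind ssdeep, but deliberately not ssdeep-compatible) still reports a similarity close to 1. The rolling hash, chunk hash, block size and relocation model are all assumptions chosen for the demonstration. Python is used because Volatility plugins are written in Python.

```python
"""Constructed demo: cryptographic hashes vs. bytewise approximate matching
on a relocated process image. Not ssdeep-compatible; the CTPH here is a
simplified model of the technique, not the plugin's implementation."""
import hashlib
import random
import struct

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7           # bytes covered by the rolling hash (assumed)
BLOCK_SIZE = 128     # trigger fires roughly once per BLOCK_SIZE bytes (assumed)
FNV_BASIS, FNV_PRIME = 0x811C9DC5, 0x01000193   # 32-bit FNV-1a constants


def ctph_signature(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Context-triggered piecewise hash (simplified).

    A rolling sum over the last WINDOW bytes decides where a chunk ends, so a
    local byte change only disturbs the boundaries next to it instead of
    shifting every block (which fixed-size blocks would do). Each chunk is
    folded with FNV-1a into one base64 character, giving a short signature.
    Low-entropy input (e.g. all zeros) never triggers and yields one chunk;
    a production CTPH would adapt block_size to the input length."""
    sig = []
    chunk_hash, chunk_len, rolling = FNV_BASIS, 0, 0
    for i, b in enumerate(data):
        chunk_hash = ((chunk_hash ^ b) * FNV_PRIME) & 0xFFFFFFFF
        chunk_len += 1
        rolling += b
        if i >= WINDOW:
            rolling -= data[i - WINDOW]          # byte leaving the window
        if rolling % block_size == block_size - 1:   # context trigger
            sig.append(B64[chunk_hash & 63])
            chunk_hash, chunk_len = FNV_BASIS, 0
    if chunk_len:                                 # trailing partial chunk
        sig.append(B64[chunk_hash & 63])
    return "".join(sig)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two signatures (classic two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a: str, sig_b: str) -> float:
    """Similarity in [0, 1]: 1.0 for identical signatures, near 0 for unrelated."""
    longest = max(len(sig_a), len(sig_b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(sig_a, sig_b) / longest


def build_image(seed: int = 1, size: int = 16384) -> bytes:
    """Constructed stand-in for a dumped process image: seeded pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


def relocate(image: bytes, delta: int = 0x10000, stride: int = 2048) -> bytes:
    """Model loader relocation: add DELTA to one little-endian 32-bit 'pointer'
    every STRIDE bytes, leaving the rest of the image untouched (assumed model)."""
    buf = bytearray(image)
    for off in range(64, len(buf) - 4, stride):
        (ptr,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, (ptr + delta) & 0xFFFFFFFF)
    return bytes(buf)


def compare(a: bytes, b: bytes) -> dict:
    """Exact (SHA-256) verdict next to the approximate-matching score."""
    return {
        "sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "similarity": similarity(ctph_signature(a), ctph_signature(b)),
    }


if __name__ == "__main__":
    original = build_image()
    relocated = relocate(original)
    unrelated = build_image(seed=2)
    print("same image      :", compare(original, original))
    print("relocated copy  :", compare(original, relocated))   # SHA-256 differs, similarity high
    print("unrelated image :", compare(original, unrelated))   # both low
```

The point to take from the output is the gap between the two columns: a single changed byte flips the SHA-256 verdict to "different" (the avalanche effect the abstract describes), whereas the CTPH score degrades in proportion to how much of the image actually changed, which is what lets two dumps of the same executable, loaded at different base addresses, be recognised as the same program.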