An Experimental Assessment of Inconsistencies in Memory Forensics.

Author: Ottmann, Jenny, Breitinger, Frank, Freiling, Felix
Subject:
Source: ACM Transactions on Privacy & Security; Feb 2024, Vol. 27 Issue 1, p1-29, 29p
Abstract: Memory forensics is concerned with the acquisition and analysis of copies of volatile memory (memory dumps). Based on an empirical assessment of observable inconsistencies in 360 memory dumps of a running Linux system, we confirm a state of overwhelming inconsistency in memory forensics: almost a third of these dumps had an empty process list and were therefore obviously incomplete. Out of those dumps that were analyzable, almost every second dump showed some form of inconsistency that potentially impacts the interpretation of the dump in a forensic investigation. These results are based on a new way to estimate the level of causal consistency of a memory dump. The factors influencing these inconsistencies are less clear but in general correlate with the level of concurrency (system load and number of threads). [ABSTRACT FROM AUTHOR]
Database: Complementary Index