Title | A tool to compute approximation matching between windows processes |
Publication Type | Conference Paper |
Year of Publication | 2018 |
Authors | Rodríguez, R. J., Martín-Pérez, M., Abadía, I. |
Conference Name | 2018 6th International Symposium on Digital Forensic and Security (ISDFS) |
Keywords | Approximation algorithms, approximation matching algorithms, Binary codes, bytewise approximate matching, composability, cryptographic hash values, cryptographic hashing functions, cryptography, digital forensics scenarios, dumping process, executable file, file organisation, forensic analysis, forensic memory analysis, Forensics, forensics memory image, Image forensics, image matching, Malware, memory image file, Metrics, Microsoft Windows, Microsoft Windows (operating systems), pubcrawl, Resiliency, Tools, volatility, Windows, Windows memory dump, Windows Operating System Security, windows processes |
Abstract | Finding identical digital objects (or artifacts) during a forensic analysis is commonly achieved by means of cryptographic hash functions such as MD5, SHA-1, or SHA-256, to name a few. However, these functions exhibit the avalanche effect, which guarantees that if an input is changed slightly the output changes significantly. Hence, they are unsuitable for typical digital forensics scenarios in which a memory image from a likely compromised machine is to be analyzed. Such a memory image file contains a snapshot of the processes (instances of executable files) that were running when the dump was taken. However, processes are relocated in memory and contain dynamic data that depend on the current execution and environmental conditions. Therefore, comparing the cryptographic hash values of different processes from the same executable file will never yield a match. Bytewise approximate matching algorithms may help in these scenarios, since they provide a similarity measurement in the range [0,1] between similar inputs instead of a yes/no answer (a value in the set {0,1}). In this paper, we introduce ProcessFuzzyHash, a Volatility plugin that enables us to compute approximate hash values of processes contained in a Windows memory dump. |
DOI | 10.1109/ISDFS.2018.8355372 |
Citation Key | rodriguez_tool_2018 |
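The abstract's argument in runnable form, as an added illustration that is not code from the paper or from the ProcessFuzzyHash plugin: two toy "process images" of the same executable are constructed (labelled as such in the code), the second one relocated by 0x10000 and carrying different dynamic data. Their SHA-256 digests differ in roughly half of their bits (the avalanche effect), while a simple bytewise score, here a Jaccard index over byte 4-grams standing in for a real approximate matching algorithm such as the ones the plugin wraps, still reports a high similarity, and a low one for an unrelated binary loaded at the same base. The image layout, the base addresses and the `run_id`/`code_seed` parameters are assumptions made for this example.

```python
"""Why cryptographic hashes fail on relocated processes, and how a bytewise
similarity score in [0, 1] behaves instead.

Added illustration only: the 'process images' are constructed toy data and
the similarity function is a plain byte n-gram Jaccard index, not the
ProcessFuzzyHash plugin or any algorithm from the paper."""
import hashlib
import struct


def build_image(base: int, run_id: int, code_seed: int = 1, blocks: int = 32) -> bytes:
    """Constructed toy 'process image': `blocks` blocks of fixed code bytes, each
    followed by an absolute pointer that depends on the load base, then a
    32-byte region of run-specific (dynamic) data."""
    out = bytearray()
    for i in range(blocks):
        # 24 bytes of deterministic pseudo-random 'code', identical across runs
        out += hashlib.sha256(b"code-%d-%d" % (code_seed, i)).digest()[:24]
        # an absolute address into a table at base+0x1000; changes on relocation
        out += struct.pack("<Q", base + 0x1000 + i * 0x40)
    # dynamic data (PID, timestamps, heap contents ...) that differs per run
    out += hashlib.sha256(b"run-%d" % run_id).digest()
    return bytes(out)


def sha256_bit_difference(a: bytes, b: bytes) -> float:
    """Fraction of differing digest bits; about 0.5 for any two distinct inputs
    (the avalanche effect), no matter how similar the inputs are."""
    da = hashlib.sha256(a).digest()
    db = hashlib.sha256(b).digest()
    differing = sum(bin(x ^ y).count("1") for x, y in zip(da, db))
    return differing / (8 * len(da))


def ngram_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Bytewise approximate matching stand-in: Jaccard index of the sets of
    byte n-grams, giving a score in [0, 1] rather than a yes/no answer."""
    ga = {a[i:i + n] for i in range(len(a) - n + 1)}
    gb = {b[i:i + n] for i in range(len(b) - n + 1)}
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def compare_dumps() -> dict:
    """Same executable captured twice (relocated by 0x10000, different dynamic
    data) plus an unrelated binary at the original base. Returns the
    measurements a forensic analyst would look at."""
    first = build_image(base=0x00007FF612340000, run_id=1)
    second = build_image(base=0x00007FF612350000, run_id=2)
    other = build_image(base=0x00007FF612340000, run_id=3, code_seed=99)
    return {
        # exact-match hashing: never true for two captures of the same process
        "same_sha256": hashlib.sha256(first).hexdigest() == hashlib.sha256(second).hexdigest(),
        "sha256_bit_diff": sha256_bit_difference(first, second),
        # approximate matching: high for the same executable, low otherwise
        "similar_score": ngram_similarity(first, second),
        "unrelated_score": ngram_similarity(first, other),
    }


if __name__ == "__main__":
    for key, value in compare_dumps().items():
        print(f"{key}: {value}")
```

The Jaccard index is deliberately the simplest bytewise measure that has the property the abstract cares about (a graded score rather than equality); production tools such as ssdeep or sdhash use context-triggered piecewise hashing or feature-based digests that are also robust to insertions and scale to large inputs, which this stand-in is not.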