Biblio

The era of information technology has, unfortunately, contributed to the tremendous rise in the number of criminal activities. However, digital artifacts can be utilized in convicting cybercriminal and exposing their activities. The digital forensics science concerns about all aspects related to cybercrimes. It seeks digital evidence by following standard methodologies to be admitted in court rooms. This paper concerns about memory forensics for the unique artifacts it holds. Memory contains information about the current state of systems and applications. Moreover, an application's data explains how a criminal has been interacting the application just before the memory is acquired. Memory forensics at the application level is currently random and cumbersome. Targeting specific applications is what forensic researchers and practitioner are currently striving to provide. This paper suggests a general solution to investigate any application. Our solution aims to utilize an application's data structures and variables' information in the investigation process. This is because an application's data has to be stored and retrieved in the means of variables. Data structures and variables' information can be generated by compilers for debugging purposes. We show that an application's information is a valuable resource to the investigator.

Perpetrators utilize different network reconnaissance techniques in order to discover vulnerabilities and conduct their attacks. Port scanning can be leveraged to conclude open ports, available services, and even running operating systems along with their versions. Even though these techniques are effective, their aggressiveness for information gain could leave an apparent sign of attack, which can be observed by the variety of security controls deployed at the network perimeter of an organization. However, not all such attacks can be stopped nor the corresponding security controls can defend against insiders. In this paper, we tackle the problem of reconnaissance detection using a different approach. We utilize the rich information that is kept in memory (or RAM). We observe that packets sent or received stay in memory for a while. Our results show that inspecting memory for attack signs is beneficial. Furthermore, correlating contents that are obtained from different memories empowers the investigation process and helps reach to conclusions.

Security is of concern of any computing system. Intruders break into machines to steal private data, important credentials, or credit cards. Causing damage, denying services, spaming, and defrauding are among intruders' goals. Security engineers strive to secure systems against many kinds of attacks. Different security controls are deployed at variety of perimeters to fight attacks. Firewalls, intrusion detection systems, intrusion prevention systems, encryption techniques, spam filters, and anti-adware are among such security controls. As a last line of defense, the Antivirus (AV) is of an important concern to the end-users community. Mainly, the AV achieves security by scanning data against its database of virus signatures. In addition, the AV tries to reach a pleasant balance between security and performance because end-users are not willing to deploy a performance-killing AV. When to scan data is an important design factor an Antivirus has to make. In this study, we test two AV aspects. First, we want to know how aggressive the AV is against kernel-level activities compared with user-level activities. In order to do that, we implemented a kernel-level device driver that reads malware with the present of the AV. Second, because AVs are equipped with on-access scanners that are triggered based on file access, we want to know how the AV is achieving that and how that could affect the overall performance.