基于结构链逆向的内存碎片文件雕刻算法

doi:10.11959/j.issn.1000-436x.2021143

Abstract

Abstract:

To address the extraction of document evidence for doc, pdf, and other common file types in the memory image, the model of fragment file carving based on memory image was proposed.Then, on the basis of the model, the fragment file carving algorithm based on the reverse of file object structure chain was designed and implemented, the algorithm was able to get file data left behind in the memory image file.The experimental results show that the proposed algorithm can successfully carve out of memory file’s metadata, and the accuracy is 100%, and in a typical application case, the accuracy of the algorithm for memory file can achieve 87.5%, far higher than disk-based file caving algorithm.

Key words: file carving, memory forensics, memory fragment, fragment adjacent, structure reverse

CLC Number:

TP309

Binglong LI, Zhenyu ZHOU, Yu ZHANG, Heyu ZHANG, Chaowen CHANG. Memory fragment file carving algorithm based on the reverse of the structure chain[J]. Journal on Communications, 2021, 42(7): 117-127.

Figures/Tables 10

References 31

[1]	SERVIDA F , CASEY E . IoT forensic challenges and opportunities for digital traces[J]. Digital Investigation, 2019,28: 22-29.
[2]	SUDHAKAR ， KUMAR S . An emerging threat Fileless malware:a survey and research challenges[J]. Cybersecurity, 2020,3(1): 1-12.
[3]	The Internet Crime Complaint Center. 2019 Internet crime report[R]. 2019.
[4]	McAfee Labs. 2019 threats report[R]. 2019.
[5]	CAVIGLIONE L , WENDZE S , MAZURCZKY W . The future of digital forensics:challenges and the road ahead[J]. IEEE Security ＆Privacy, 2017,15(6): 12-17.
[6]	XIAO T , XU M , XU J . Acquisiting text documents opened by notepad from Windows7 RAM image[J]. Journal of Computational Information Systems, 2014,10(16): 7117-7124.
[7]	PATEL A , MISTRY N . An analyzing of different techniques and tools to recover data from volatile memory[J]. International Journal for Scientific Research ＆ Development, 2013,1(2): 227-233.
[8]	NUR A , MOHAMAD K , HASHEEM Y . Corrupted MP4 carving using MP4-Karver[J]. International Journal of Advanced Computer Science and Applications, 2016,7(3): 88-93.
[9]	CARRIER B D , GRAND J . A hardware-based memory acquisition procedure for digital investigations[J]. Digital Investigation, 2004,1(1): 50-60.
[10]	MULLAN P , RIESS C , FREILING F . Forensic source identification using JPEG image headers:the case of smartphones[J]. Digital Investigation, 2019,28: 68-76.
[11]	BAHJAT A A , JONES J . Deleted file fragment dating by analysis of allocated neighbors[J]. Digital Investigation, 2019,28: 60-67.
[12]	KORNBLUM J D . Using every part of the buffalo in Windows memory analysis[J]. Digital Investigation, 2007,4(1): 24-29.
[13]	DOLAN-GAVITT B . The VAD tree:a process-eye view of physical memory[J]. Digital Investigation, 2007,4: 62-64.
[14]	VAN-BAAR R B , ALINK W , VAN-BALLEGOOIJ A R , . Forensic memory analysis:files mapped in memory[J]. Digital Investigation, 2008,5: 52-57.
[15]	QUICK D , CHOO K K R . Impacts of increasing volume of digital forensic data:a survey and future research challenges[J]. Digital Investigation, 2014,11(4): 273-294.
[16]	GAO Y H , CAO T J . Memory forensics for QQ from a live system[J]. Journal of Computers, 2010,5(4): 541-548.
[17]	PETRONI N L , WALTERS A , FRASER T ,et al. FATKit:a framework for the extraction and analysis of digital forensic data from volatile system memory[J]. Digital Investigation, 2006,3(4): 197-210.
[18]	马庆杰, 李炳龙, 位丽娜 . 基于SQLite内容雕刻的恢复技术[J]. 计算机应用, 2017,37(2): 392-396.
	MA Q J , LI B L , WEI L N . File recovery based on SQlite content carving[J]. Journal of Computer Applications, 2017,37(2): 392-396.
[19]	高元照, 李炳龙, 陈性元 . 基于MapReduce的HDFS数据窃取随机检测算法[J]. 通信学报, 2018,39(10): 11-21.
	GAO Y Z , LI B L , CHEN X Y . Stochastic algorithm for HDFS data theft detection based on MapReduce[J]. Journal on Communications, 2018,39(10): 11-21.
[20]	V?MEL S , FREILING F C . Correctness,atomicity,and integrity:defining criteria for forensically-sound memory acquisition[J]. Digital Investigation, 2012,9(2): 125-137.
[21]	HEO H S , SO B M , YANG I H ,et al. Automated recovery of damaged audio files using deep neural networks[J]. Digital Investigation, 2019,30: 117-126.
[22]	高元照, 李炳龙, 吴熙曦 . 基于物理内存的注册表逆向重建取证分析算法[J]. 山东大学学报(理学版), 2016,51(9): 127-136.
	GAO Y Z , LI B L , WU X X . A forensic analysis algorithm of registry reverse reconstruction based on physical memory[J]. Journal of Shan-dong University (Natural Science), 2016,51(9): 127-136.
[23]	KHILOSIYA B , MAKADIYA K . Malware analysis and using memory forensic[J]. Multidisciplinary International Research Journal of Gujarat Technological University, 2020,2(2): 106-117.
[24]	SCHUSTER A . Searching for processes and threads in Microsoft Windows memory dumps[J]. Digital Investigation, 2006,3: 10-16.
[25]	SALAVE P , WAKDIKAR A . Memory forensics:tools comparison[J]. International Journal of Science and Research, 2017,6(6): 5-8.
[26]	COHEN M . Scanning memory with Yara[J]. Digital Investigation, 2017,20: 34-43.
[27]	OKOLICA J , PETERSON G L . Windows operating systems agnostic memory analysis[J]. Digital Investigation, 2010,7: 48-56.
[28]	GS StatCounter . Desktop Windows version market share worldwide[R]. 2020.
[29]	MARZIALE L , RICHARD G G III , ROUSSEV V III . Massive threading:using GPUs to increase the performance of digital forensics tools[J]. Digital Investigation, 2007,4: 73-81.
[30]	AL-SHARIF Z A , AL-KHALEE A Y , AL-SALEH M I ,et al. Carving and clustering files in ram for memory forensics[J]. Far East Journal of Electronics and Communications, 2018,18(5): 695-722.
[31]	The Honeynet Project. Challenge 3-banking troubles[R]. 2010.

Metrics

Recommended 0

No Suggested Reading articles found!

文件	doc/B	pdf/B	txt/B	jpg/B
f0	24 064	51 618	32	14 717
f1	26 112	66 067	698	60 019
f2	26 624	86 311	747	97 788
f3	27 136	138 276	778	122 854
f4	28 160	145 813	997	141 963
f5	39 424	159 331	3 917	226 174
f6	81 920	212 392	15 127	360 907
f7	118 784	272 669	24 154	421 069
f8	189 952	397 519	24 564	2 599 419
f9	233 984	2 173 636	318 997	6 523 649

文件类型	本文方法		Scalpel 1.60
文件类型	元数据	文件内容	元数据	文件内容
jpg	√	√	×	×
doc	√	√	×	×
pdf	√	√	×	×
txt	√	√	×	√×

文件类型	本文方法		Scalpel 1.60
文件类型	元数据/个	文件/个	元数据/个	文件/个
doc	10	8	0	0
pdf	10	8	0	0
txt	10	10	0	0
jpg	10	9	0	2
平均精确度	100%	87.5％	0	5％

文件类型	本文方法		Scalpel 1.60
文件类型	元数据/个	文件/个	元数据/个	文件/个
doc	10	2	0	0
pdf	10	1	0	0
txt	10	10	0	0
jpg	10	4	0	1
平均精确度	100%	42.5％	0	2.5％

实验	本文算法		文献[30]算法
实验	元数据/个	文件/个	元数据/个	文件/个
实验1	10	10	0	5
实验2	10	8	0	4
实验3	10	1	0	2
精确度	100%	63.3%	0	36.7%

Memory fragment file carving algorithm based on the reverse of the structure chain

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 31

Related Articles 15

Metrics

Recommended 0

[1]	Xiaoni DU, Xiangyu WANG, Lifang LIANG, Kaibin LI. Quantum cryptanalysis of lightweight block cipher Piccolo [J]. Journal on Communications, 2023, 44(6): 175-182.
[2]	Zhen ZHENG, Yingjian YAN, Juesong CAI, Yanjiang LIU. Non-specific TVLA method based on two-sample KS test [J]. Journal on Communications, 2023, 44(5): 137-147.
[3]	Tao FENG, Liqiu CHEN, Junli FANG, Jianming SHI. Blockchain data sharing scheme based on localized difference privacy and attribute-based searchable encryption [J]. Journal on Communications, 2023, 44(5): 224-233.
[4]	Dacheng ZHOU, Hongchang CHEN, Weizhen HE, Guozhen CHENG, Hongchao HU. Research on multidimensional dynamic defense strategy for microservice based on deep reinforcement learning [J]. Journal on Communications, 2023, 44(4): 50-63.
[5]	Ming TANG, Yifan HU. Load-to-store: exploit the time leakage of store buffer transient window [J]. Journal on Communications, 2023, 44(4): 64-77.
[6]	Wei LI, Chun LIU, Dawu GU, Wenqian SUN, Jianning GAO, Mengyang QIN. Statistical ineffective fault analysis of the lightweight authenticated cipher algorithm Saturnin-Short [J]. Journal on Communications, 2023, 44(4): 167-175.
[7]	Yuling LIU, Cuilin WANG, Zhangjie FU. Generative text steganography method based on emotional expression in semantic space [J]. Journal on Communications, 2023, 44(4): 176-186.
[8]	Baiji HU, Xiaojuan ZHANG, Yuancheng LI, Rongxin LAI. Multi-function supported privacy protection data aggregation scheme for V2G network [J]. Journal on Communications, 2023, 44(4): 187-200.
[9]	Wei FAN, Cheng PENG, Dali ZHU, Yuqing WANG. Research on intrusion response strategy based on static Bayesian game in mobile edge computing network [J]. Journal on Communications, 2023, 44(2): 70-81.
[10]	Dongyan HUANG, Kun LI. Research on multi-address time-based blockchain covert communication method [J]. Journal on Communications, 2023, 44(2): 148-159.
[11]	Shufen ZHANG, Yanling DONG, Jingcheng XU, Haoshi WANG. AdaBoost algorithm based on target perturbation [J]. Journal on Communications, 2023, 44(2): 198-209.
[12]	Shengbao WANG, Xin ZHOU, Kang WEN, Bosen WENG. Tripartite authenticated key exchange protocol for smart grid [J]. Journal on Communications, 2023, 44(2): 210-218.
[13]	Yiliang HAN, Kaiyang GUO, Riming WU, Kai LIU. Attribute-based encryption scheme against key abuse based on OBDD access structure from lattice [J]. Journal on Communications, 2023, 44(1): 75-88.
[14]	Chao XIA, Yaqi LIU, Qingxiao GUAN, Xin JIN, Yanshuo ZHANG, Shengwei XU. Steganalysis of JPEG images using non-linear residuals [J]. Journal on Communications, 2023, 44(1): 142-152.
[15]	Xiaodong FU, Xinxin QI, Li LIU, Wei PENG, Jiaman DING, Fei DAI. Detecting and preventing collusion attack in DPoS based on power index [J]. Journal on Communications, 2022, 43(12): 123-133.