MemTri: A Memory Forensics Triage Tool Using Bayesian Network and Volatility

Antonis Michalas, Rohan Murray

Research output: Conference article › Scientific › peer-reviewed

3 Citations (Scopus)

Abstract

This work explores the development of MemTri, a memory forensics triage tool that assesses the likelihood of criminal activity in a memory image based on evidence data artefacts generated by several applications. Fictitious scenarios of illegal suspect activity were performed on virtual machines to generate 60 test memory images as input for MemTri. Four categories of applications (Internet browsers, instant messengers, FTP clients and document processors) are examined for data artefacts located through the use of regular expressions. The identified data artefacts are then analysed with a Bayesian network to assess the likelihood that a seized memory image contains evidence of illegal firearms trading. MemTri's normal mode of operation achieved a high artefact identification accuracy of 95.7% while the applications' processes were running. However, this fell significantly to 60% once the applications' processes had been terminated. To improve MemTri's accuracy, a second mode was developed, which achieved more stable results of around 80% accuracy even after the applications' processes were terminated.
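The pipeline the abstract describes, artefacts located by regular expressions and then combined in a Bayesian network, is illustrated below with an added Python example. This is not MemTri's code: the artefact patterns, the keyword list, the one-parent network shape and every probability in the conditional probability tables are assumptions chosen for the example, and the "memory image" is a constructed byte string rather than a real dump.

```python
"""Toy regex-then-Bayes memory triage (added example, not MemTri's code)."""
from __future__ import annotations
import re

# Illustrative artefact patterns, one per application category named in the
# abstract. Assumed for this example; MemTri's actual rule set is not shown here.
ARTEFACT_PATTERNS = {
    "browser": re.compile(rb"https?://[\x21-\x7e]{4,}"),
    "messenger": re.compile(rb"<msg from=\"[^\"]+\">[^<]{1,200}</msg>"),
    "ftp": re.compile(rb"\b(?:USER|PASS|STOR|RETR) [\x21-\x7e]+"),
    "document": re.compile(rb"[\w\-]{1,64}\.(?:docx|odt|pdf)\b"),
}

# Assumed vocabulary that makes an artefact relevant to the hypothesis
# "illegal firearms trading" (H).
KEYWORDS = re.compile(rb"(?i)\b(?:rifle|pistol|ammo|firearm|glock)\b")

# Conditional probability tables for a naive-Bayes-shaped network: one
# hypothesis node H and one Boolean child per category ("relevant artefact
# found"). All values are illustrative assumptions, not figures from the paper.
PRIOR_H = 0.10
CPT = {  # category: (P(found | H), P(found | not H))
    "browser": (0.90, 0.30),
    "messenger": (0.80, 0.10),
    "ftp": (0.60, 0.05),
    "document": (0.70, 0.20),
}


def scan_image(image: bytes) -> dict[str, list[bytes]]:
    """Run every category pattern over the raw image; return matches per category."""
    return {cat: [m.group(0) for m in pat.finditer(image)]
            for cat, pat in ARTEFACT_PATTERNS.items()}


def observations(found: dict[str, list[bytes]]) -> dict[str, bool]:
    """Collapse each category to one evidence node: any keyword-relevant artefact?"""
    return {cat: any(KEYWORDS.search(a) for a in arts)
            for cat, arts in found.items()}


def posterior(obs: dict[str, bool], prior: float = PRIOR_H) -> float:
    """Exact inference P(H | obs): multiply each child's likelihood under H and
    under not-H, then normalise. Children are conditionally independent given H."""
    like_h, like_not_h = prior, 1.0 - prior
    for cat, seen in obs.items():
        p_h, p_not = CPT[cat]
        like_h *= p_h if seen else (1.0 - p_h)
        like_not_h *= p_not if seen else (1.0 - p_not)
    return like_h / (like_h + like_not_h)


def triage(image: bytes) -> tuple[float, dict[str, bool]]:
    """Full pipeline: regex scan -> evidence nodes -> posterior likelihood."""
    obs = observations(scan_image(image))
    return posterior(obs), obs


# Constructed sample images: application strings embedded in filler bytes,
# standing in for a real capture. Neither is a real memory dump.
SUSPECT_IMAGE = (
    b"\x00" * 32
    + b"GET https://market.invalid/listing/glock-19 HTTP/1.1\r\n"
    + b"\x90\x90" * 8
    + b"<msg from=\"buyer42\">can you ship the rifle to the PO box?</msg>"
    + b"\xff" * 16
    + b"USER trader\r\nPASS hunter2\r\nSTOR ammo-prices.xlsx\r\n"
    + b"\x00" * 16
    + b"quarterly_report.docx\x00invoice-rifle-parts.pdf\x00"
)
CLEAN_IMAGE = (
    b"\x00" * 32
    + b"GET https://news.invalid/weather HTTP/1.1\r\n"
    + b"<msg from=\"alice\">lunch at noon?</msg>"
    + b"quarterly_report.docx\x00"
)

if __name__ == "__main__":
    for name, img in (("suspect", SUSPECT_IMAGE), ("clean", CLEAN_IMAGE)):
        p, obs = triage(img)
        print(f"{name}: P(H|evidence)={p:.3f} evidence={obs}")
```

The example scans the whole image as a flat byte string, which is what makes it indifferent to whether the originating process is still alive; a per-process scan over address spaces reconstructed by Volatility would lose those strings once the process table entry is gone, which is the failure mode the abstract's accuracy drop points at. The constructed clean image still contains browser, messenger and document artefacts, so the posterior stays near the prior only because none of them carries a hypothesis keyword: the keyword filter, not the mere presence of an artefact, is what drives the network.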
Original language: English
Title: Proceedings of the 2017 International Workshop on Managing Insider Security Threats
Place of publication: New York, NY, USA
Publisher: ACM
Pages: 57-66
Number of pages: 10
ISBN (print): 978-1-4503-5177-5
Status: Published - 2017
Published externally: Yes
OKM publication type: A4 Article in conference proceedings

Publication series

Name: MIST '17
Publisher: ACM
