SaTC: CORE: Medium: Robust Memory Forensics Techniques for Userland Malware Analysis

SaTC：核心：中：用于用户态恶意软件分析的强大内存取证技术

• 批准号: 1703683
• 负责人: Golden Richard
• 金额: $ 111.34万
• 依托单位: Louisiana State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-09-01 至 2020-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1703683&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Robust; Memory

State-of-the-art malicious software (malware) is increasingly a threat to military, corporate, and civilian computer systems and critical infrastructure. Over the past decade, memory forensics has begun to offer powerful techniques for detecting and analyzing malicious software and is often effective in cases where other methods fail. Memory forensics tools must be robust and trustworthy, because failing to detect a malware infection can have disastrous consequences. This project is addressing a number of important research issues in memory forensics, including expanding the scope and improving the reliability of memory forensics tools and providing investigators with better mechanisms to evaluate the correctness of digital investigations.This project is addressing three important research issues in memory forensics: (1) Creating a large, diverse collection of freely available, realistic data sets for memory forensics research and practice; (2) Developing a testing platform that automatically discovers errors in both open and closed source memory forensics frameworks; and (3) Developing techniques to detect and analyze user-space (rather than kernel-space) malware activity.

最先进的恶意软件（恶意软件）日益对军事、企业和民用计算机系统和关键基础设施构成威胁。 在过去的十年中，内存取证已经开始提供用于检测和分析恶意软件的强大技术，并且在其他方​​法失败的情况下通常很有效。 内存取证工具必须强大且值得信赖，因为未能检测到恶意软件感染可能会带来灾难性的后果。 该项目正在解决内存取证中的许多重要研究问题，包括扩大内存取证工具的范围和提高可靠性，以及为研究人员提供更好的机制来评估数字调查的正确性。该项目正在解决内存中的三个重要研究问题取证：(1) 为内存取证研究和实践创建大量、多样化的、免费的、真实的数据集； （2）开发一个自动发现开源和闭源内存取证框架中错误的测试平台； (3) 开发检测和分析用户空间（而不是内核空间）恶意软件活动的技术。

项目成果

Memory Analysis of macOS Page Queues

macOS页面队列的内存分析

• DOI: 10.1016/j.fsidi.2020.301004
• 发表时间: 2020-07-01
• 期刊: Digit. Investig.
• 作者: Andrew Case;Ryan D. Maggio;Modhuparna Manna;G. Richard
• 通讯作者: G. Richard

MemForC: Memory Forensics Corpus Creation for Malware Analysis

MemForC：用于恶意软件分析的内存取证语料库创建

• 发表时间: 2021-01
• 期刊: Proceedings of the 16th International Conference on Cyber Warfare and Security
• 作者: Orgah, A.;Case, A.;Richard, G.
• 通讯作者: Richard, G.

Hooktracer: Automatic Detection and Analysis of Keystroke Loggers Using Memory Forensics

Hooktracer：使用内存取证自动检测和分析击键记录器

• DOI: 10.1016/j.cose.2020.101872
• 发表时间: 2020-09-01
• 期刊: Comput. Secur.
• 作者: Andrew Case;Ryan D. Maggio;Md Firoz;M. M. Jalalzai;Aisha I. Ali;Mingxuan Sun;G. Richard
• 通讯作者: G. Richard

Memory forensics and the Windows Subsystem for Linux

内存取证和适用于 Linux 的 Windows 子系统

• DOI: 10.1016/j.diin.2018.04.018
• 发表时间: 2018-07-01
• 期刊: Digit. Investig.
• 作者: Nathan Lewis;Andrew Case;Aisha I. Ali;G. Richard
• 通讯作者: G. Richard

AmpleDroid Recovering Large Object Files from Android Application Memory

AmpleDroid 从 Android 应用程序内存中恢复大对象文件

• 发表时间: 2020-01
• 期刊: WIFS 2020
• 作者: Sudhakaran, S.;Aisha Ali;Orgah, A.;Case, A.;Richard, G.
• 通讯作者: Richard, G.