Memory Forensics for Analyzing Malicious Activities

Abstract

With the change of era, the growing dependency on the computer and Internet is needless to say in a word. Memory is a very important part of a computer that holds the necessary data that the processor uses. As the CPU's running process data is stored in the memory, capturing and preserving the memory information are very important to detect malicious activities. If the memory is volatile like in RAM, data can be easily lost by overwriting or power failure. So, creating the memory dump from the volatile and secondary memory is invaluable for memory forensics and identifying different malicious activities for forensic investigation. Memory dump information can be used forensically to detect malicious activities within the suspected device. Nowadays, Internet usage is increasing tremendously, so people face many attacks like malware originated from the Internet. The attacker uses the victim's machine to execute their plan anonymously. During the investigation, there will be voluminous amount of information to investigate. As malicious processes are smart enough to hide, finding the malicious processes are not that trivial. Investigators must relate the incident data from the memory dump information to identify the malicious activities. There are many challenges in creating the memory dump from the heterogeneous types of devices and investigating the collected memory dump if investigators do not use the right methods and tools, which will enable to create the memory dump mellifluously and to identify different malicious activities in a short time. Using the right tools and frameworks at the right time, the effectiveness of the investigation can be much better and faster. In traditional processes, there is no structural way to find malicious activity. So, in this project, we have proposed a method for investigating malicious activities in a more structured and efficient way from the captured memory dump and identifying malicious activities from a suspected machine.