Technique to Interrogate an Image of RAM


Bibliographic Details
Published in: 2009 Fifth International Conference on IT Security Incident Management and IT Forensics, pp. 111-119
Main Author: Wozar, M.
Format: Conference Proceeding
Language: English
Published: IEEE 01-09-2009
Description
Summary: Using Mr. Aaron Walters' Python script, nistpe.py, which generates hash values for sections within Microsoft Windows portable executables (PE), I will present a technique allowing industry, academia, law-enforcement, and other government bodies to create custom reference sets that detect sections within a raw bit image of random access memory. The technique identifies PE sections within a raw bit image of random access memory by comparing SHA-1 hash values from page aligned segments to SHA-1 reference file entries. This technique expands on the "immutable sections of known executables" reported earlier. Being able to identify PEs by hash values may facilitate volatile memory analysis and warn of malicious logic.
ISBN: 076953807X, 9780769538075
DOI: 10.1109/IMF.2009.10