Data correlation-based analysis methods for automatic memory forensic

Memory forensics is an important technique for protecting network security and fighting against computer crimes. It has developed greatly in the past decade, because memory can provide more reliable information that other evidence sources do not contain. However, nowadays, when investigating network criminal cases, the Gigabyte (GB) and even Terabyte (TB) level memory and many such dumps have made memory analysis a difficult task. And investigators usually have to deal with complex operating system (OS) data structures, which they have little knowledge of. So how to analyze memory evidence automatically so as to find the hidden criminal behavior and reconstruct the scenario in an understandable way has become an important problem. This paper presents an automatic memory analysis methodology based on data correlation. Through analyzing key OS data structures and utilizing a clustering algorithm, this methodology can discover the relationships among processes, files, users, Dynamic-link library (DLLs), and network connections. By describing these relationships as correlation graphs, our methods can reorganize these independent memory evidences and disclose their meanings in a high semantic level. Experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios. And as we know, now, little work is in this field. Copyright (C) 2015 John Wiley & Sons, Ltd.