
The Research Of Automatic Forensic Analysis Of Malware Processes Via DLLs

Posted on: 2016-07-16
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Duan
Full Text: PDF
GTID: 2308330461960767
Subject: Computer Science and Technology

Abstract/Summary:
Persistent-storage-oriented methods in computer forensics face several challenges brought on by rapid technological change: memory-resident-only malware, ever-growing hard drive capacities and sophisticated encryption software. Research into volatile memory is therefore receiving more and more attention, and memory forensics has made great progress in recent years.

Current methods focus mainly on evidence collection and data recovery. Little work addresses how to automatically identify malware among many unknown processes and analyze its behavior at a high semantic level so that related evidence can be collected. In real cases, investigators are often faced with a large number of processes they know nothing about. Even for skilled experts, understanding all of these processes and identifying the illegitimate ones is time-consuming. Although current malware detection tools can provide some help, they usually cannot explain the purpose, capabilities and behavioral details of the malware and are therefore often a poor fit for forensic requirements.

This thesis presents a lightweight framework, Detective, to address these issues. Given a set of unknown processes, the framework automatically classifies them as benign or malicious, using the HNB classification algorithm over a model built from the Dynamic-Link Libraries (DLLs) a process has loaded. Malware behavior is then explained at a high semantic level through clustering and frequent itemset mining. The information obtained in these steps in turn guides evidence collection. Detective is applicable to both online and offline forensic scenarios. Experiments on a real-world malware set show that Detective achieves an accuracy above 90% at a time cost of only a few seconds.
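To make the two-stage pipeline in the abstract concrete, here is an added example in Python; it is not code from the thesis or from the Detective framework. Stage 1 trains a classifier on the set of DLLs each known process has loaded and labels unknown processes as benign or malware; stage 2 mines frequent DLL itemsets across the flagged processes and attaches capability labels so the output reads as behavior rather than as a list of module names. Assumptions: a plain Bernoulli Naive Bayes stands in for the thesis's HNB algorithm, the DLL-to-capability map is hand-made, and every process listing (TRAIN and UNKNOWN) is constructed for illustration rather than taken from a real memory image.

```python
"""Toy DLL-based process classification plus frequent-itemset behaviour
summary. Added example, not the thesis's code: Bernoulli Naive Bayes stands
in for HNB, the capability map is hand-made, all listings are constructed."""
import math
from collections import Counter
from itertools import combinations

# Constructed training data: (process name, DLLs loaded, label). The shape
# matches a per-process DLL listing from a memory image; the content is made up.
TRAIN = [
    ("explorer.exe", {"kernel32.dll", "user32.dll", "shell32.dll", "ole32.dll", "advapi32.dll"}, "benign"),
    ("notepad.exe",  {"kernel32.dll", "user32.dll", "gdi32.dll", "comdlg32.dll"}, "benign"),
    ("calc.exe",     {"kernel32.dll", "user32.dll", "gdi32.dll", "shell32.dll"}, "benign"),
    ("svchost.exe",  {"kernel32.dll", "advapi32.dll", "rpcrt4.dll", "ntdll.dll"}, "benign"),
    ("winword.exe",  {"kernel32.dll", "user32.dll", "gdi32.dll", "ole32.dll"}, "benign"),
    ("svch0st.exe",  {"kernel32.dll", "ws2_32.dll", "wininet.dll", "advapi32.dll", "psapi.dll"}, "malware"),
    ("update.exe",   {"kernel32.dll", "ws2_32.dll", "wininet.dll", "crypt32.dll", "psapi.dll"}, "malware"),
    ("winlogin.exe", {"kernel32.dll", "ws2_32.dll", "user32.dll", "psapi.dll", "advapi32.dll"}, "malware"),
    ("sys32.exe",    {"kernel32.dll", "wininet.dll", "crypt32.dll", "ws2_32.dll", "user32.dll"}, "malware"),
    ("helper.exe",   {"kernel32.dll", "ws2_32.dll", "wininet.dll", "psapi.dll"}, "malware"),
]
# Constructed "unknown" processes, the kind an investigator pulls from an image.
UNKNOWN = [
    ("proc_a.exe", {"kernel32.dll", "ws2_32.dll", "wininet.dll", "psapi.dll", "crypt32.dll"}),
    ("proc_b.exe", {"kernel32.dll", "user32.dll", "gdi32.dll"}),
    ("proc_c.exe", {"kernel32.dll", "ws2_32.dll", "psapi.dll", "advapi32.dll"}),
    ("proc_d.exe", {"kernel32.dll", "ws2_32.dll", "wininet.dll", "user32.dll"}),
]
# Hand-made capability labels (an assumption for this example, not from the thesis).
CAPABILITY = {
    "ws2_32.dll": "network (Winsock)", "wininet.dll": "HTTP client",
    "crypt32.dll": "crypto/certificates", "psapi.dll": "process enumeration",
    "advapi32.dll": "registry/services", "user32.dll": "window/input hooks",
}

def train_nb(samples):
    """Bernoulli Naive Bayes over presence/absence of each DLL in the vocabulary.
    Laplace smoothing keeps a DLL never seen in one class from zeroing it out."""
    vocab = sorted(set().union(*(dlls for _, dlls, _ in samples)))
    model = {}
    for label in sorted({lab for _, _, lab in samples}):
        rows = [dlls for _, dlls, lab in samples if lab == label]
        prior = math.log(len(rows) / len(samples))
        probs = {d: (sum(d in r for r in rows) + 1) / (len(rows) + 2) for d in vocab}
        model[label] = (prior, probs)
    return vocab, model

def classify(clf, dlls):
    """Return (label, log-odds of malware vs benign). DLLs outside the training
    vocabulary carry no evidence either way and are ignored."""
    vocab, model = clf
    score = {}
    for label, (prior, probs) in model.items():
        score[label] = prior + sum(math.log(probs[d] if d in dlls else 1 - probs[d])
                                   for d in vocab)
    log_odds = score["malware"] - score["benign"]
    return ("malware" if log_odds > 0 else "benign"), log_odds

def frequent_itemsets(transactions, min_support, max_size=3):
    """Level-wise Apriori: a k-itemset is a candidate only if all of its
    (k-1)-subsets were frequent. Returns {frozenset(dlls): support count}."""
    transactions = [frozenset(t) for t in transactions]
    counts = Counter(i for t in transactions for i in t)
    level = {frozenset([i]): c for i, c in counts.items() if c >= min_support}
    result = dict(level)
    k = 2
    while level and k <= max_size:
        items = sorted(set().union(*level))
        candidates = {frozenset(c) for c in combinations(items, k)
                      if all(frozenset(s) in level for s in combinations(c, k - 1))}
        level = {}
        for cand in candidates:
            support = sum(cand <= t for t in transactions)
            if support >= min_support:
                level[cand] = support
        result.update(level)
        k += 1
    return result

def analyze(train, unknown, min_support=0.6):
    """Classify every unknown process, then summarise what the flagged ones
    share: frequent itemsets over the DLLs that point towards malware, each
    translated into capability labels. Returns (verdicts, patterns)."""
    clf = train_nb(train)
    vocab, model = clf
    # DLLs loaded by benign software at least as often (kernel32.dll, user32.dll)
    # say nothing about behaviour, so they are dropped before mining.
    indicative = {d for d in vocab if model["malware"][1][d] > model["benign"][1][d]}
    verdicts = {name: classify(clf, dlls)[0] for name, dlls in unknown}
    flagged = [dlls & indicative for name, dlls in unknown if verdicts[name] == "malware"]
    itemsets = frequent_itemsets(flagged, math.ceil(min_support * len(flagged))) if flagged else {}
    patterns = [(sorted(s), n, [CAPABILITY.get(d, "unlabelled") for d in sorted(s)])
                for s, n in itemsets.items() if len(s) > 1]
    patterns.sort(key=lambda p: (-len(p[0]), -p[1], p[0]))
    return verdicts, patterns

if __name__ == "__main__":
    verdicts, patterns = analyze(TRAIN, UNKNOWN)
    for name, label in verdicts.items():
        print(f"{name:12s} {label}")
    for dlls, n, caps in patterns:
        print(f"{n} flagged processes load {' + '.join(dlls)}: {', '.join(caps)}")
```

On the constructed data, proc_b.exe comes out benign and the other three are flagged; the mining step then reports that pairs such as ws2_32.dll together with psapi.dll, and ws2_32.dll together with wininet.dll, recur across the flagged processes, which an investigator reads as "enumerates processes and talks to the network" rather than as raw module names. Filtering the itemsets to DLLs that the classifier itself finds indicative is what keeps ubiquitous modules like kernel32.dll from dominating every pattern.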
Keywords/Search Tags:Computer forensics, Volatile memory, Malware process, DLL, Data mining