In recent years, with the comprehensive development of informatization, the Internet has played an increasingly important role in people's production and daily life. Because of its rich software ecosystem, Linux is widely used in cloud computing and IoT. With the proliferation of Internet-based criminal industries, Linux, as the mainstream operating system on cloud servers, faces serious threats. Forensics technology is designed to quickly discover traces and evidence of computer intrusions and to help the police crack down on crime, so research on memory forensics for Linux systems is of great significance for building a healthy network security ecosystem. Linux memory forensics faces two challenges. On the one hand, because malware is so varied and so numerous, traditional memory analysis methods based on expert experience are inefficient, and automatically identifying malicious code in memory remains a difficult problem. On the other hand, fileless attacks are becoming more common every day, and fileless malware is hard to capture and analyze effectively. This thesis studies these problems, and its specific contributions are as follows. The thesis proposes a memory extraction technique based on ptrace and kernel modules, which extracts the process memory of a Linux system in real time through the ptrace system call in user mode and through the Linux kernel API in kernel mode. The ptrace-based method is widely applicable but is easily constrained by anti-forensics techniques; the kernel-mode method must be adapted to each kernel version but is not blocked by such anti-forensics measures. Combining the two methods allows process memory to be extracted effectively from mainstream Linux distributions. The thesis proposes an auxiliary-vector-based ELF file recovery technique, which uses the auxiliary vector to reconstruct ELF files from process memory data, and an ELF file similarity comparison technique based on static control flow graphs. Together, these two techniques allow known malware to be identified effectively in memory data. Building on these two detection techniques, the thesis designs and implements a Linux memory forensics platform that supports attack forensics and analysis through a variety of means. The experimental results show that the proposed memory extraction method achieves complete memory extraction on mainstream operating systems, that the auxiliary-vector-based ELF recovery module can recover ELF files built in different compilation environments, and that the ELF comparison module achieves high code coverage and compares ELF files accurately and efficiently. In real forensics tasks the Linux memory forensics platform identified multiple malicious processes, which demonstrates that the platform has strong memory forensics capabilities.
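The auxiliary-vector-based recovery described above starts from the values the kernel passes to a new process: AT_PHDR, AT_PHENT and AT_PHNUM give the in-memory address and shape of the program header table, and from that table the ELF header and load bias can be found without any file on disk. The following C program is an added example, not code from the thesis or its platform; it assumes a 64-bit ELF target on x86-64 Linux and reads a live process through /proc/<pid>/auxv and /proc/<pid>/mem (the function names parse_auxv, find_elf_header, demo_recover and the constructed test image are this example's own):

```c
// Added example, not code from the thesis: locate a running program's ELF header
// from its auxiliary vector (AT_PHDR/AT_PHENT/AT_PHNUM) and the program header
// table those values point at; main() does it on a live pid via /proc.
#include <elf.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct auxv_info { uint64_t phdr, phent, phnum; };

// Parse the raw bytes of /proc/<pid>/auxv. Returns the number of entries before
// AT_NULL, or -1 if there is no terminator (truncated vector).
int parse_auxv(const uint8_t *buf, size_t len, struct auxv_info *out) {
    memset(out, 0, sizeof *out);
    for (size_t off = 0, n = 0; off + sizeof(Elf64_auxv_t) <= len; off += sizeof(Elf64_auxv_t), n++) {
        Elf64_auxv_t a;
        memcpy(&a, buf + off, sizeof a);
        if (a.a_type == AT_NULL) return (int)n;
        if (a.a_type == AT_PHDR)  out->phdr  = a.a_un.a_val;
        if (a.a_type == AT_PHENT) out->phent = a.a_un.a_val;
        if (a.a_type == AT_PHNUM) out->phnum = a.a_un.a_val;
    }
    return -1;
}

// Reader over target memory, 0 on success: a live pid, a dump, or the test image.
typedef int (*mem_reader)(void *ctx, uint64_t addr, void *dst, size_t len);

// Returns the target address of the ELF header, or 0 if it cannot be located.
// With PT_PHDR: bias = AT_PHDR - PT_PHDR.p_vaddr, header = bias + p_vaddr of the
// PT_LOAD mapping file offset 0 (bias is 0 for ET_EXEC). Without PT_PHDR (usual
// for static executables) assume the table directly follows the header. The
// candidate is validated against the header it points at before it is trusted.
uint64_t find_elf_header(const struct auxv_info *av, mem_reader rd, void *ctx) {
    if (av->phent != sizeof(Elf64_Phdr) || av->phnum == 0 || av->phnum > 64) return 0;
    uint64_t bias = 0, load0 = 0;
    int have_phdr = 0, have_load = 0;
    for (uint64_t i = 0; i < av->phnum; i++) {
        Elf64_Phdr ph;
        if (rd(ctx, av->phdr + i * sizeof ph, &ph, sizeof ph)) return 0;
        if (ph.p_type == PT_PHDR) { bias = av->phdr - ph.p_vaddr; have_phdr = 1; }
        if (ph.p_type == PT_LOAD && ph.p_offset == 0 && !have_load) { load0 = ph.p_vaddr; have_load = 1; }
    }
    uint64_t hdr = (have_phdr && have_load) ? bias + load0 : av->phdr - sizeof(Elf64_Ehdr);
    Elf64_Ehdr eh;
    if (rd(ctx, hdr, &eh, sizeof eh) || memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0) return 0;
    return (eh.e_phnum == av->phnum && hdr + eh.e_phoff == av->phdr) ? hdr : 0;
}

// Live reader over /proc/<pid>/mem (same ptrace access check as PTRACE_ATTACH).
static int proc_read(void *ctx, uint64_t addr, void *dst, size_t len) {
    int fd = *(int *)ctx;
    if (lseek(fd, (off_t)addr, SEEK_SET) == (off_t)-1) return -1;
    return read(fd, dst, len) == (ssize_t)len ? 0 : -1;
}

// Constructed test image (not a real binary): a minimal PIE with two program
// headers "loaded" at TEST_BIAS, plus the auxiliary vector the kernel would pass.
#define TEST_BIAS 0x555555554000ULL
struct fake_mem { uint64_t tbase; size_t len; uint8_t data[256]; };

static int fake_read(void *ctx, uint64_t addr, void *dst, size_t len) {
    struct fake_mem *m = ctx;
    if (addr < m->tbase || addr - m->tbase + len > m->len) return -1;  // outside the image
    memcpy(dst, m->data + (addr - m->tbase), len);
    return 0;
}

static void build_fake(struct fake_mem *m, uint8_t auxv[64]) {
    Elf64_Ehdr eh = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_type = ET_DYN; eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 2;
    Elf64_Phdr ph[2] = {
        { .p_type = PT_PHDR, .p_offset = sizeof eh, .p_vaddr = sizeof eh, .p_filesz = 2 * sizeof(Elf64_Phdr) },
        { .p_type = PT_LOAD, .p_offset = 0, .p_vaddr = 0, .p_filesz = 0x1000, .p_memsz = 0x1000 } };
    memset(m, 0, sizeof *m); m->tbase = TEST_BIAS;
    memcpy(m->data, &eh, sizeof eh);
    memcpy(m->data + sizeof eh, ph, sizeof ph);
    m->len = sizeof eh + sizeof ph;
    Elf64_auxv_t av[4] = { { AT_PHDR, { TEST_BIAS + sizeof eh } }, { AT_PHENT, { sizeof(Elf64_Phdr) } },
                           { AT_PHNUM, { 2 } }, { AT_NULL, { 0 } } };
    memcpy(auxv, av, sizeof av);  // 4 entries * 16 bytes
}

// Runs the full chain on the constructed image; returns the recovered header
// address (TEST_BIAS) or 0 on failure. phdr_delta skews AT_PHDR to simulate an
// auxiliary vector that does not match the memory it describes (e.g. a bad dump).
uint64_t demo_recover(uint64_t phdr_delta) {
    struct fake_mem m; uint8_t auxv[64]; struct auxv_info ai;
    build_fake(&m, auxv);
    if (parse_auxv(auxv, sizeof auxv, &ai) != 3) return 0;
    ai.phdr += phdr_delta;
    return find_elf_header(&ai, fake_read, &m);
}

int main(int argc, char **argv) {
    const char *pid = argc > 1 ? argv[1] : "self";  // default: this process
    char path[64]; uint8_t buf[4096]; struct auxv_info ai;
    snprintf(path, sizeof path, "/proc/%s/auxv", pid);
    int fd = open(path, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf);
    if (n < 0 || parse_auxv(buf, (size_t)n, &ai) < 0) { fprintf(stderr, "cannot read %s\n", path); return 1; }
    close(fd);
    snprintf(path, sizeof path, "/proc/%s/mem", pid);
    if ((fd = open(path, O_RDONLY)) < 0) { perror(path); return 1; }
    uint64_t hdr = find_elf_header(&ai, proc_read, &fd);
    close(fd);
    if (!hdr) { fputs("ELF header not found (ptrace denied or auxv inconsistent?)\n", stderr); return 1; }
    printf("AT_PHDR=%#llx ELF header at %#llx\n", (unsigned long long)ai.phdr, (unsigned long long)hdr);
    return 0;
}
```

Once the header address and load bias are known, copying each PT_LOAD segment's p_filesz bytes from bias + p_vaddr to file offset p_offset reproduces the loadable part of the original file; section headers are not part of any loaded segment, so they are not recoverable this way. The same limitation the abstract notes for ptrace applies here: /proc/<pid>/mem is gated by the PTRACE_MODE_ATTACH access check, so a process that has set PR_SET_DUMPABLE to 0, or a system with a restrictive Yama ptrace_scope, will refuse an unprivileged reader, which is exactly the case the kernel-module extraction path is meant to cover.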