MemInspect2: OS-Independent Memory Forensics for IoT Devices in Cybercrime Investigations


Research field: Safety



Conference: 2022 IEEE/ACIS 22nd International Conference on Computer and Information Science (ICIS)


Abstract

With the rapid development of the Internet of Things (IoT), more and more cybersecurity incidents have emerged in IoT devices and systems. The need for cybercrime investigation, especially for IoT devices, has therefore become more pressing than ever. Memory forensics, the approach that inspects a memory dump to understand the current state or behavior of the attacked machine, holds an important position in digital forensics and incident response for IoT systems. However, memory forensics encounters various challenges, including virtual address space (VAS) reconstruction and extracting kernel data structures from a given memory image. Most current tools and approaches rely on knowledge of the operating system or propose heuristics to avoid rebuilding the VAS. In this research, we present our novel methodology to reconstruct the VAS for memory images by using the paging mechanism of the Central Processing Unit (CPU), primarily for the ARM architectures (32- and 64-bit), one of the most popular microprocessor families in the IoT world. In addition, with the support of the VAS, we extract typical kernel data structures such as the process linked list. Finally, we build the MemInspect2 toolset, which gathers all the algorithms, and we test the tool on many standard OS kernels such as Linux and BSD.


Authors

Anh-Duy Tran
Faculty of Information Technology, University of Science, Ho Chi Minh City, Vietnam

Quoc-Trung Nguyen
Faculty of Information Technology, University of Science, Ho Chi Minh City, Vietnam

Anh-Minh Nguyen
Faculty of Information Technology, University of Science, Ho Chi Minh City, Vietnam

📄 Paper information

Publication year: 2022
Citations: 1
Country of publication: Vietnam
Site: IEEE