A Benchmark of Anti-Memory Forensics Tools
Primary Investigator:
Marcus Thompson
Zachary Thoreson, Marcus Thompson
Abstract
Memory forensics is a critical component in crime scene analysis, reverse engineering, and detection of malware. During the static and dynamic phases of memory forensics, an analyst's tools are central to the detection and investigation of artifacts that may be of interest to the analyst.
While these tools allow the processing and analysis of memory dumps taken from computers, they are not perfect. Anti-memory forensics tools seek to obfuscate the analyst's results by creating false positives and large numbers of entries that make the analyst's job more difficult.
This study took proof-of-concept anti-forensic tools and tested their effectiveness in creating false artifacts that were later investigated using Volatility. The goal of the experiment was to establish a benchmark for how difficult it is to detect fake entries using memory forensics tools.
The experiment consisted of a clean Windows 7 virtual machine, a Windows 7 virtual machine with a known malware sample, and a Windows 7 virtual machine with both the malware sample and the anti-forensic tool.
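As an added illustration of the three-image comparison described above (example code written for this page, not the study's own tooling), the script below parses constructed pslist-style listings from the clean, malware, and malware-plus-anti-forensic images and attributes each process entry to the image that introduced it, giving a count of decoy entries per genuine malware entry. Volatility's real output, the malware sample, and the anti-forensic tool's behaviour are not reproduced; the listings, process names, PIDs, and offsets are invented.

```python
"""Attribute process-list artifacts across the three benchmark images (clean,
malware, malware + anti-forensic tool). The listings are constructed to imitate
the column layout of Volatility's pslist output; names, PIDs and offsets are invented."""
from typing import NamedTuple

class Proc(NamedTuple):
    name: str
    pid: int
    ppid: int

def parse_pslist(text: str) -> set[Proc]:
    """Extract (name, pid, ppid) from pslist-style rows; header rows are skipped."""
    procs = set()
    for line in text.splitlines():
        cols = line.split()
        # Data rows begin with a hex offset followed by name, PID and PPID.
        if len(cols) >= 4 and cols[0].startswith("0x"):
            procs.add(Proc(cols[1], int(cols[2]), int(cols[3])))
    return procs

def attribute(clean: set[Proc], malware: set[Proc], anti: set[Proc]) -> dict:
    """Split entries by the image that introduced them, separating artifacts
    planted by the anti-forensic tool from those caused by the malware itself."""
    from_malware = malware - clean
    from_anti = anti - malware - clean
    return {
        "malware": from_malware,
        "anti_forensic": from_anti,
        # Decoys per genuine malware entry: the extra triage the tool forces.
        "noise_ratio": len(from_anti) / max(len(from_malware), 1),
    }

BASE = """Offset(V)  Name          PID PPID
---------- ------------- --- ----
0x85c0c8f8 System          4    0
0x86a1d030 smss.exe      260    4
0x86b2e6f0 csrss.exe     340  332
0x86c01d40 explorer.exe 1240 1180
"""
# Constructed: the malware image adds one look-alike process under explorer.exe.
MALWARE_IMG = BASE + "0x86d22c40 svch0st.exe  1812 1240\n"
# Constructed: the anti-forensic image adds decoys that reuse a legitimate name.
ANTI_IMG = MALWARE_IMG + "".join(
    f"0x86e1{i:04x} svchost.exe  {2000 + 4 * i} 1240\n" for i in range(6)
)

def run_benchmark() -> dict:
    """Attribution for the constructed listings (malware: 1 entry, decoys: 6)."""
    return attribute(parse_pslist(BASE), parse_pslist(MALWARE_IMG), parse_pslist(ANTI_IMG))
```

With real images the same diff would be run over output from several Volatility plugins, so that an entry present in one listing but absent from another is flagged for manual review.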