Abstract
Memory forensics is now a standard component of digital forensic investigations and incident response handling, since memory forensic techniques are quite effective in uncovering artifacts that might be missed by traditional storage forensics or live analysis techniques. Because of the crucial role that memory forensics plays in investigations and because of the increasing use of automation of memory forensics techniques, it is imperative that these tools be resilient to memory smear and deliberate tampering. Without robust algorithms, malware may go undetected, frameworks may crash when attempting to process memory samples, and automation of memory forensics techniques is difficult. In this paper we present Gaslight, a powerful and flexible fuzz-testing architecture for stress-testing both open and closed-source memory forensics frameworks. Gaslight automatically targets critical code paths that process memory samples and mutates samples in an efficient way to reveal implementation errors. In experiments we conducted against several popular memory forensics frameworks, Gaslight revealed a number of critical previously undiscovered bugs.
Recommended Citation
A. Case et al., "Gaslight: A Comprehensive Fuzzing Architecture For Memory Forensics Frameworks," Digital Investigation, vol. 22, pp. S86 - S93, Elsevier, Aug 2017.
The definitive version is available at https://doi.org/10.1016/j.diin.2017.06.011
Department(s)
Computer Science
Publication Status
Open Access
Keywords and Phrases
Computer forensics; Fuzzing; Incident response; Malware; Memory analysis; Memory forensics
International Standard Serial Number (ISSN)
1742-2876
Document Type
Article - Journal
Document Version
Citation
File Type
text
Language(s)
English
Rights
© 2024 Elsevier, All rights reserved.
Publication Date
01 Aug 2017
