Abstract
Cybercrimes reached its peak in 2017, a year marked by extraordinary attacks including multi-million dollar theft. New malware and ransomware with the exponential growth of 64% have laid their impact in the cyber world and left them with no choice except to pay the ransom. On an average, 2 lakh samples of new malware are captured per day in the last year and it is estimated that cybercrime will cost over $2 Trillion by the end of 2019, according to Juniper research. To combat and identify the attacks, digital forensics plays a crucial role in cyber investigations. In particular, memory forensics helps by unhiding the tons of hidden secret information. In memory forensics, crucial facts are stored, retrieved, and presented as a robust proof which can be accepted even in the courtroom. This paper conducts intensive survey on importance of memory forensics and its tools. Also, practical implementation is done on memory dumps collected from WannaCry ransomware affected computer. In-depth analysis is carried out by means of tracing injected dynamic link library (DLLs), process hollowing and reverse engineering. The findings and the open challenges are also presented.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Beebe, N.L., Clark, J.G.: A hierarchical, objectives-based framework for the digital investigation process. Digital Invest. 2(2), 147–167 (2005). https://doi.org/10.1016/j.diin.2005.04.002
Bem, D., Feld, F., Huebner, E., Bem, O.: Computer forensics—past, present and future. J. Inf. Sci. Technol. 5(3), 43–59 (2008)
Peterson, G.: Digital forensics XI. In: Peterson, G. (ed.) Advances in Digital Forensics XI. Springer US, Orlando (2015)
Harichandran, V.S., Breitinger, F., Baggili, I., Marrington, A.: A cyber forensics needs analysis survey: revisiting the domain’s needs a decade later. Comput. Secur. 57, 1–13 (2016). https://doi.org/10.1016/j.cose.2015.10.007
Amari, K.: Techniques and Tools for Recovering and Analyzing Data from Volatile Memory. Boston. Retrieved from https://www.sans.org/reading-room/whitepapers/forensics/techniques-tools-recovering-analyzing-data-volatile-memory-33049 (2009)
Grier, J., Richard, G.G.: Rapid forensic imaging of large disks with sifting collectors. Digital Invest. 14, S34–S44 (2015). https://doi.org/10.1016/j.diin.2015.05.006
Stüttgen, J., Cohen, M.: Anti-forensic resilient memory acquisition. Digital Invest. 10(SUPPL.), S105–S115 (2013). https://doi.org/10.1016/j.diin.2013.06.012
Dfrws 2005 forensics challenge. http://www.dfrws.org/2005/challenge/
Vömel, S., Freiling, F.C.: A survey of main memory acquisition and analysis techniques for the windows operating system. Digital Invest. 8(1), 3–22 (2011). https://doi.org/10.1016/J.DIIN.2011.06.002
Charters, I., Smith, M., McKee, G.: The Evolution of Digital Forensics: Civilizing the Cyber Frontier. Retrieved from www.guerilla-ciso.com/wp…/01/the-evolution-of-digital-forensics-ian-charters.pdf%0A (2009)
Garner, G.M.: KNTDD. Retrieved from http://users.erols.com/gmgarner/KnTTools/ (2016)
Rathnayaka, C., Jamdagni, A.: An efficient approach for advanced malware analysis using memory forensic technique. In: Proceedings of 16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 11th IEEE International Conference on Big Data Science and Engineering and 14th IEEE International Conference on Embedded Software and Systems, pp. 1145–1150 (2017). https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.365
Rahman, S., Khan, M.N.A.: Review of live forensic analysis techniques. Int. J. Hybrid Inf. Technol. 8(2), 379–388 (2015). https://doi.org/10.14257/ijhit.2015.8.2.35
Xu, L., Cavazos, J., Zhang, D., Jayasena, N.: HADM: Hybrid analysis for detection of malware. In: Proceedings of SAI Intelligent Systems Conference (IntelliSys), pp. 702–724. Springer US. Retrieved from https://link.springer.com/chapter/10.1007/978-3-319-56991-8_51 (2017)
Ruff, N.: Windows memory forensics. J. Comput. Virol. 4(2), 83–100 (2008). https://doi.org/10.1007/s11416-007-0070-0
Damshenas, M., Dehghantanha, A., Mahmoud, R.: A survey on malware propagation, analysis and detection. Int. J. Cyber-Security Digital Forensics (IJCSDF) 2(4), 10–29 (2013)
The WannaCry Ransomware-Cert-Mu (2017)
Counter Threat Unit: WCry (WannaCry) Ransomware Analysis. USA. Retrieved from https://www.secureworks.com/research/wcry-ransomware-analysis (2017)
Danahy, J.: Ransomware 2017 (2017)
WCry (WannaCry) Ransomware Analysis. Retrieved from https://www.secureworks.com/research/wcry-ransomware-analysis
Vaughan-Nichols, S.J.: How WannaCrypt attacks. Retrieved from http://www.zdnet.com/article/how-wannacrypt-attacks/
WannaCry Ransomware Attack. Retrieved from https://en.wikipedia.org/wiki/WannaCry
VirusShare.com: Because Sharing is Caring. https://virusshare.com/download.4n6
Berry, A., Homan, J., Eitzman, R.: WannaCry Malware Profile. FireEye Inc. Retrieved December 5, 2017, from https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html (2017)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Paul Joseph, D., Norman, J. (2020). A Review and Analysis of Ransomware Using Memory Forensics and Its Tools. In: Satapathy, S., Bhateja, V., Mohanty, J., Udgata, S. (eds) Smart Intelligent Computing and Applications . Smart Innovation, Systems and Technologies, vol 159. Springer, Singapore. https://doi.org/10.1007/978-981-13-9282-5_48
Download citation
DOI: https://doi.org/10.1007/978-981-13-9282-5_48
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-9281-8
Online ISBN: 978-981-13-9282-5
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)