Memory Layout Extraction and Verification Method for Reliable Physical Memory Acquisition

Physical memory acquisition is a prerequisite when performing memory forensics, referring to a set of techniques for acquiring and analyzing traces associated with user activity information, malware analysis, cyber incident response, and similar areas when the traces remain in the physical RAM. However, certain types of malware have applied anti-memory forensics techniques to evade memory analysis strategies or to make the acquisition process impossible. To disturb the acquisition process of physical memory, an attacker hooks the kernel API, which returns a map of the physical memory spaces, and modifies the return value of the API, specifically that typically used by memory acquisition tools. Moreover, an attacker modifies the kernel object referenced by the kernel API. This causes the system to crash during the memory acquisition process or causes the memory acquisition tools to incorrectly proceed with the acquisition. Even with a modification of one byte, called a one-byte modification attack, some tools fail to acquire memory. Therefore, specialized countermeasure techniques are needed for these anti-memory forensics techniques. In this paper, we propose a memory layout acquisition method which is robust to kernel API hooking and the one-byte modification attack on NumberOfRuns, the kernel object used to construct the memory layout in Windows. The proposed acquisition method directly accesses the memory, extracts the byte array, and parses it in the form of a memory layout. When we access the memory, we extract the _PHYSICAL_MEMORY_DESCRIPTOR structure, which is the basis of the memory layout without using the existing memory layout acquisition API. Furthermore, we propose a verification method that selects a reliable memory layout. We realize the verification method by comparing NumberOfRuns and the memory layout acquired via the kernel API, the registry, and the proposed method. The proposed verification method guarantees the reliability of the memory layout and helps secure memory image acquisition through a comparative verification with existing memory layout acquisition methods. We also conduct experiments to prove that the proposed method is resistant to anti-memory forensics techniques, confirming that there are no significant differences in time compared to the existing tools.

Secure Group Message Transfer Stegosystem

Grid environment is a virtual organization with varied resources from different administrative domains; it raises the requirement of a secure and reliable protocol for secure communication among various users and servers. The protocol should guarantee that an attacker or an unidentified resource will not breach or forward the information. For secure communication among members of a grid group, an authenticated message transferring system should be implemented. The key objective of this system is to provide a secure transferring path between a sender and its authenticated group members. In recent times, many researchers have proposed various steganographic techniques for secure message communications. This paper proposes a new secure message broadcasting system to hide the messages in such a way that an attacker cannot sense the existence of messages. In the proposed system, the authors use steganography and image encryption to hide group keys and secret messages using group keys in images for secure message broadcasting. The proposed system can withstand against conspiracy attack, message modification attack and various other security attacks. Thus, the proposed system is secure and reliable for message broadcasting.

Secure Group Message Transfer Stegosystem

Grid environment is a virtual organization with varied resources from different administrative domains; it raises the requirement of a secure and reliable protocol for secure communication among various users and servers. The protocol should guarantee that an attacker or an unidentified resource will not breach or forward the information. For secure communication among members of a grid group, an authenticated message transferring system should be implemented. The key objective of this system is to provide a secure transferring path between a sender and its authenticated group members. In recent times, many researchers have proposed various steganographic techniques for secure message communications. This paper proposes a new secure message broadcasting system to hide the messages in such a way that an attacker cannot sense the existence of messages. In the proposed system, the authors use steganography and image encryption to hide group keys and secret messages using group keys in images for secure message broadcasting. The proposed system can withstand against conspiracy attack, message modification attack and various other security attacks. Thus, the proposed system is secure and reliable for message broadcasting.