References
- 504ensicsLabs (n.d.). Linux memory extractor. Retrieved December 30, 2021, from https://github.com/504ensicsLabs/LiME
- Bellevue (2005). The statically linked executable file for the Linux kernel: vmlinuz. Retrieved December 30, 2021, from http://www.linfo.org/vmlinuz.html
- Betz, C. (2005). Memparser. http://www.dfrws.org/2005/challenge/memparser.shtml
- Bovet, D. P., & Cesati, M. (2005). Understanding the Linux Kernel: from I/O ports to process management. O’Reilly Media, Inc.
- Burdach, M. (2005). Digital forensics of the physical memory. Warsaw University.
- Carrier, B. D., & Grand, J. (2004). A hardware-based memory acquisition procedure for digital investigations. Digital Investigation, 1(1), 50–60. https://doi.org/10.1016/j.diin.2003.12.001
- Carvey, H. (2005). Digital forensics of the physical memory. Retrieved December 30, 2021, from https://seclists.org/incidents/2005/Jun/22
- Case, A., & Richard, G. G. III. (2016). Detecting objective-c malware through memory forensics. Digital Investigation, 18, S3–S10. https://doi.org/10.1016/j.diin.2016.04.017
- Case, A., & Richard, G. G. III. (2017). Memory forensics: The path forward. Digital Investigation, 20, 23–33. https://doi.org/10.1016/j.diin.2016.12.004
- Case, A., Cristina, A., Marziale, L., Richard, G. G., & Roussev, V. (2008). Face: Automated digital evidence discovery and correlation. Digital Investigation, 5, S65–S75. https://doi.org/10.1016/j.diin.2008.05.008
- Case, A., Das, A. K., Park, S.-J., Ramanujam, J. R., & Richard, G. G. III. (2017). Gaslight: A comprehensive fuzzing architecture for memory forensics frameworks. Digital Investigation, 22, S86–S93. https://doi.org/10.1016/j.diin.2017.06.011
- Case, A., Marziale, L., & Richard, G. G. III. (2010). Dynamic recreation of kernel data structures for live forensics. Digital Investigation, 7, S32–S40. https://doi.org/10.1016/j.diin.2010.05.005
- Chan, E., Venkataraman, S., David, F., Chaugule, A., & Campbell, R. (2010). Forenscope: A framework for live forensics. In Proceedings of the 26th Annual Computer Security Applications Conference (pp. 307–316). https://doi.org/10.1145/1920261.1920307
- Cohen, M. (2015). The Pmem Memory acquisition suite. Retrieved May 30, 2022, from https://github.com/google/rekall/tree/master/tools/windows/winpmem
- CVE-Details (n.d.). Linux Kernel: Vulnerability statistics(Memory Corruption CVE Details). Retrieved December 20, 2021, from https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html
- Economou, N. A., & Nissim, E. E. (2016). Getting physical extreme abuse of intel based paging systems. https://www.coresecurity.com/sites/default/files/private-files/publications/2016/05/CSW2016%20-%20Getting%20Physical%20-%20Extended%20Version.pdf.
- espwiki (2013). Executable space protection: The NX bit. Retrieved December 30, 2021, from https://en.wikipedia.org/wiki/Executable_space_protection
- fmem (n.d.). Retrieved May 30, 2022, from https://github.com/NateBrune/fmem
- F-response Team (2019). A Utility to conduct Live Forensics. https://f-response.com/. (Last accessed: May 30, 2022)
- FTK Imager (n.d.). Retrieved May 30, 2022, from https://accessdata.com/product-download/ftk-imager-version-4-5
- Garcia, G. L. (2007). Forensic physical memory analysis: an overview of tools and techniques. In TKK T-110.5290 seminar on network security (Vol. 207, pp. 305–320). Helsinki: TKK
- Garner, G. M. Jr., & Mora, R.-J. (2005). kntlist Analysis tool.
- Gorman, M. (2004). Understanding the Linux virtual memory manager. Prentice Hall.
- Gruhn, M., & Freiling, F. C. (2016). Evaluating atomicity, and integrity of correct memory acquisition methods. Digital Investigation, 16, S1–S10. https://doi.org/10.1016/j.diin.2016.01.003
- Hay, B., Bishop, M., & Nance, K. (2009). Live analysis: Progress and challenges. IEEE Security & Privacy Magazine, 7(2), 30–37. https://doi.org/10.1109/MSP.2009.43
- Huebner, E., Bem, D., Henskens, F., & Wallis, M. (2007). Persistent systems techniques in forensic acquisition of memory. Digital Investigation, 4(3–4), 129–137. https://doi.org/10.1016/j.diin.2008.02.001
- Intel (2016). Intel 64 and IA-32 architectures software developer’s manual volume 3A: System programming guide, part 1. Retrieved December 30, 2021, from https://software.intel.com/en-us/articles/intel-sdm
- Ionescu, A. (2015). INSECTION: Awesomely exploiting shared memory objects. Retrieved December 20, 2021, from https://web.archive.org/web/20180417030210/http://www.alex-ionescu.com/infiltrate2015.pdf
- Jang, Y., Lee, S., & Kim, T. (2016). Breaking kernel address space layout randomization with intel tsx. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 380–392).
- Kim, Y., Daly, R., Kim, J., Fallin, C., Lee, J. H., Lee, D., Wilkerson, C., Lai, K., & Mutlu, O. (2014). Flipping bits in memory without accessing them: An experimental study of dram disturbance errors. ACM SIGARCH Computer Architecture News, 42(3), 361–372. https://doi.org/10.1145/2678373.2665726
- Le Berre, S. (2018). From corrupted memory dump to rootkit detection. Retrieved December 30, 2021, from https://exatrack.com/public/Memdump_NDH_2018.pdf
- Libster, E., & Kornblum, J. D. (2008). A proposal for an integrated memory acquisition mechanism. ACM SIGOPS Operating Systems Review, 42(3), 14–20. https://doi.org/10.1145/1368506.1368510
- Linux Manual (n.d.). mprotect(2)-Linux manual page. Retrieved December 30, 2021, from https://man7.org/linux/man-pages/man2/mprotect.2.html
- Martignoni, L., Fattori, A., Paleari, R., & Cavallaro, L. (2010). Live and trustworthy forensic analysis of commodity production systems. In International Workshop on Recent Advances in Intrusion Detection (pp. 297–316).
- Moser, A., & Cohen, M. I. (2013). Hunting in the enterprise: Forensic triage and incident response. Digital Investigation, 10(2), 89–98. https://doi.org/10.1016/j.diin.2013.03.003
- Movall, P., Nelson, W., & Wetzstein, S. (2005). Linux physical memory analysis. In USENIX Annual Technical Conference, FREENIX Track (pp. 23–32).
- Pagani, F., & Balzarotti, D. (2019). Back to the whiteboard: A principled approach for the assessment and design of memory forensic techniques. In 28th USENIX Security Symposium (USENIX Security 19) (pp. 1751–1768).
- Pagani, F., Fedorov, O., & Balzarotti, D. (2019). Introducing the temporal dimension to memory forensics. ACM Transactions on Privacy and Security, 22(2), 1–21. https://doi.org/10.1145/3310355
- Parida, T., & Das, S. (2020). PageDumper: A mechanism to collect page table manipulation information at run-time. International Journal of Information Security, 20(4), 603-619.
- PaX Team (2003). PaX address space layout randomization (ASLR). Retrieved December 30, 2021, from https://pax.grsecurity.net/docs/aslr.txt
- Petroni, N. L. Jr., Walters, A., Fraser, T., & Arbaugh, W. A. (2006). Fatkit: A framework for the extraction and analysis of digital forensic data from volatile system memory. Digital Investigation, 3(4), 197–210. https://doi.org/10.1016/j.diin.2006.10.001
- Reina, A., Fattori, A., Pagani, F., Cavallaro, L., & Bruschi, D. (2012). When hardware meets software: A bulletproof solution to forensic memory acquisition. In Proceedings of the 28th Annual Computer Security Applications Conference (pp. 79–88). https://doi.org/10.1145/2420950.2420962
- Rusling, D. A. (1999). Linux data structures. Retrieved December 30, 2021, from https://tldp.org/LDP/tlk/ds/ds.html
- Schatz, B. (2007). Bodysnatcher: Towards reliable volatile memory acquisition by software. Digital Investigation, 4, 126–134. https://doi.org/10.1016/j.diin.2007.06.009
- Schuster, A. (2006). Searching for processes and threads in Microsoft windows memory dumps. Digital Investigation, 3, 10–16. https://doi.org/10.1016/j.diin.2006.06.010
- Schwarz, M. (2019). PTEditor: A small library to modify all page-table levels of all processes from user space for x86_64 (Linux and Windows 10) and ARMv8(Linux). Retrieved December 30, 2021, from https://github.com/misc0110/PTEditor
- sp (n.d.). Spin locks. Retrieved December 30, 2021, from https://www.kernel.org/doc/html/latest/locking/spinlocks.html
- Vömel, S., & Freiling, F. C. (2012). Correctness, atomicity, and integrity: Defining criteria for forensically-sound memory acquisition. Digital Investigation, 9(2), 125–137. https://doi.org/10.1016/j.diin.2012.04.005
- Vömel, S., & Stüttgen, J. (2013). An evaluation platform for forensic memory acquisition software. Digital Investigation, 10, S30–S40. https://doi.org/10.1016/j.diin.2013.06.004
- Walters, A. (2007). The volatility framework (version 2.6): Volatile memory artifact extraction utility framework. Retrieved May 30, 2022, from https://www.volatilityfoundation.org/26
- Walters, A., & Petroni, N. L. (2007). Volatools: Integrating volatile memory into the digital investigation process. Black Hat DC, 2007, 1–18.
- Zhang, S., Meng, X., & Wang, L. (2016). An adaptive approach for Linux memory analysis based on kernel code reconstruction. EURASIP Journal on Information Security, 2016(1), 14. https://doi.org/10.1186/s13635-016-0038-z