Toward RAM forensics supported by machine-learning methods

• Autorzy: Jurczyk Kamil , Topa Paweł , Faber Łukasz

Identyfikatory

DOI

10.7494/csci.2025.26.4.6822

• Języki publikacji: EN

Abstrakty

EN

In this article, we propose an enhancement to the computer forensics techniqueof using Machine-Learning tools to analyze the contents of RAM in order to extract information that is potentially useful during an investigation. In the specific case presented, the use of the extracted information to generate more-optimal dictionaries for dictionary cryptanalysis is considered. Increasing user awareness is making cryptanalysis of passwords increasingly difficult for law enforcement. Long and complex passwords are impossible to crack – even when high-performance computing platforms are available. A sensible method of optimization is to look for hints to use a dictionary that contains text phrases more likely to be used in the specific case under attack. Such a hint could bean analysis of RAM taken from a suspect computer. Machine-learning methods can significantly facilitate this task. In this article, we also explore the effectiveness of such an approach and its usefulness in practical applications. We also consider applications of the proposed approach for other purposes, suchas OSINT.

Słowa kluczowe

EN

forensic; dictionary attacks; machine learning

• Wydawca: Wydawnictwa AGH
• Czasopismo: Computer Science
• Rocznik: 2025
• Tom: T. 26 (4)
• Strony: 77--103
• Opis fizyczny: Bibliogr. 20 poz., rys., tab., wykr.

Twórcy

autor

Jurczyk Kamil

• AGH University of Krakow, al. Mickiewicza 30, 30-059, Krakow, Poland

autor

Topa Paweł

• AGH University of Krakow, al. Mickiewicza 30, 30-059, Krakow, Poland

autor

Faber Łukasz

• AGH University of Krakow, al. Mickiewicza 30, 30-059, Krakow, Poland

Bibliografia

• [1] Ameri M.H., Blocki J., Zhou S.: Computationally data-independent memory hard functions, arXiv preprint arXiv:191106790, 2019.
• [2] Biryukov A., Dinu D., Khovratovich D., Josefsson S.: Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications, RFC 9106, 2021.doi: 10.17487/RFC9106.
• [3] Chen B.: Memory-Hard Functions: When Theory Meets Practice, Ph.D. thesis,UC Santa Barbara, 2019.
• [4] Fleck A.: Cybercrime Expected To Skyrocket in Coming Years, 2024. https://www.statista.com/chart/28878/expected-cost-of-cybercrime-until-2027/.
• [5] Garber L.: Encase: A case study in computer-forensic technology, IEEE Computer Magazine January, 2001.
• [6] Gaur S., Chhikara R.: Memory forensics: tools and techniques, Indian J SciTechnol, vol. 9(48), pp. 1–12, 2016. doi: 10.17485/ijst/2016/v9i48/105851.
• [7] Gupta K., Nisbet A.: Memory forensic data recovery utilising ram cooling methods, 2016.
• [8] Halderman J.A., Schoen S.D., Heninger N., Clarkson W., Paul W., CalandrinoJ.A., Feldman A.J., Appelbaum J., Felten E.W.: Lest we remember: cold-bootattacks on encryption keys, Communications of the ACM, vol. 52(5), pp. 91–98, 2009. doi: 10.1145/1506409.1506429.
• [9] Hausknecht K., Foit D., Burić J.: RAM data significance in digital forensics. In: 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), pp. 1372–1375, IEEE, 2015.doi: 10.1109/mipro.2015.7160488.
• [10] Hitaj B., Gasti P., Ateniese G., Perez-Cruz F.: PassGAN: A Deep Learning Approach for Password Guessing, 2019. doi: 10.1007/978-3-030-21568-2_11.
• [11] Kävrestad J.: Fundamentals of digital forensics, Springer, 2020. doi: 10.1007/978-3-030-38954-3.
• [12] Leimich P., Harrison J., Buchanan W.J.: A RAM triage methodology for Hadoop HDFS forensics, Digital Investigation, vol. 18, pp. 96–109, 2016. doi: 10.1016/j.diin.2016.07.003.
• [13] Pasquini D., Cianfriglia M., Ateniese G., Bernaschi M.: Reducing Bias in Modeling Real-world Password Strength via Deep Learning and Dynamic Dictionaries. In: 30th USENIX Security Symposium (USENIX Security 21),pp. 821–838, USENIX Association, 2021. https://www.usenix.org/conference/usenixsecurity21/presentation/pasquini.
• [14] Pasquini D., Gangwal A., Ateniese G., Bernaschi M., Conti M.: Improving password guessing via representation learning. In: 2021 IEEE Symposium on Securityand Privacy (SP), pp. 1382–1399, IEEE, 2021. doi: 10.1109/sp40001.2021.00016.
• [15] Percival C., Josefsson S.: The scrypt Password-Based Key Derivation Function, RFC 7914, 2016. doi: 10.17487/RFC7914.
• [16] Ravindra Sali V., Khanuja H.: RAM Forensics: The Analysis and Extraction of Malicious Processes from Memory Image Using GUI Based Memory Forensic Toolkit. In: 2018 Fourth International Conference on Computing Communication Control and Automation (ICCUBEA), pp. 1–6, IEEE, 2018. doi: 10.1109/iccubea.2018.8697752.
• [17] Su X., Larangeira M., Tanaka K.: How to prove work: with time or memory, IEEE Access, vol. 10, pp. 1192–1201, 2022. doi: 10.1109/access.2021.3138497.
• [18] Thomas S., Sherly K., Dija S.: Extraction of memory forensic artifacts from windows 7 ram image. In: 2013 IEEE Conference on Information & Communication Technologies, pp. 937–942, IEEE, 2013. doi: 10.1109/cict.2013.6558230.
• [19] Yu F.: On Deep Learning in Password Guessing, a Survey, 2022.
• [20] Zareen M.S., Waqar A., Aslam B.: Digital forensics: Latest challenges and response. In: 2013 2nd National Conference on Information Assurance (NCIA),pp. 21–29, 2013. doi: 10.1109/NCIA.2013.6725320

Uwagi

Opracowanie rekordu ze środków MNiSW, umowa nr POPUL/SP/0154/2024/02 w ramach programu "Społeczna odpowiedzialność nauki II" - moduł: Popularyzacja nauki (2025).