
Title: A tool to compute approximation matching between Windows processes
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Rodríguez, R. J., Martín-Pérez, M., Abadía, I.
Conference Name: 2018 6th International Symposium on Digital Forensic and Security (ISDFS)
Keywords: Approximation algorithms, approximation matching algorithms, Binary codes, bytewise approximate matching, composability, cryptographic hash values, cryptographic hashing functions, cryptography, digital forensics scenarios, dumping process, executable file, file organisation, forensic analysis, forensic memory analysis, Forensics, forensics memory image, Image forensics, image matching, Malware, memory image file, Metrics, Microsoft Windows, Microsoft Windows (operating systems), pubcrawl, Resiliency, Tools, volatility, Windows, Windows memory dump, Windows Operating System Security, windows processes
Abstract: Finding identical digital objects (or artifacts) during a forensic analysis is commonly achieved by means of cryptographic hashing functions, such as MD5, SHA-1, or SHA-256, to name a few. However, these functions exhibit the avalanche effect, which guarantees that if an input is changed slightly the output changes significantly. Hence, these functions are unsuitable for typical digital forensics scenarios where a forensic memory image from a likely compromised machine must be analyzed. This memory image file contains a snapshot of the processes (instances of executable files) that were executing when the dump was taken. However, processes are relocated in memory and contain dynamic data that depend on the current execution and environmental conditions. Therefore, comparing the cryptographic hash values of different processes spawned from the same executable file will give a negative result. Bytewise approximate matching algorithms may help in these scenarios, since they provide a similarity measurement in the range [0,1] between similar inputs instead of a yes/no answer (a value in {0,1}). In this paper, we introduce ProcessFuzzyHash, a Volatility plugin that enables us to compute approximate hash values of the processes contained in a Windows memory dump.
Citation Key: rodriguez_tool_2018