Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)

Abstract

Lossless compression of memory dumps from virtual machines that run malware samples is considered with the goal of significantly reducing archival costs in dynamic-malware-analysis applications. Given that, in such dynamic-analysis scenarios, malware samples are typically run in virtual machines just long enough to activate any self-decryption or other detection-avoidance maneuvers, the virtual-machine memory typically changes little from that of the baseline state, with the difference being attributable in large degree to the loading of additional executables and libraries. Consequently, delta coding is proposed to compress the current virtual-machine memory dump by coding its differences with respect to a predicted memory image formed by loading the same executables and libraries into the baseline memory. Experimental results reveal a significant improvement in compression efficiency as compared to straightforward delta encoding without such predictive executable/library loading.
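As an added illustration of the delta-coding idea described in the abstract (not the paper's own code), the following Python toy model constructs a baseline image, a dump in which two modules have been mapped plus some scattered runtime changes, and a predicted image formed by mapping the same modules into the baseline; it then compares zlib sizes of the raw dump, the dump XOR baseline, and the dump XOR predicted image. The module contents, sizes and load offsets are constructed assumptions.

```python
import hashlib
import zlib

def pseudo_random_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic, incompressible filler (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length buffers: the delta residual."""
    assert len(a) == len(b)
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

def map_modules(image: bytes, modules: dict) -> bytes:
    """Copy of `image` with each module written at its load offset.
    `modules` is {offset: bytes}; offsets are assumed known from the dump's module list."""
    buf = bytearray(image)
    for offset, data in modules.items():
        buf[offset:offset + len(data)] = data
    return bytes(buf)

def build_scenario(size: int = 64 * 1024) -> tuple:
    """Constructed sample data: returns (dump, baseline, predicted)."""
    baseline = pseudo_random_bytes(b"baseline", size)
    # Two 8 KiB 'modules' loaded at assumed offsets while the sample ran.
    modules = {0x2000: pseudo_random_bytes(b"mod-a", 8192),
               0x8000: pseudo_random_bytes(b"mod-b", 8192)}
    dump = bytearray(map_modules(baseline, modules))
    # Scattered heap/stack changes that the predictor cannot anticipate.
    for i, byte in enumerate(pseudo_random_bytes(b"heap", 256)):
        dump[0xC000 + i * 7] = byte
    predicted = map_modules(baseline, modules)  # same modules into the baseline
    return bytes(dump), baseline, predicted

def compressed_sizes(dump: bytes, baseline: bytes, predicted: bytes) -> dict:
    """zlib sizes of the raw dump, dump XOR baseline, and dump XOR predicted."""
    return {
        "raw": len(zlib.compress(dump, 9)),
        "delta_baseline": len(zlib.compress(xor_bytes(dump, baseline), 9)),
        "delta_predicted": len(zlib.compress(xor_bytes(dump, predicted), 9)),
    }
```

Decoding is the same XOR against the stored reference image, so the archive only needs the baseline, the module list, and the residual.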

