Feb 15, 2019
Live Forensic Method Using Process Duplication to Maintain High System Availability
- Volume: 60
- Number: 2
- First page: 696
- Last page: 705
- Language: Japanese
- Publishing type: Research paper (scientific journal)
Most conventional digital forensic methods are designed to target hard disk drives, making them ineffective at detecting in-memory malware. In addition, in order to prevent a target system from changing the evidence on hard disk drives, it is necessary to shut down the system or stop its processing, reducing system availability. In this paper, we propose a live forensic method using process duplication to maintain high system availability. The proposed method duplicates the virtual address space of a target process for investigation, and obtains the relevant evidence from the duplicate. By reducing the occurrence of memory copy in the duplication process, it is possible to detect in-memory malware while retaining system availability. We describe the effectiveness of the proposed method, and furthermore, evaluate and report on the delay time when this method is applied to a periodically executing process.
- Link information
  - CiNii Articles: http://ci.nii.ac.jp/naid/170000150145
  - CiNii Books: http://ci.nii.ac.jp/ncid/AN00116647
  - URL: http://id.nii.ac.jp/1001/00194307/
- ID information
  - ISSN: 1882-7764
  - CiNii Articles ID: 170000150145
  - CiNii Books ID: AN00116647