Picking up the trash: Exploiting generational GC for memory analysis
Saved in:
| Title: | Picking up the trash: Exploiting generational GC for memory analysis |
|---|---|
| Authors: | Pridgen, Adam, Garfinkel, Simson, Wallach, Dan S. |
| Publisher Information: | Elsevier |
| Publication Year: | 2017 |
| Collection: | Rice University: Digital Scholarship Archive |
| Subject Terms: | Memory forensics, Malware analysis, Java, HotSpot JVM, Managed runtimes |
| Description: | Memory analysis is slowly moving up the software stack. Early analysis efforts focused on core OS structures and services. As this field evolves, more information becomes accessible because analysis tools can build on foundational frameworks like Volatility and Rekall. This paper demonstrates and establishes memory analysis techniques for managed runtimes, namely the HotSpot Java Virtual Machine (JVM). We exploit the fact that residual artifacts remain in the JVM's heap to create basic timelines, reconstruct objects, and extract contextual information. These artifacts exist because the JVM copies objects from one place to another during garbage collection and fails to overwrite old data in a timely manner. This work focuses on the Hotspot JVM, but it can be generalized to other managed run-times like Microsoft .Net or Google's V8 JavaScript Engine. |
| Document Type: | article in journal/newspaper |
| File Description: | application/pdf |
| Language: | English |
| Relation: | Pridgen, Adam, Garfinkel, Simson and Wallach, Dan S. "Picking up the trash: Exploiting generational GC for memory analysis." Digital Investigation, 20, no. Supplement (2017) Elsevier: S20-S28. https://doi.org/10.1016/j.diin.2017.01.002.; https://hdl.handle.net/1911/105029; picking-up-trash; https://doi.org/10.1016/j.diin.2017.01.002 |
| DOI: | 10.1016/j.diin.2017.01.002 |
| Availability: | https://hdl.handle.net/1911/105029 https://doi.org/10.1016/j.diin.2017.01.002 |
| Rights: | This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). ; http://creativecommons.org/licenses/by-nc-nd/4.0/ |
| Accession Number: | edsbas.3FA46FB7 |
| Database: | BASE |
Nájsť tento článok vo Web of Science | Abstract: | Memory analysis is slowly moving up the software stack. Early analysis efforts focused on core OS structures and services. As this field evolves, more information becomes accessible because analysis tools can build on foundational frameworks like Volatility and Rekall. This paper demonstrates and establishes memory analysis techniques for managed runtimes, namely the HotSpot Java Virtual Machine (JVM). We exploit the fact that residual artifacts remain in the JVM's heap to create basic timelines, reconstruct objects, and extract contextual information. These artifacts exist because the JVM copies objects from one place to another during garbage collection and fails to overwrite old data in a timely manner. This work focuses on the Hotspot JVM, but it can be generalized to other managed run-times like Microsoft .Net or Google's V8 JavaScript Engine. |
|---|---|
| DOI: | 10.1016/j.diin.2017.01.002 |