Mar 2012, Black Hat Europe 2012
https://www.blackhat.com/html/bh-eu-12/bh-eu-12-archives.html#haruyama
https://www.youtube.com/watch?v=HPgHLUVjxBU
Memory forensics is an effective technique to detect malware quickly or extract sensitive user data from RAM. Memory forensics is separated into two parts: memory acquisition and analysis. So far, some anti-acquisition methods were proposed and demonstrated, but there was no sufficient discussion about anti-analysis ones.
This presentation introduces anti-analysis methods based on unconsidered assumptions of the existing analysis tools. By using the methods, attackers can abort memory analysis and make the result empty. Since it's difficult for forensic analysts to figure out the cause from error messages, they must think acquired memory images are simply corrupted. Specifically, anti-analysis methods focus attention on three operations performed in memory analysis. All major analysis tools take several rapid approaches in these operations. If attackers want to make the analysis tools fail with the smallest modification, all they have to do is to modify only one byte of the data structure related to one approach. Of course, the modification has no impact on the running system.
The presentation is made up as follows. First, I show an overview about memory acquisition and analysis such as memory image formats, evaluation of acquisition tools, memory analyzing methods, comparison of analysis tools, and so on. Next, I point out issues of each analysis tool and key structures referred to by it, then I demonstrate all analysis tools fail by modifying data in the structures. Finally, I suggest desired usages for forensic analysts and improvement plans for developers to decrease the risk of anti-analysis methods.