Authors: Vassil Roussev, Ph.D. (University of New Orleans), Irfan Ahmed (University of New Orleans), Thomas Sires
DFRWS USA 2014
The correct identification of operating system kernel versions is the first critical step in deep memory analysis enables the precise parsing of the kernel data structures and the correct interpretation of the observed system state. Identifying the exact kernel version is particularly challenging for open source operating systems where kernel upgrades are released frequently, and custom versions can be created on demand. State of the practice approaches, such as Volatility’s, rely on small and fragile signatures; state of the art research work relies on an intricate understanding of architecture-specific implementation details, which limits them to Intel x86 environments, and requires continuous updates to identify the distinguishing characteristics of new kernels. In contrast, our work builds robust signatures based solely on the content of the kernel images on disk and is able to efficiently distinguish among incremental kernel version updates. The approach is entirely content-driven and requires no low-level analysis of the operation of the kernel. It utilizes an approximate matching tool extract kernel fingerprints and can be applied across different architectures without the need to parse and interpret the RAM snapshot. In addition, our evaluation data which contains hundreds of kernels provides insights into the typical levels of content similarity across related kernels.