Authors: Enoch Wang (University of New Haven), Samuel Zurowski (University of New Haven), Orion Duffy (University of New Haven), Tyler Thomas (University of New Haven), and Ibrahim Baggili (University of New Haven)
DFRWS USA 2022
Abstract
V8 is the open-source JavaScript (JS) engine developed by Google to run JS in Chrome, and it powers other software used by billions of people. Malicious threat actors abuse JS because most modern browsers implicitly trust script code to execute. To aid incident response and memory forensics in such scenarios, our work introduces the first generalizable account of the memory forensics of the V8 JS engine and provides practitioners with a list of objects, and their descriptors, that can be extracted from a memory image. These objects can reveal key information about a user and their activity. We analyzed the V8 engine and its garbage-collection process. We then developed and validated a Volatility plugin, V8MapScan, that reconstructs V8 objects from a memory image. V8MapScan scans process memory for the MetaMap within the V8 isolate and detects objects within the heap. Through object-fitting, we were able to extract objects, object maps, and the root object map, also known as the MetaMap. We were able to reconstruct objects both before and after garbage collection. Our findings were verified with the Chrome DevTools Heap Profiler. Our approach recovered a majority of the data that resides in V8, and the results showed that we were able to extract, on average, over 98.9% of ONE BYTE INTERNALIZED STR type objects from memory.
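The scanning idea in the abstract (locate the MetaMap, then the Maps that point to it, then the objects that point to those Maps) can be illustrated on a constructed memory image. The following Python is an added example written for this page; it is not the authors' V8MapScan plugin and it does not use Volatility. It assumes a deliberately simplified heap layout: 64-bit words with no pointer compression, every heap object starting with a tagged pointer to its Map (address with the low bit set, as with V8's heap-object tag), Smis carrying the low bit clear, and the MetaMap being the one Map whose own map pointer refers to itself. The image contents, the 32-byte object size and the fake descriptor fields are all constructed for the example.

```python
"""Toy scan for a V8-style MetaMap and the objects reachable through it.

Assumed (simplified) layout, NOT V8's real one:
  * 64-bit words, no pointer compression
  * every HeapObject starts with a tagged pointer to its Map
    (tagged pointer = object address | 1)
  * Smis have the low bit clear and carry their value in the upper bits
  * the MetaMap is the Map whose own map pointer points to itself
"""
import struct
from collections import Counter

WORD = 8
HEAP_TAG = 1

# Constructed sample addresses (not from a real dump).
BASE = 0x10000
META, MAP_A, MAP_B = BASE + 0x00, BASE + 0x20, BASE + 0x40
OBJ1, OBJ2, OBJ3 = BASE + 0x60, BASE + 0x80, BASE + 0xA0


def tag(addr):
    return addr | HEAP_TAG


def untag(word):
    return word & ~HEAP_TAG


def is_heap_pointer(word):
    return word & HEAP_TAG == HEAP_TAG


def smi(n):
    # Smi encoding: value shifted up, tag bit clear, so it never matches a pointer.
    return n << 1


def words(image):
    """Yield (offset, word) for every word-aligned slot in the image."""
    for off in range(0, len(image) - WORD + 1, WORD):
        yield off, struct.unpack_from("<Q", image, off)[0]


def find_meta_map_candidates(image, base):
    """MetaMap candidates: slots whose tagged value points at their own address."""
    return [base + off for off, w in words(image)
            if is_heap_pointer(w) and untag(w) == base + off]


def find_maps(image, base, meta_map):
    """Maps are the objects (other than the MetaMap itself) whose map pointer is the MetaMap."""
    return [base + off for off, w in words(image)
            if w == tag(meta_map) and base + off != meta_map]


def find_objects(image, base, maps):
    """Object-fitting, toy version: a slot whose map pointer lands on a known Map."""
    map_set = set(maps)
    return [(base + off, untag(w)) for off, w in words(image)
            if is_heap_pointer(w) and untag(w) in map_set]


def scan(image, base):
    """Run the three passes for every MetaMap candidate; group objects per Map."""
    results = {}
    for meta in find_meta_map_candidates(image, base):
        maps = find_maps(image, base, meta)
        objs = find_objects(image, base, maps)
        results[meta] = {"maps": maps, "objects": objs,
                         "per_map": Counter(m for _, m in objs)}
    return results


def build_image():
    """Constructed 192-byte image: one MetaMap, two Maps, three objects, 4 words each."""
    image = bytearray(0xC0)

    def put(addr, *vals):
        for i, v in enumerate(vals):
            struct.pack_into("<Q", image, addr - BASE + i * WORD, v)

    put(META,  tag(META),  smi(0),  smi(0), smi(0))
    put(MAP_A, tag(META),  smi(3),  smi(0), smi(0))   # fake descriptor fields
    put(MAP_B, tag(META),  smi(5),  smi(0), smi(0))
    put(OBJ1,  tag(MAP_A), smi(42), smi(7), smi(0))
    put(OBJ2,  tag(MAP_B), smi(1),  smi(2), smi(3))
    # A dangling pointer outside the image: tagged, but fits no known Map, so ignored.
    put(OBJ3,  tag(MAP_A), tag(BASE + 0x1000), smi(0), smi(0))
    return bytes(image)


if __name__ == "__main__":
    img = build_image()
    for meta, found in scan(img, BASE).items():
        print(f"MetaMap @ {meta:#x}: {len(found['maps'])} maps, "
              f"{len(found['objects'])} objects")
        for m, n in found["per_map"].items():
            print(f"  map {m:#x}: {n} objects")
```

Against a real Chrome dump the same three passes need the real layout: current desktop Chrome builds V8 with pointer compression, so map pointers are 32-bit offsets relative to the isolate's cage base and the scan must step in 4-byte slots and decompress each candidate before comparing it to the slot's own address. Matching only the map pointer also produces false positives on stale copies left behind by garbage collection, which is why the paper fits objects against map descriptors rather than stopping at the pointer match.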