Materials Today: Proceedings xxx (xxxx) xxx

Contents lists available at ScienceDirect

Materials Today: Proceedings

journal homepage: www.elsevier.com/locate/matpr

Memory forensic: Acquisition and analysis mechanism for operating

systems
Raj Shree a, Ashwani Kant Shukla b,⇑, Ravi Prakash Pandey c, Vivek Shukla d, Diksha Bajpai b
a
PI (CST-UP) Department of Information Technology, Babasaheb Bhimrao Ambedkar University, Lucknow, India
b
Department of Computer Science, Babasaheb Bhimrao Ambedkar University, Lucknow, India
c
IET, Dr. Rammanohar Lohia Avadh University, Ayodhya, India
d
Department of Information Technology, Babasaheb Bhimrao Ambedkar University, Lucknow, India

a r t i c l e i n f o a b s t r a c t

Article history: Memory forensics is also known as memory analysis, which deals with the estimation of the changeable
Received 24 March 2021 data in a system memory repository. In order to investigate and detect the attacks, the professionals per-
Received in revised form 24 April 2021 form the memory forensics to interpret the nature of the malware i.e. do not easily traceable on hard
Accepted 12 May 2021
drive data. Due to the daily advancement in technological landscape the memory forensic mechanism
Available online xxxx
is emerging trends because the nature of the attacks changing drastically. The general developed defense
mechanisms such as anti-malware are not enough capable to deal with the computer threats. Therefore,
Keywords:
the latest defense mechanism is directly embedded into the physical memory like RAM and opens the
Cybercrime
Memory acquisition
valuable scope of the memory forensic. From last a few decades, the technology and cybercrimes paral-
Memory analysis lelly growing drastically. There are multiple reasons to perform the cyber attacks such as theft and harm
Memory forensic methods the sensitive military data, targeting to ruin the energy system, identity theft of trade secrets, and cyber
Cybersecurity defamation. Memory-based forensic techniques are becoming very instrumental in digital investigations.
This objective of this paper is to help and make it easy to understand the investigator in the process of the
developing tools and techniques by considering different aspects of memory analysis and investigation.
Ó 2021 Elsevier Ltd. All rights reserved.
Selection and peer-review under responsibility of the scientific committee of the 1st International Con-
ference on Computations in Materials and Applied Engineering – 2021.

1. Introduction avoids the exercise system 0 processes of the client fields. In case
of client use case to employ the sensitive elements of the OS get
In general, the modern approaches of the operating systems swapped from client state to kernel state with the help of the
which influences the strategies of the memory analysis cum inves- appropriate system calls [20]. For analyzing the behaviors of mal-
tigation and address the ordinary characteristics in three commer- ware, it required a quite robust mechanism and obtained conse-
cial operating systems such as Microsoft Windows, Linux, and Mac quences can assist in the development of the secure systems. The
OSX [19]. The isolation gets enforced by the IA-32 processor archi- system performs either an application interrupt or specified-
tecture by implementing the four authorization phases which is framework instruction in order to design a system call. Also, it
ordinary cited as security exercise system [1]. Commonly, the inte- stores the schedule framework of the client state then gets trans-
gration of the kernel mode is always in user mode in security exer- formed into kernel state from process state by initializing the ker-
cise system 0 which consider as extreme sensitive and security nel stack and system calls. For creating, interrupting, and
exercise system 3 consider as low sensitive in every popular oper- terminating the processes that can be only deal by the operating
ating systems. In kernel mode, the moment when processor is start system. Due to technological advancement the latest operating
getting execute the instruction is unbounded in the elementary systems have the extreme characteristics known as multiprogram-
hardware whereas it consist of sensitive code and kernels. The exe- ming that is facilities to execute the multiple processes simultane-
cution memory fields instead of new devices with SMEP that ously. In order to execute the set of instructions, it creates a new
process by integrating self components such as process id and
address space. The address space functions as repository of the
⇑ Corresponding author.
process to store the user instructions, shared libraries, dynamic
E-mail address: [email protected] (A. Kant Shukla).

https://doi.org/10.1016/j.matpr.2021.05.270
2214-7853/Ó 2021 Elsevier Ltd. All rights reserved.
Selection and peer-review under responsibility of the scientific committee of the 1st International Conference on Computations in Materials and Applied Engineering – 2021.

Please cite this article as: R. Shree, A. Kant Shukla, R. Prakash Pandey et al., Memory forensic: Acquisition and analysis mechanism for operating systems,
Materials Today: Proceedings, https://doi.org/10.1016/j.matpr.2021.05.270
R. Shree, A. Kant Shukla, R. Prakash Pandey et al. Materials Today: Proceedings xxx (xxxx) xxx

data, and runtime stack. For allocating, deploying, and managing 2.1. Hardware-based techniques
the physical memory in operating system can be done by the effi-
cient use of the memory management [2]. There are various oper- 2.1.1. Steady hardware
ating systems get optimized its interfaces by considering as files In the process of investigation to obtain the memory sample
because it is very hard to predict the system types where users from victim system the steady hardware approaches get installed
connect with the system. A kernel function known as device driver in the physical devices. In [5,23], has proposed a device which is
get employed by operating system as a driver to broaden the ker- known as Tribble. Significantly, it has a greater potential to achieve
nel potential to assist new devices [3]. (See Fig. 1). a physical memory preview sample without making interface to OS
running in victim system. Before performing the memory forensic
steps the tribal devices must be initiated because once it get acti-
vated in the host system is interrupted to block the malware dur-
ing the process of memory imaging. Thereafter, it is
comprehensively dumping the memory and control gets returned
to host operating system (HOS).
2. Memory acquisitions

The memory acquisitions processes employed to preview the 2.1.2. Hardware bus
volatile memory representations from victim systems either by There are various hardware bus mechanism has already been
hardware-based or software-based implications. In software- developed to transfer the data within the network efficiently such
based implications, the process of capturing memory is anticipated as such as PCI, USB, and FireWire. The FireWire hardware bus, effi-
on the operating system. In hardware-based implications, the ciently employ to access the machine insecure memory in memory
memory acquisition has been advised very efficient mechanism acquisition. In the beginning, the Hess mechanism employs for the
because it is hard to find comprehensive and precise memory Mac OSX and Linux-based systems thereafter it starts functioning
transparency using software [21]. with windows operating systems. Thus, there are various feature-
The accuracy and consistency is a two significant parameter based FireWire bus is available to facilitate the abstract the raw
which affirm that the obtained image is a precise sample of the physical memory from machine [6].
host memory. In [4], it states that if the result is not guaranteed
to be reliable, then the memory should not be there at all. This is 2.2. Software-based techniques
because if the manipulation of the memory image yields incorrect
information, the information obtained after evaluation which may 2.2.1. Virtualization
leads the investigation in wrong directions. Using the availability Virtualization is responsible for separating and makes the
technique to find out whether the technology should operate arbi- dependable environments for transmission system like virtual
trarily on systems and without adapting the some higher technol- machine (VMs) that function within a host machine. In order to
ogy to translate the significant parts of the devices in operating save the volatile memory data of VMware-based virtual machine
system [22]. under the extension of either .vmem or .vmss in host machine run-

Fig. 1. Measure the Efficacy of Acquisition Techniques in Memory Forensics Process [4].

2
R. Shree, A. Kant Shukla, R. Prakash Pandey et al. Materials Today: Proceedings xxx (xxxx) xxx

ning directory. Regarding the environments, it is employing in both less because of the dedicated hardware platforms dependency, sin-
virtualization and memory acquisition highly atomic and available gle processor execution, and higher latency rate [10].
efficiently [7]. Also, it makes the virtualization-based techniques is
extremely evaluation functional for memory analysis as well as 2.3. Cold booting technique
memory acquisition techniques [24].
In [13] has defined which showed in Fig. 2 the three basic steps
2.2.2. Crash dump for acquiring the data from volatile memory. (See Figs. 3 and 4).
Unusually, if the machine stops working the windows OS has
ability to program that update a file to memory dump. The system
3. Memory analysis mechanism
state and main memory gets trapped is subject to the adverse
machine dump and rest of the CPU information is stored in the
The memory forensic analyst focused to search the binary
machine registry for later analysis. In order to perform the memory
images for text information such as user credentials using com-
forensic [25], it is quite essential to ensure the software get crashed
mand line like strings, Grep [7], and some other commonly tools
by enforcing the preliminary settings using third-party application
employed to fragment the files from raw data. Moreover, it assists
or editing the registry such as right-Ctrl + scroll lock + scroll lock
to reacquire al the leftover information in memory in case got
crash dump. In the windows OS directory must be changed by
deleted memory addresses which has not been exaggerated yet.
allowing the physical crash dump technique due to the limitation
Significantly, it is user-friendly but parallelly develops the error
of the techniques. Additionally, the crash dump machine may over-
datasets as a result needs substantial costs and responsible to
look the parts of the page file, which may minimize the total avail-
increase the higher which leads to the false positives (FP) [11].
able evidence volume [8].
There are multiple research has been done recently to retrieve
the significant information from memory by replacing the manual
2.2.3. User-mode exercise
searching mechanism through automation or naïve techniques [7].
PMDump [9] tool essentially assists the investigators to evalu-
The latest mechanism has the greater ability to find out the nature,
ate the memory address of a victim machine and obtain the source
characteristics, and address of data stored in memory. Fig. 2 repre-
address of single instance from the RAM. Significantly, it is com-
sents the most common types of mechanism developing by
pleting the execution quite rapidly and only controlling the consid-
researchers that significantly assists to retrieve the data.
eration of process in memory address. In addition, the user-mode
applications are that they are characterized by high availability
3.1. Process and thread analysis
(HA) [26]. The corresponding devices can be executed with the
help of the external flash drive to reduce the machine deficiency
The windows operating system maintains a list of memory and
and proposed to deal with the windows-based OS. Similarly, due
EPROCESS structures to help schedule and execute programs. Ini-
to the set of protocols it considered as the primarily cons of the
tial attempts to extract the state of a system are based on the con-
dedicated software-based solutions which must be installed into
cept of computing lists of processes and threads created in areas
RAM to function. Consequently, user-mode exercises are not frag-
such as process control blocks (PCBs) in a memory image [12].
mentary while capturing memory from the victim machine. Addi-
These list-running techniques are able to extract a list of currently
tionally, the client applications are rely on the OS-based
executed processes and threads associated with memory to help
characteristic which leads to make the machine vulnerable and
provide a snapshot of the system with RAM. However, when these
as a results attempt to exploit the threats. Conclusively, the pre-
techniques compute through lists created by the kernel, the results
vailing fragmentary of such techniques is particularly dubious in
of the analysis can be truncated through techniques such as direct
order to capturing memory from the victim machine that possibly
kernel object manipulation (DKOM). The limitations of compute-
running virus [27].
style approaches to computation and thread analysis have led to
the development of signature-based scanning of memory which
2.2.4. Kernel-mode exercise
uses a set of rules to accurately describe the system process or
The industrialist and researchers are significantly giving the
thread’s structure.
attention on implementing the robust kernel-mode software and
applications that can be employed to make forensic copies of
RAM in order to deal with the user-mode exercise deficiency [7]. 3.2. Cryptographic key analysis
The OS keep creating the new process and thread resources while
executing and capable to modify the memory despite that an appli- The memory images analysis, it is employed to obtain the cryp-
cation is a kernel-mode driver. Also, these mechanisms are exploit- tographic keys which are responsible to give the opportunity to use
ing the threats in OS interoperability as per user-mode applications
exercise. As a result, the availability issues occurred in kernel-
based mechanisms whenever it needs administrator privileges. In
such case the investigator advanced users privilege authorizing
to install a driver-based mechanism on machine [28].

2.2.5. Operating system injection

In [10] a memory acquisition technique named as BodySnatcher
has proposed i.e. enable the facilities to efficiently deal with the
critical issues using software-based mechanism [10]. It gets
installed into the victim machine kernel as an independent OS.
The primarily robustness of the proposed tools i.e. not rely on
the victim OS has been uninstalled or not because it has self set
of characteristics. Despite the fact that the efficiency of the pro-
posed technique prompting the atomic memory images. There
are certain limitation has been observed that its availability is very Fig. 2. Three Basic Steps for Acquiring Data from Volatile Memory [13].

3
R. Shree, A. Kant Shukla, R. Prakash Pandey et al. Materials Today: Proceedings xxx (xxxx) xxx

Fig. 3. The Most Common Types of Researchers are Developing Techniques to extract [11].

Fig. 4. Signature-based Volatile Memory Forensics [12].

the encrypted data on the machine. It ensures that the capturing Due to the limitation of windows kernel i.e. not delicately able to
volatile memory is quite significant because it gives only the pos- deal with TCP/IP transmission in such scenario the command line
sible way to access the devices Full-disk encryption (FDE). The ele- tcpip.sys has used to perform in memory. After running the tools
mentary techniques such as pulling the plug which is facilitate once in PDB files of physical memory the analyst attempt to obtain
with the encryption keys and assist to retrieve the out-of-reach all possible relative notation by extracting the information which
encrypted data in memory. Also, it has potential to restore True- helps to determine the active TCP establishment from vulnerable
Crypt password from memory image which has employed to memory figment. The analysis mechanisms provide the best facil-
encrypt the complete disk volume. Moreover, the mechanism ity in-depth analysis about the relative data and incidence
proves that the possible way of capturing data which assists to occurred in memory [30].
decrypt the information in terms of given password value [29].

3.4. Open file analysis

3.3. Network analysis
The open file analysis techniques are exploiting the virtual
The greater characteristics of the memory images which facili- address descriptor in-short known as VAD structure which assists
tate to understand the internal architecture of the machine net- to uncover the files and objects. The preliminary function of the
work connectivity by assisting to retrieve the data process from VAD to continuously monitoring the assigned memory scale and
the memory in local and remote socket addresses (RSA) of active it data structure gets stimulated by the kernel [13]. Moreover,
network connections. Additionally, it is implemented to Microsoft the running segment which directed to the multiple file instances
program database (MSPDB) which assists to distinguish the data which facilitate to the investigator after analysing the multiple ele-
structures along with notation i.e. implemented for the practice. ments of the VAD structure. In memory forensic, the open file anal-
4
R. Shree, A. Kant Shukla, R. Prakash Pandey et al. Materials Today: Proceedings xxx (xxxx) xxx

ysis play a very significant role because it facilitate to generate logs 4.2. Dynamic analysis
about the files which any read or write operation gets performed
by the specific users. Further, it helps for analysing the victim In order to deal with the malware the dynamic-based analysis
machine using in-depth defense mechanism. mechanism further gets classified into two parts such as basic
dynamic analysis and advanced dynamic analysis. In basic dynamic
analysis, it is singly run and monitored the nature of the malware
3.5. System state analysis in laboratory [11]. Likewise in advanced dynamic analysis, the lab-
oratory and debugger suppose to be present for observing the nat-
In order to restructure the machine states and deleting the ure of the malicious software [12]. While performing the anti-
unnecessary objects which gets identified in memory figment facil- defense mechanism it can take long time because it needs to
itates by the system state analysis. Before the seizer of the victim acquire the additional knowledge about the malware and the pro-
machine, it is quite necessary to generate the logs which assist in fessional robustly know about the self-modifying code and packers
analysing that operation gets performed by the user during the operations. For example, once the malware get identified and
incidence occurred in huge volume of data structure using differ- attempt to debug the software possibly it gets modified by itself
ent system state analysis techniques. In [16] has developed the [13]. Moreover, the malware can generate the duplicate data and
mechanism to retrieve the data from RAM to windows notepad make more complex patches when it gets attempted to modified
because during the forensic analysis it always get overlooked by [14].
the professional by not considering as a digital proof such as user
credentials, copied documents, and bookmarks, etc. which might 4.3. Malware forensics
leads towards the conclusion.
The purpose to perform the real-time forensics process is to col-
lect the major information to the victim machine because some of
3.6. Analysis tools the information stored in the system on temporary basis such as
RAM [15]. Possibly, the volatile data holds the salient information
The analysis tools are playing a quite significant role in forensic which needs to decrypt performing either static or dynamic analy-
analysis by facilitating the multiple features which make it easy to sis. In the malware analysis, the efficient collection of the data
collect the evidence precisely from volatile memory figments. always plays a very significant role such as for making easy inter-
Nowadays, the free open-source software in-short known as FOSS pretation, scientifically correlated the data, nature and affect which
and commercialized software providing the free and efficient leads towards the conclusion. In addition, for maintaining the
hands to investigator for dedicatedly reach to the results. Such as integrity of the data it needs to create the hash.
the FOSS given the more opportunities for research about the nat-
ure of threats whereas commercialized software greater assistance 4.4. Streamline malware analysis
in digital forensic. There are the few frequent techniques and char-
acteristics have discussed below: In malware analysis, the most challenging task when the data
gets collected by the non-professional that’s why data always has
 Moonsol for windows memory toolkit been collected by the professional due to its significancy because
 Responsible (professional and community) from HB Gary the experts best practices and knowledge make it easy to decide
 Mandatory memory the level of significancy.
 Instability outlines from unstable systems
4.4.1. Determine the effective approach
In malware analysis, the most primarily steps always needs to
4. Malware analysis using memory forensic
follow that to collect the victim machine information either in run-
ning or shut down mode. While collecting the data from the victim
In memory forensic, there are two conventional popular mech-
machine it needs to avoid the conventional data collection tech-
anisms such as static analysis and dynamic analysis which is fre-
niques. There are some data in machine gets stored temporarily
quently using for the analysis of the malware in real time [7].
such as RAM i.e. itself stored the most significant data so the best
way to collect the while the machine is in running mode. In case
the advanced static or dynamic analysis performs later stages it
4.1. Static analysis
is not suppose to affect the operation of the malware forensics [18].
Static analysis is the mechanism to analyze the digital informa-
tion without running it. It is one of the simplest methods which 4.4.2. Information needs to be collected
run and facilitate to delete metadata integrated with the malicious In memory forensic, the information needs to be collected has
information. Also, it is preserve the important data with addition of been discussed in Fig. 5 [17].
providing required data which assists to determines dedicated
loopholes and reach to the conclusion [8,10]. Moreover, it facili- 5. Conclusion
tates to retrieve the identification structure such as Windows API
calls, string signature, control flow graph (CFG), operation codes Memory forensics provides the best way of the understandings
frequency, and byte sequence n-grams. The strings tools can be about the machine activities into dynamic environment such as
used to easily identify the attacker objectives because it usually open network connections, recently runned commands, and pro-
contains the significant lexical information and known as malware cesses. In the machine memory, the critical information related
essence alert system. A CFG called the directed graph which helps to threats or attacks are usually stored in multiple cases. Due to
to represent the flowchart of the software. It is play a quite signif- daily advancement in the technological landscape the techniques
icant role in malicious identification which is precisely analyze the of exploiting the threats also growing parallelly and become more
nature of exe file and assist to retrieve the software design. N- challenging task to prevent the operating system with such attacks
grams are contiguous results of an order of length n. as a results the memory forensic techniques becomes quite popu-
5
R. Shree, A. Kant Shukla, R. Prakash Pandey et al. Materials Today: Proceedings xxx (xxxx) xxx

Fig. 5. Information needs to be collected [17].

lar and drawing the attention of the professional and researcher as [8] Symantec (2017) ‘Internet Security Threat Report’, 22(April). Available at:
https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-
well. Recently, there are some security mechanism has been inte-
2017-en.pdf.
grated with memory forensic nature analysis techniques. These [9] K. Tam, CopperDroid: Automatic Reconstruction of Android Malware
tools have the greater potential to precisely deal with the malware Behaviors, in: Proceedings 2015 Network and Distributed System Security
such as rootkits, zero-days attacks, and other relative information Symposium. Reston, VA: Internet Society, 2015, pp. 8–11. doi: 10.14722/
ndss.2015.23145.
in machine physical memory. The major finding during the study [10] A. Case, G.G. Richard, Memory forensics: The path forward, Digital Invest. 20
is that there are many network related defense mechanism such (2017) 23–33, https://doi.org/10.1016/j.diin.2016.12.004.
as firewalls and antivirus tools are still needs to be enhanced [11] V. Ravindra Sali, H.K. Khanuja, RAM Forensics: The Analysis and Extraction of
Malicious Processes from Memory Image Using GUI Based Memory Forensic
because the potential of the malware is directly gets executed in Toolkit, in: 2018 Fourth International Conference on Computing
physical memory or RAM. Communication Control and Automation (ICCUBEA), Pune, India, 2018, pp.
1–6, https://doi.org/10.1109/ICCUBEA.2018.8697752.
[12] Arjun Chetry, Uzzal Sharma, Memory Forensics Analysis for Investigation of
CRediT authorship contribution statement Online Crime - A Review, in: 2019 6th International Conference on Computing
for Sustainable Global Development (INDIACom), 2019, pp. 40–45.
[13] R.A. Awad, J. López, M. Rogers, Volatile Memory Extraction- Based Approach
Raj Shree: Experimental work, Testing, Paper writing. Ashwani for Level 0–1 CPS Forensics, in: 2019 IEEE International Symposium on
Kant Shukla: Testing, Characterization. Ravi Prakash Pandey: Technologies for Homeland Security (HST), 2019, pp. 1–6.
[14] R.A. Awad, J.M. Saeed Beztchi, B Lyles Smith, S. Prowell, Tools, Techniques, and
Experimental work, Testing, Paper writing. Vivek Shukla: Testing,
Methodologies: A Survey of Digital Forensics for SCADA Systems, ICSS 18,
Characterization. Diksha Bajpai: Testing , Characterization. 2018.
[15] M. Gruhn, F.C. Freiling, Evaluating atomicity, and integrity of correct memory
acquisition methods, Digital Invest. 16 (2016) S1–S10.
Declaration of Competing Interest [16] Latzo, Tobias, Julian Brost, F. Freiling. ‘‘BMCLeech: Introducing Stealthy
Memory Forensics to BMC, 2020.
The authors declare that they have no known competing finan- [17] R. Palutke, F. Freiling, Styx: Countering robust memory acquisition, Digit.
Investig. 24 (2018) S18–S28.
cial interests or personal relationships that could have appeared [18] F. Freiling, T. Grob, T. Latzo, T. Muller, R. Palutke, Advances in Forensic Data
to influence the work reported in this paper. Acquisition, IEEE Des. Test 35 (5) (2018) 63–74.
[19] WindowsITPro, 2016. Understanding Compressed Memory in Windows 10
Anniversary Edition. http://windowsitpro.com/windows-10/understanding-
References compressedmemory-windows-10-anniversary-edition.
[20] Lookout, 2016. Sophisticated, Persistent Mobile Attack against High-value
[1] O.M. Adedayo, Big data and digital forensics: Rethinking digital forensics, Targets on IoS. https://blog.lookout.com/blog/2016/08/25/trident-pegasus/.
Proceedings of IEEE International Conference on Cybercrime and Computer [21] A. Ionescu, What are little patchguards made of? 2015, http://www.alex-
Forensic, 2016. ionescu. com/?-290.
[2] N.M. Karie, H.S. Venter, Taxonomy of challenges for digital forensics, J. Forensic [22] Kernel patch protection, 2016. https://en.wikipedia.org/wiki/Kernel_Patch_
Sci. 60 (4) (2015) 885–893. Protection.
[3] M. Losavio, K.C. Seigfried-Spellar, J.J. Sloan, Why digital forensics is not a [23] Schneier, B., 2016. Ddos Attacks Against dyn. https://www.schneier.com/blog/
profession and how it can become one, Crim. Justice Stud. 29 (2) (2016) 143– archives/2016/10/ddos_attacks_ag.html.
162. [24] SecureList, 2015. The Rise of.net and Powershell Malware. https://
[4] S. Zawoad, R. Hasan, A Trustworthy Cloud Forensics Environment, IFIP Adv. Inf. securelist.com/ blog/research/72417/the-rise-of-net-and-powershell-
Commun. Technol. – Adv. Digital Forensic. XI (2015) 271–285, https://doi.org/ malware/.
10.1007/978-3-319-24123-4_16. [25] The increased use of powershell in attacks, 2016. https://www.overleaf.com/
[5] C. Zoubek, K. Sack, Selective deletion of non-relevant data, in: Digital 6919029ggkynfmkjvss#/23651472/.
Investigation, Elsevier, 2017, pp. S92–S98, https://doi.org/10.1016/j. [26] The Volatility Framework: Volatile Memory Artifact extraction Utility
diin.2017.01.006. Framework, 2016. https://github.com/volatilityfoundation/volatility.
[6] D. Walnycky, I. Baggili, A. Marrington, J. Moore, F. Breitinger, Network and [27] theiphonewiki, 2016. Malware for ios. https://www.theiphonewiki.com/wiki/
device forensic analysis of Android social-messaging applications, in: Digital Malware_for_iOS#Tools_used_by_governments_.28and_similar.29_to_target_
Investigation, Elsevier Ltd, 2015, pp. S77–S84, https://doi.org/10.1016/j. individuals.
diin.2015.05.009. [28] ThreatPost, 2016. Mirai-fueled iot Botnet Behind ddos Attacks on dns
[7] G. Tolomei et al., Interpretable Predictions of Tree-based Ensembles via Providers. https://threatpost.com/mirai-fueled-iot-botnet-behind-ddos-
Actionable Feature Tweaking, in: Proceedings of the 23rd ACM SIGKDD attacks-on-dnsproviders/121475/.
International Conference on Knowledge Discovery and Data Mining - KDD ’17, [29] Volexity, Powerduke: Widespread Post-election Spear Phishing Campaigns
2017, pp. 465–474, https://doi.org/10.1145/3097983.3098039. Targeting Think Tanks and ngos, 2016. https://www.volexity.com/blog/2016/

6
R. Shree, A. Kant Shukla, R. Prakash Pandey et al. Materials Today: Proceedings xxx (xxxx) xxx

11/09/ powerduke-post-election-spear-phishing-campaigns-targeting-think- Further Reading

tanksand-ngos/.
[30] P. Wachter, M. Gruhn, Practicability study of android volatile memory forensic
[1] T. Latzo, R. Palutke, F. Freiling, A universal taxonomy and survey of forensic
€ research, in: Information Forensics and Security (WIFS), IEEE International
memory acquisition techniques, Digit. Investig. 28 (2019) 56–69.
Workshop on IEEE, 2015, pp. 1–6.
[2] A. Sokolov, A. Barinov, I. Antyasov, S.V. Skurlaev, M. Ufimtcev, V.S. Luzhnov,
Hardware-Based Memory Acquisition Procedure for Digital Investigations of
Security Incidents in Industrial Control Systems, in: 2018 Global Smart
Industry Conference (GloSIC), 2018, pp. 1–7.