Digital Forensics and Cyber Crime. 9th International Conference, ICDF2C 2017, Prague, Czech Republic, October 9-11, 2017, Proceedings

Research Article

Approxis: A Fast, Robust, Lightweight and Approximate Disassembler Considered in the Field of Memory Forensics

  • @INPROCEEDINGS{10.1007/978-3-319-73697-6_12,
        author={Lorenz Liebler and Harald Baier},
        title={Approxis: A Fast, Robust, Lightweight and Approximate Disassembler Considered in the Field of Memory Forensics},
        proceedings={Digital Forensics and Cyber Crime. 9th International Conference, ICDF2C 2017, Prague, Czech Republic, October 9-11, 2017, Proceedings},
        proceedings_a={ICDF2C},
        year={2018},
        month={1},
        keywords={Approximate disassembly Approximate matching Disassembly Binary analysis Memory forensics},
        doi={10.1007/978-3-319-73697-6_12}
    }
    
  • Lorenz Liebler
    Harald Baier
    Year: 2018
    Approxis: A Fast, Robust, Lightweight and Approximate Disassembler Considered in the Field of Memory Forensics
    ICDF2C
    Springer
    DOI: 10.1007/978-3-319-73697-6_12
Lorenz Liebler1,*, Harald Baier1,*
  • 1: University of Applied Sciences
*Contact email: lorenz.liebler@h-da.de, harald.baier@h-da.de

Abstract

The discipline of detecting known and unknown code structures in large sets of data is a challenging task. An example could be the examination of memory dumps of an infected system. Memory forensic frameworks rely on system relevant information and the examination of structures which are located within a dump itself. With the constant increasing size of used memory, the creation of additional methods of data reduction (similar to those in disk forensics) are eligible. In the field of disk forensics, approximate matching algorithms are well known. However, in the field of memory forensics, the application of those algorithms is impractical. In this paper we introduce : an approximate disassembler. In contrary to other disassemblers our approach does not rely on an internal disassembler engine, as the system is based on a compressed set of ground truth x86 and x86-64 assemblies. Our first prototype shows a good computational performance and is able to detect code in large sets of raw data. Additionally, our current implementation is able to differentiate between architectures while disassembling. Summarized, is the first attempt to interface approximate matching with the field of memory forensics.