Forensics in Telecommunications, Information, and Multimedia. Third International ICST Conference, e-Forensics 2010, Shanghai, China, November 11-12, 2010, Revised Selected Papers

Research Article

Digital Forensic Analysis on Runtime Instruction Flow

Download260 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-23602-0_15,
        author={Juanru Li and Dawu Gu and Chaoguo Deng and Yuhao Luo},
        title={Digital Forensic Analysis on Runtime Instruction Flow},
        proceedings={Forensics in Telecommunications, Information, and Multimedia. Third International ICST Conference, e-Forensics 2010, Shanghai, China, November 11-12, 2010, Revised Selected Papers},
        proceedings_a={E-FORENSICS},
        year={2012},
        month={10},
        keywords={Digital forensics Dynamic analysis Instruction flow Virtual machine Emulation},
        doi={10.1007/978-3-642-23602-0_15}
    }
    
  • Juanru Li
    Dawu Gu
    Chaoguo Deng
    Yuhao Luo
    Year: 2012
    Digital Forensic Analysis on Runtime Instruction Flow
    E-FORENSICS
    Springer
    DOI: 10.1007/978-3-642-23602-0_15
Juanru Li1,*, Dawu Gu1, Chaoguo Deng1, Yuhao Luo1
  • 1: Shanghai Jiao Tong University
*Contact email: jarod@sjtu.edu.cn

Abstract

Computer system’s runtime information is an essential part of the digital evidence. Current digital forensic approaches mainly focus on memory and I/O data, while the runtime instructions from processes are often ignored. We present a novel approach on runtime instruction forensic analysis and have developed a forensic system which collects instruction flow and extracts digital evidence. The system is based on whole-system emulation technique and analysts are allowed to define analysis strategy to improve analysis efficiency and reduce overhead. This forensic approach and system are applicable to binary code analysis, information retrieval and malware forensics.