Katana: Robust, automated, binary-only forensic analysis of linux memory snapshots
F Franzen, T Holl, M Andreas, J Kirsch, J Grossklags
Proceedings of the 25th International Symposium on Research in Attacks …, 2022, dl.acm.org
The development and research of tools for forensically analyzing Linux memory snapshots have stalled in recent years as they cannot deal with the high degree of configurability and fail to handle security advances like structure layout randomization. Existing tools such as Volatility and Rekall require a pre-generated profile of the operating system, which is not always available, and can be invalidated by the smallest source code or configuration changes in the kernel.
In this paper, we create a reference model of the control and data flow of selected representative Linux kernels. Using this model, ABI properties, and Linux’s own runtime information, we apply a configuration- and instruction-set-agnostic structural matching between the reference model and the loaded kernel to obtain enough information to drive all practically relevant forensic analyses.
We implemented our approach in Katana and evaluated it against Volatility. Katana is superior where no perfect profile information is available. Furthermore, we show correct functionality on an extensive set of 85 kernels with different configurations and 45 realistic snapshots taken while executing popular Linux distributions or recent versions of Android from version 8.1 to 11. Our approach translates to other CPU architectures in the Internet-of-Things (IoT) device domain, such as MIPS and ARM64, as we show by analyzing a TP-Link router and a smart camera. We also successfully generalize to modified Linux kernels such as Android.