A Comprehensive Quantification of Inconsistencies in Memory Dumps
- URL: http://arxiv.org/abs/2503.15065v2
- Date: Mon, 28 Jul 2025 13:11:18 GMT
- Title: A Comprehensive Quantification of Inconsistencies in Memory Dumps
- Authors: Andrea Oliveri, Davide Balzarotti
- Abstract summary: We develop a system to track all write operations performed by the OS kernel during a memory acquisition process. We quantify how different acquisition modes, file systems, and hardware targets influence the frequency of kernel writes during the dump.
- Score: 13.796554685139855
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Memory forensics is a powerful technique commonly adopted to investigate compromised machines and to detect stealthy computer attacks that do not store data on non-volatile storage. To employ this technique effectively, the analyst has to first acquire a faithful copy of the system's volatile memory after the incident. However, almost all memory acquisition tools capture the content of physical memory without stopping the system's activity and by following the ascending order of the physical pages, which can lead to inconsistencies and errors in the dump. In this paper we developed a system to track all write operations performed by the OS kernel during a memory acquisition process. This allows us to quantify, for the first time, the exact number and type of inconsistencies observed in memory dumps. We examine the runtime activity of three different operating systems and the way they manage physical memory. Then, focusing on Linux, we quantify how different acquisition modes, file systems, and hardware targets influence the frequency of kernel writes during the dump. We also analyze the impact of inconsistencies on the reconstruction of page tables and major kernel data structures used by Volatility to extract forensic artifacts. Our results show that inconsistencies are very common and that their presence can undermine the reliability and validity of memory forensics analysis.
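An added illustration, not from the paper or its tracking tool: a toy Python model of ascending-order page acquisition under concurrent kernel writes, showing how one structure update that straddles the acquisition front yields a dump state the live system never held. All page contents and the write schedule are constructed.

```python
"""Toy model of page-ordered memory acquisition with a concurrently writing kernel.

Physical memory is a list of pages copied in ascending order. Between page
copies the 'kernel' writes. A write to a page already copied is invisible to
the dump (stale); a write to a page not yet copied is captured (fresh). A dump
that mixes both records a state that never existed on the live system.
"""
from dataclasses import dataclass, field


@dataclass
class KernelWrite:
    page: int    # physical page index the kernel writes
    value: str   # new content of that page


@dataclass
class DumpStats:
    stale: int = 0   # writes lost because the page was already acquired
    fresh: int = 0   # writes captured because the page was not yet acquired
    dump: list = field(default_factory=list)


def acquire(memory, writes_after_step):
    """Copy pages 0..n-1 in order; after copying page i, apply the kernel
    writes scheduled for step i to live memory and classify each one."""
    live = list(memory)
    stats = DumpStats()
    for i in range(len(live)):
        stats.dump.append(live[i])          # acquisition tool reads page i
        for w in writes_after_step.get(i, []):
            live[w.page] = w.value          # kernel write lands meanwhile
            if w.page <= i:
                stats.stale += 1            # dump keeps the pre-write content
            else:
                stats.fresh += 1            # dump will see the post-write content
    return stats, live


def torn_structure(pages):
    """Page 0 holds a header 'ptr=<page>:<version>' expecting 'node_<version>'
    on the target page; the structure is torn when the versions disagree."""
    _, ref = pages[0].split("=")
    page, version = ref.split(":")
    return pages[int(page)] != f"node_{version}"


def demo():
    # Constructed 4-page memory: header on page 0 points at node on page 2.
    memory = ["ptr=2:v1", "unused", "node_v1", "unused"]
    # While page 1 is being copied the kernel moves the structure to v2,
    # updating the node (page 2, not yet dumped) and the header (page 0, dumped).
    writes = {1: [KernelWrite(2, "node_v2"), KernelWrite(0, "ptr=2:v2")]}
    return acquire(memory, writes)
```

The dump pairs the old header with the new node, a combination the live system never held, which is the kind of tear that breaks pointer-chasing reconstruction in a memory forensics framework.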
Related papers
- RMBench: Memory-Dependent Robotic Manipulation Benchmark with Insights into Policy Design [77.30163153176954]
  RMBench is a simulation benchmark comprising 9 manipulation tasks that span multiple levels of memory complexity.
  Mem-0 is a modular manipulation policy with explicit memory components designed to support controlled ablation studies.
  We identify memory-related limitations in existing policies and provide empirical insights into how architectural design choices influence memory performance.
  arXiv Detail & Related papers (2026-03-01T18:59:59Z)
- MemoryArena: Benchmarking Agent Memory in Interdependent Multi-Session Agentic Tasks [55.145729491377374]
  Existing evaluations of agents with memory typically assess memorization and action in isolation.
  We introduce MemoryArena, a unified evaluation gym for benchmarking agent memory in multi-session Memory-Agent-Environment loops.
  MemoryArena supports evaluation across web navigation, preference-constrained planning, progressive information search, and sequential formal reasoning.
  arXiv Detail & Related papers (2026-02-18T09:49:14Z)
- First Steps, Lasting Impact: Platform-Aware Forensics for the Next Generation of Analysts [0.0]
  Disk and memory forensic acquisition techniques across samples representing Windows and Linux systems.
  Windows typically supports reliable disk imaging and analysis through established tools such as FTK Imager and Autopsy/Sleuth Kit.
  Linux environments, which rely on file systems like ext4 and XFS, generally offer greater transparency.
  Memory analysis on Linux systems benefits from tools like LiME, snapshot utilities, and dd for memory acquisition.
  arXiv Detail & Related papers (2026-01-29T19:43:46Z)
- Valori: A Deterministic Memory Substrate for AI Systems [0.0]
  Valori is a deterministic AI memory substrate that replaces floating-point memory operations with fixed-point arithmetic.
  We show how Valori enforces determinism at the memory boundary.
  Our results suggest that deterministic memory is a necessary primitive for trustworthy AI systems.
  arXiv Detail & Related papers (2025-12-25T06:04:04Z)
- Agentic Learner with Grow-and-Refine Multimodal Semantic Memory [50.81667005063605]
  ViLoMem is a dual-stream memory framework that constructs compact, schema-based memory.
  It encodes visual distraction patterns and logical reasoning errors, enabling MLLMs to learn from their successful and failed experiences.
  arXiv Detail & Related papers (2025-11-26T18:55:08Z)
- Multiple Memory Systems for Enhancing the Long-term Memory of Agent [9.43633399280987]
  Existing methods, such as MemoryBank and A-MEM, have poor quality of stored memory content.
  We have designed a multiple memory system inspired by cognitive psychology theory.
  arXiv Detail & Related papers (2025-08-21T06:29:42Z)
- RX-INT: A Kernel Engine for Real-Time Detection and Analysis of In-Memory Threats [0.0]
  We present RX-INT, a kernel-assisted system featuring an architecture that provides resilience against TOCTOU attacks.
  RX-INT introduces a detection engine that combines a real-time thread creation monitor with a stateful Virtual Address Descriptor (VAD) scanner.
  In our evaluation, RX-INT successfully detected a manually mapped region that was not identified by PE-sieve.
  arXiv Detail & Related papers (2025-08-05T19:43:25Z)
- LeakGuard: Detecting Memory Leaks Accurately and Scalably [3.256598917442277]
  LeakGuard is a memory leak detection tool which provides a satisfactory balance of accuracy and scalability.
  For accuracy, LeakGuard analyzes the behaviors of library and developer-defined memory allocation and deallocation functions.
  For scalability, LeakGuard examines each function of interest independently by using its function summary and under-constrained symbolic execution technique.
  arXiv Detail & Related papers (2025-04-06T09:11:37Z)
- Bridging the Semantic Gap in Virtual Machine Introspection and Forensic Memory Analysis [0.6372911857214884]
  The "Semantic Gap" is the difficulty of interpreting raw memory data without specialized tools and expertise.
  We investigate how a priori knowledge, metadata and engineered features can aid VMI and FMA.
  Our methods show that having more metadata boosts performance, with all methods obtaining an F1-Score of over 80%.
  arXiv Detail & Related papers (2025-03-07T14:51:32Z)
- SHIELD: Secure Host-Independent Extensible Logging for Tamper-Proof Detection and Real-Time Mitigation of Ransomware Threats [17.861324495723487]
  SHIELD is a detection architecture leveraging FPGA-based open-source SATA and Network Block Device technology.
  It provides off-host, tamper-proof measurements for continuous observation of disk activity for software executing on a target device.
  SHIELD's robust host-independent and hardware-assisted metrics are a basis for detection, allowing observation of program execution and detection of malicious activities at the storage level.
  arXiv Detail & Related papers (2025-01-28T01:33:03Z)
- Blindfold: Confidential Memory Management by Untrusted Operating System [1.4801853435122903]
  Existing Confidential Computing (CC) solutions hide confidential memory from the OS and/or encrypt it to achieve confidentiality.
  This paper presents our results toward overcoming these limitations, synthesized in a CC design named Blindfold.
  Blindfold relies on a small trusted software component running at a higher privilege level than the kernel, called Guardian.
  arXiv Detail & Related papers (2024-12-02T02:40:05Z)
- GuardFS: a File System for Integrated Detection and Mitigation of Linux-based Ransomware [8.576433180938004]
  GuardFS is a file system-based approach to investigate the integration of detection and mitigation of ransomware.
  Using a bespoke overlay file system, data is extracted before files are accessed.
  Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system.
  arXiv Detail & Related papers (2024-01-31T15:33:29Z)
- Black-box Unsupervised Domain Adaptation with Bi-directional Atkinson-Shiffrin Memory [59.51934126717572]
  Black-box unsupervised domain adaptation (UDA) learns with source predictions of target data without accessing either source data or source models during training.
  We propose BiMem, a bi-directional memorization mechanism that learns to remember useful and representative information to correct noisy pseudo labels on the fly.
  BiMem achieves superior domain adaptation performance consistently across various visual recognition tasks such as image classification, semantic segmentation and object detection.
  arXiv Detail & Related papers (2023-08-25T08:06:48Z)
- Recurrent Dynamic Embedding for Video Object Segmentation [54.52527157232795]
  We propose a Recurrent Dynamic Embedding (RDE) to build a memory bank of constant size.
  We propose an unbiased guidance loss during the training stage, which makes SAM more robust in long videos.
  We also design a novel self-correction strategy so that the network can repair the embeddings of masks with different qualities in the memory bank.
  arXiv Detail & Related papers (2022-05-08T02:24:43Z)
- Memory-Guided Semantic Learning Network for Temporal Sentence Grounding [55.31041933103645]
  We propose a memory-augmented network that learns and memorizes the rarely appeared content in TSG tasks.
  MGSL-Net consists of three main parts: a cross-modal interaction module, a memory augmentation module, and a heterogeneous attention module.
  arXiv Detail & Related papers (2022-01-03T02:32:06Z)
- Kernel Continual Learning [117.79080100313722]
  Kernel continual learning is a simple but effective variant of continual learning to tackle catastrophic forgetting.
  An episodic memory unit stores a subset of samples for each task to learn task-specific classifiers based on kernel ridge regression.
  Variational random features are used to learn a data-driven kernel for each task.
  arXiv Detail & Related papers (2021-07-12T22:09:30Z)
- Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection [67.53296659361598]
  Adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes.
  We develop a unifying framework that not only encompasses and generalizes previous attacks against machine-learning models, but also includes three novel attacks.
  These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.
  arXiv Detail & Related papers (2020-08-17T07:16:57Z)
- DMV: Visual Object Tracking via Part-level Dense Memory and Voting-based Retrieval [61.366644088881735]
  We propose a novel memory-based tracker via part-level dense memory and voting-based retrieval, called DMV.
  We also propose a novel voting mechanism for the memory reading to filter out unreliable information in the memory.
  arXiv Detail & Related papers (2020-03-20T10:05:30Z)
This list is automatically generated from the titles and abstracts of the papers in this site.