Correlating processes for automatic memory evidence analysis

Nowadays in order to process and store many kinds of multimedia data, the storage capability of memory has grown greatly. Moreover the widespread use of mobile devices and cloud computing has made criminal investigators often face a lot of memory dumps. They have to deal with a large quantity of memory data and complex OS data structures which they have little knowledge of. How to analyze memory evidence automatically in order to find hidden criminal behavior and reconstruct the criminal scenario in an understandable way has become an important problem. Current memory analysis methods usually aim at recovering certain data structures. The illegal behavior identification and the event reconstruction are still completed manually by investigators. This paper presents a novel method to correlate processes for automatic memory evidence analysis. Through analyzing key OS data structures and utilizing a clustering algorithm, it can discover the relationships among processes. And by describing these relationships as correlation graphs, our method can display evidence in a high semantic level. Some experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios.