Random Access Memory Forensics Methodology for Investigating Cryptocurrency Protocols (Record no. 8868)
| 000 -LEADER | |
|---|---|
| fixed length control field | 10544nam a22002537a 4500 |
| 008 - FIXED-LENGTH DATA ELEMENTS--GENERAL INFORMATION | |
| fixed length control field | 210125b2019 a|||f mb|| 00| 0 eng d |
| 040 ## - CATALOGING SOURCE | |
| Original cataloging agency | EG-CaNU |
| Transcribing agency | EG-CaNU |
| 041 0# - Language Code | |
| Language code of text | eng |
| Language code of abstract | eng |
| 082 ## - DEWEY DECIMAL CLASSIFICATION NUMBER | |
| Classification number | 658 |
| 100 0# - MAIN ENTRY--PERSONAL NAME | |
| Personal name | Shaimaa Sherif Ali |
| 245 1# - TITLE STATEMENT | |
| Title | Random Access Memory Forensics Methodology for Investigating Cryptocurrency Protocols |
| Statement of responsibility, etc. | Shaimaa Sherif Ali |
| 260 ## - PUBLICATION, DISTRIBUTION, ETC. | |
| Date of publication, distribution, etc. | 2019 |
| 300 ## - PHYSICAL DESCRIPTION | |
| Extent | 101 p. |
| Other physical details | ill. |
| Dimensions | 21 cm. |
| 500 ## - GENERAL NOTE | |
| Materials specified | Supervisor: Nashwa Abd El-Baki |
| 502 ## - Dissertation Note | |
| Dissertation type | Thesis (M.A.)—Nile University, Egypt, 2019. |
| 504 ## - Bibliography | |
| Bibliography | "Includes bibliographical references" |
| 505 0# - Contents | |
| Formatted contents note | Abstract<br/>Chapter 1: Memory Forensics Fundamentals<br/>1.1 Digital Forensics Discipline<br/>1.2 Malware Analysis Discipline<br/>1.3 Memory Page Tables in Brief<br/>1.4 The Process Object in Windows Memory<br/>1.4.1 Windows Portable Executable (PE) Format<br/>1.4.2 _EPROCESS Structure in Brief<br/>Chapter 2: Literature Review for Cryptocurrency Protocols<br/>2.1 Bitcoin Protocol<br/>2.1.1 Technical Review and Cryptographic Techniques Used<br/>2.1.2 Messages of Bitcoin Protocol<br/>2.1.3 Bitcoin Digital Forensics<br/>2.2 CryptoNote Protocol<br/>2.2.1 Historical Review and Cryptographic Techniques Used<br/>2.2.2 CryptoNote Terminology<br/>2.2.3 RPC Calls of CryptoNote Protocol<br/>2.2.4 Monero Digital Forensics<br/>2.3 Stratum Mining Protocol<br/>2.3.1 RPC Calls of Stratum Protocol<br/>2.3.2 The Role of Stratum Protocol in Drive-by Mining Attack<br/>Chapter 3: Case Study Construction<br/>3.1 Virtualization Tools<br/>3.2 Memory Capture Tool: WinPMEM<br/>3.2.1 Prerequisites before Memory Capture<br/>3.2.2 Procedure to Capture Physical Memory Image<br/>3.3 Digital Forensics Tool: Volatility<br/>3.3.1 The Four Main Categorized Volatility Plugins<br/>3.3.2 Installation of Volatility Framework<br/>3.3.3 Writing a New Plugin<br/>Chapter 4: Proposed Methodology<br/>4.1 The Proposed Methodology in a Flowchart Diagram<br/>4.2 The Pseudo Code for Proposed Methodology<br/>4.3 Structure of The Developed Plugin<br/>4.3.1 Calculate Function<br/>4.3.2 Render Function<br/>4.4 Revealing Version of Wallet<br/>4.5 Execution of The Developed Plugin<br/>4.6 How Forensics Artifacts Extracted?<br/>4.7 Case Studies Map<br/>4.8 Details of Developing a Volatility Plugin<br/>4.8.1 How Many Readable Memory Pages Exist in The Target Process?<br/>4.8.2 How One Memory Page Looks Like?<br/>4.8.3 How to Manipulate The Raw Data Content of a Memory Page?<br/>4.8.4 How to Search a Signature in a Python String?<br/>4.8.5 How to Validate our Parsing for Memory Page Contents?<br/>4.8.6 Summary for Volatility Classes/Functions Used in The Developed Plugins<br/>4.8.7 Summary for Python Modules Used in The Developed Volatility Plugins<br/>Chapter 5: Results of Case-Study One<br/>5.1 Bitcoin Core Results<br/>5.1.1 Artifacts Regarding Other Nodes in Bitcoin P2P Network<br/>5.1.2 Artifacts Regarding Transactions<br/>5.1.3 Revealing Version of Bitcoin Core Wallet<br/>5.2 Monero Results<br/>5.2.1 Artifacts Regarding Synchronizing Monero Wallet with The Network<br/>5.2.2 Artifacts Regarding Peers in Monero P2P Network<br/>5.2.3 Artifacts Regarding Blocks and Transactions<br/>5.3 A Comparison of The Methodology Proposed Against Past RAM Forensics<br/>5.3.1 Revealing Bitcoin Cryptocurrency Artifacts Comparison<br/>5.3.2 Revealing Network Artifacts Comparison<br/>Chapter 6: Results of Case-Study Two<br/>6.1 Revealing Login Identity of The Malicious Author<br/>6.2 Artifacts Regarding Malicious Pools and Ways to Communicate<br/>6.3 Artifacts Regarding Mining Parameters<br/>Chapter 7: Conclusion and Future Work<br/>7.1 Contributions and Findings<br/>7.2 Future Work<br/>Appendix<br/>Addr.py plugin<br/>_EPROCESS Members<br/>References |
| 520 3# - Abstract | |
| Abstract | The growing market of cryptocurrencies, and subsequently the cyber-attacks involving them, raises the importance of Digital Forensics in this domain. Ransomware demands ransom payments in Bitcoin currency. Mining malware exhausts the processing power of infected computers to mine different types of cryptocurrencies without user permission.<br/>Many forensic research works explain cryptocurrency in terms of found addresses and wallet files/folders, without paying attention to the underlying cryptographic protocols. Our proposed algorithm covers this gap. This research aims at creating a volatile memory parser for the Bitcoin and CryptoNote network protocols and the Stratum mining protocol. Our parser reveals digital forensics information and correlates it to the corresponding cryptocurrency community.<br/>The proposed digital forensics methodology extracts digital evidence and forensic artifacts from system memory to assist investigations involving cryptocurrency. In addition, case studies are presented to explain the proposed methodology using our developed Volatility plugins. Each protocol’s documentation is examined to select methods helpful to retrieve information that serves the Digital Forensics discipline.<br/>The cryptocurrency memory forensics investigation methodology extracts a series of forensically valuable cryptocurrency protocol methods/calls. Case studies are classified into legitimate and malicious processes. The first case study involves analyzing two legitimate processes working under two cryptocurrency network protocols: Bitcoin and CryptoNote. The second case study analyzes three different malicious Monero mining processes. The mining protocol in the second case study with malware processes is Stratum.<br/>Currency transactions and revealing malicious identity are the key findings of the case studies. Other findings are listed in the results chapters. |
| 546 ## - Language Note | |
| Language Note | Text in English, abstracts in English. |
| 650 #4 - Subject | |
| Subject | Information Security |
| 655 #7 - Index Term-Genre/Form | |
| Source of term | NULIB |
| Focus term | Dissertation, Academic |
| 690 ## - Subject | |
| School | Information Security |
| 942 ## - ADDED ENTRY ELEMENTS (KOHA) | |
| Source of classification or shelving scheme | Dewey Decimal Classification |
| Koha item type | Thesis |
| Withdrawn status | Lost status | Source of classification or shelving scheme | Damaged status | Not for loan | Home library | Current library | Date acquired | Total Checkouts | Full call number | Date last seen | Price effective from | Koha item type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | | Dewey Decimal Classification | | Not For Loan | Main library | Main library | 01/25/2021 | | 658 / S.S.R / 2019 | 01/25/2021 | 01/25/2021 | Thesis |