Katana: Robust, Automated, Binary-Only Forensic Analysis of Linux Memory Snapshots

Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses

Authors: Fabian Franzen, Tobias Holl, Manuel Andreas, Julian Kirsch, and Jens Grossklags
Year/month: 2022/10
Booktitle: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses
Pages: 214--231
Fulltext: https://www.cs.cit.tum.de/fileadmin/w00cfj/ct/papers/2022-RAID-Franzen.pdf

Abstract

The development and research of tools for forensically analyzing Linux memory snapshots have stalled in recent years as they cannot deal with the high degree of configurability and fail to handle security advances like structure layout randomization. Existing tools such as Volatility and Rekall require a pre-generated profile of the operating system, which is not always available, and can be invalidated by the smallest source code or configuration changes in the kernel. In this paper, we create a reference model of the control and data flow of selected representative Linux kernels. Using this model, ABI properties, and Linux's own runtime information, we apply a configuration- and instruction-set-agnostic structural matching between the reference model and the loaded kernel to obtain enough information to drive all practically relevant forensic analyses. We implemented our approach in Katana, and evaluated it against Volatility. Katana is superior where no perfect profile information is available. Furthermore, we show correct functionality on an extensive set of 85 kernels with different configurations and 45 realistic snapshots taken while executing popular Linux distributions or recent versions of Android from version 8.1 to 11. Our approach translates to other CPU architectures in the Internet-of-Things (IoT) device domain such as MIPS and ARM64 as we show by analyzing a TP-Link router and a smart camera. We also successfully generalize to modified Linux kernels such as Android.

Bibtex:

@inproceedings{franzen2022katana,
  author    = {Fabian Franzen and Tobias Holl and Manuel Andreas and Julian Kirsch and Jens Grossklags},
  title     = {Katana: Robust, Automated, Binary-Only Forensic Analysis of Linux Memory Snapshots},
  year      = {2022},
  month     = {October},
  booktitle = {Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses},
  pages     = {214--231},
  url       = {https://www.cs.cit.tum.de/fileadmin/w00cfj/ct/papers/2022-RAID-Franzen.pdf}
}