Professional Documents
Culture Documents
Live Forensics of Software Attacks On Cyber Physical Systems
Live Forensics of Software Attacks On Cyber Physical Systems
PII: S0167-739X(17)33053-4
DOI: https://doi.org/10.1016/j.future.2018.07.028
Reference: FUTURE 4346
Please cite this article as: Z.A. Al-Sharif, M.I. Al-Saleh, L.M. Alawneh, Y.I. Jararweh, B. Gupta,
Live forensics of software attacks on cyber physical systems, Future Generation Computer Systems
(2018), https://doi.org/10.1016/j.future.2018.07.028
This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to
our customers we are providing this early version of the manuscript. The manuscript will undergo
copyediting, typesetting, and review of the resulting proof before it is published in its final form.
Please note that during the production process errors may be discovered which could affect the
content, and all legal disclaimers that apply to the journal pertain.
Noname manuscript No.
(will be inserted by the editor)
then characterizing the possible values of various vari- Our results show that regardless of whether the pro-
ables that ought to be scattered over different RAM gram is running, the JVM is active or just stopped, the
pages. Obviously, the use of object oriented programs DI can employ knowledge from the presumed program’s
increases the complexity of execution states, evidenced source code such as static and instance level variables
in part by the difficulty of its software testing pro- and their potential values in order to confirm the ac-
cess [8]. Software variables of an OOP can be catego- tual usage of the software; based on identifying these
rized based on their scopes, access modifiers, and exe- values in corresponding RAM dumps. Hence, some val-
cution lifetimes. A variable’s scope and its access mod- ues of local variables are not expected to be success-
ifier determine the visibility of a variable and where fully located when their corresponding stack frames are
it can be accessed within the program’s source code. not active, though most of which are successfully iden-
Hence, a variable’s storage, which is defined by the tified. Additionally, values of static variables and lo-
memory type such as stack and heap, determines the cal variables of static methods are often found to have
duration in which its value is allocated and released [9]. longer duration in memory than the instance related
On the other hand, variables can be classified based values. Furthermore, in most cases, dynamically allo-
on whether they are allowed to be changed during ex- cated values are identified in RAM dumps even after
ecution and how these changes are visible within var- the Garbage Collector (GC) is explicitly invoked or
ious parts of the program’s source code. For example, even after the program is terminated. A comprehensive
in Java, the program do not change variables’ values comparison between our findings during various possi-
that are marked with f inal once they are assigned, ble scenarios and variable states are ascertained on all
such variables are often initialized with literal values. investigated platforms.
These literals might be unique to the executable pro- The rest of this paper is organized as follows. Sec-
gram and its execution state. Moreover, many other tion 2 presents a deeper look at CPS systems, in which
non-constant variables might be assigned with literal our research motivations are presented and the needed
values too. When these literals are unique to the pre- security measurements are highlighted. Section 3 re-
sumed program’s source code and some of its execu- views some of the background knowledge used in this
tion paths, then retaining these values in RAM can be paper. Section 4 presents our investigation model and
used to establish the Digital Evidences (DE), define the explains how it employs information available in the
actual software usage and assert its distinct execution program’s source code to confirm that the program is
path. actually used in the attack. Section 5 describes our
Common DF tools and techniques are not designed experiments whereas our results are presented in Sec-
and developed to stop an attack, but to identify the tion 6. Section 7 presents our related work. Finally, our
source of an incident, determine its type, preserve the planned future work is presented in Section 8 whereas
DE, and analyze the findings [10]. This paper focuses on Section 9 concludes our findings.
the Memory Forensics (MF) of the Java-based software
usage. It identifies various DE that would be employed
2 CPS Systems: New Usage & Security Needs
to confirm the software usage and its association with
the crime. The research methodology presented in this
The idea of Cyber Physical Processes (CPP) is not new.
paper is relying solely on mining the core dumps of
The term embedded systems is used, long before CPS,
the physical memory of the host machine and assuming
to describe engineered systems that combine physical
no information is available from the Operating System
parts of a system with a software that is built into it.
(OS) or the used Java Virtual Machine (JVM).
Recently, this term is modernized to include the ap-
In order to verify our approach, various experiments plications that are parts of aircrafts, autonomous cars,
and scenarios are established, for each of which a RAM home appliances, weapons, robots, and more [11]. Hence,
dump is created and analyzed. During the analysis pro- when such systems are closed boxes that do not expose
cess, various variables’ scopes and memory types are as- their computing capabilities to the outside world, they
sumed. Our experiments are designed to establish the are isolated and then protected from the perpetrators.
DE between source code related values that obtained
from the execution states of a running Java program
and compare these DE when the internal implementa- 2.1 Motivation
tion of the used JVM is different. JVMs that are run-
ning on all of MS Windows, Mac OS X, and Fedora Networking CPS systems is mandated by the new usage
Linux are investigated and the obtained DE are com- scenarios that are inspired by the various recent tech-
pared between similar scenarios. nological advances. For example, the ongoing increase
Live Forensics of Software Attacks on Cyber Physical Systems 3
in the number of physical things such as sensors, actua- which demands the evolving of security measurements
tors, smart phones, tablets, gaming consoles, traditional including the DF and MF capacities that would facili-
desktop and laptop computers, along with the explosive tate the ability to digitally detect and identify perpetra-
increase in the usage of online networking services and tors in order to apprehend them and stop their criminal
applications, all of this motivates the development and acts.
the use of new CPS systems [12]. This paper targets perpetrators who use software to
Therefore, this generates an emerging need to widen organize their attacks on various CPS systems. It tar-
the CPS definition to include into consideration the gets attackers who use software that are written in the
environment, which incorporates the different types of Java programming language that is famous in its de-
computing devices including the Internet of Things (IoT) sign goal of write-once, run-anywhere [36], which makes
[13], which will conclusively combine daily used things it one of the mostly used programming languages [37].
of computers, devices, appliances, and machines that Our goal is to forensically experiment with different im-
are connected to the Internet [14, 15]. The utilization of plementations of JVM and to compare the execution
these systems encouraged new services and applications footprints of the same program on different platforms,
and revolutionized our world in different fields through these comparisons are made from the MF perspective
their tight interactions and automated decisions. All and the DI point of view. Our aim is to investigate the
this is envisioned to be facilitated by the new genera- differences in program’s execution traces in RAM and
tion of the 5G technologies that will be able to expand its utilization in MF cases and the DE collection and
the interoperability between this diverse of devices and establishing process. Even though Java is the target of
applications [16–21]. our experimentation, we expect most of our findings to
Moreover, the movement from cloud based to fog be significantly pertinent to similar programming lan-
based computing or edge computing [22, 23], in which guages and execution environments.
the application logic including storages and analytics
are placed on the actual device instead of a centric
server. This serves better the heterogeneous commu- 3 Background
nication network, but opens the door for vulnerabilities
and endangers security [24, 25]. Though, CPS foren- A software process may employ various variables. In
sic studies can benefit from the diverse literature in OOP languages such as Java, these variables can be
the field of digital forensic science, which refers to the classified into class level and method level. Class level
mathematical, statistical, and computer science meth- variables can be further categorized into instance and
ods that are employed in order to collect, identify, ana- static. Most of the time, a variable’s type defines the
lyze, and interpret digital evidences [26]. Thus, digital duration of its value in RAM. For example, the values
forensics would ensure the ability to identify, collect, of static variables are allocated by the runtime system
and analyze malicious sources from involved nodes and before instances (objects) are created. These variables
infrastructures and help react to criminals’ attacks. might be initialized with default values whenever they
are not explicitly initialized by the programmer. How-
ever, unlike instance variables, the duration of static
2.2 Security Threat variables does not depend on the objects created from
that class. Furthermore, static values are shared by all
The technological advances will keep equipping our world objects. Instance variables’ duration in RAM is lim-
with new CPS systems that will keep formulating new ited to the exact object instantiated from that class;
usage scenarios. Therefore, such a large scale would each object has its own set of values. Moreover, local
make it nearly impossible to guarantee security for ev- variables (method level) are allocated on the stack and
ery single subsystem, unless new and innovative secu- their visibility is limited to the correspondent method
rity measurements are implemented [27–33]. or code block, in which they are initially defined.
For example, in this wide definition of CPS systems,
the security and privacy issues are not fully defined.
Additionally, issues relating to the confidentiality, in- 3.1 OS Support
tegrity, and availability are not fully described [34].
Nonetheless, this opens a considerable threat that would Typically, software processes are served by their host
shake the level of our trust and dependability on such OS, each of which provides services to the programs
systems [35]. Thus, prominence and superiority in such that it runs. For example, in a UNIX based system,
a future world that is filled with CPS systems will de- when the Kernel executes a C program, a special rou-
pend on the success on a variety of directions, one of tine, which is known as the startup routine, is automat-
4 Ziad A. Al-Sharif* et al.
4 Investigation Model
– Derived class virtual method usage; i.e. the over- D: Instance base class level variables (object level
ridden virtual method is used versus when such a variables)
method is never used V10 : Public instance base class level variables
– Derived class new method usage; i.e. the newly in- V11 : Protected instance base class level variables
troduced derived class method is used versus when V12 : Private instance base class level variables
it is never used E: Locals of an active instance base class method
– Object usage; i.e. the created object is still refer- (object level methods)
enced and alive versus when it is not referenced any- V13 : Local variables in a public currently active
more and the GC is explicitly invoked instance base class method
– Program status; i.e. the used program is still run- V14 : Local variables in a protected currently ac-
ning versus when it is terminated or even the JVM tive instance base class method
is shutdown V15 : Local variables in a private currently active
instance base class method
The above considerations are used to investigate the
F: Locals of a never been active instance base class
duration of various variables’ values and their impact by
method (object level methods)
the used execution scenario, each of which are described
V16 : Local variables in a public but never active
in the following two subsections.
instance base class method
V17 : Local variables in a protected but never ac-
5.2 Investigated Variables tive instance base class method
V18 : Local variables in a private but never active
During our validation process, a set of experimental instance base class method
steps are designed with the aim at exposing the evi- G: Instance derived class level variables (object level
dence related to the execution state based on informa- variables)
tion and variables’ values from the program’s source V19 : Public instance derived class level variables
code. A total of 26 different variables’ types (V1 to V26 ) V20 : Protected instance derived class level vari-
are defined and experiments are established to inspect ables
the durations of their potential values in corresponding V21 : private instance derived class level variables
RAM dumps that are captured during various execu- H: Locals of an overridden virtual method (base
tion scenarios. These variables are categorized based on class methods)
their utilization and usage objectives into ten different V22 : Local variables in an overridden virtual method
types, each of which is marked with a letter f rom A to J that is never used
and described below: V23 : Local variables in an overridden base class
virtual method that its override is currently ac-
A: Static base class level variables (class level vari-
tive
ables)
I: Locals of an overridden virtual method (derived
V1 : Public static base class level variables
class methods)
V2 : Protected static base class level variables
V24 : Local variables in an override of a derived
V3 : Private static base class level variables
class virtual method that is never used
B: Locals of an active static base class method (class
V25 : Local variables in an override of a derived
level methods)
class virtual method that is currently active
V4 : Local variables in a public currently active
J: Locals of a newly introduced method (derived
static base class method
class methods)
V5 : Local variables in a protected currently ac-
V26 : Local variables in new derived level class
tive static base class method
method that is currently active
V6 : Local variables in a private currently active
static base class method We start our experimentation steps by preparing a
C: Locals of a never been active static base class Java program and predefine a set of various execution
method (class level methods) states and paths that can be assumed during the exe-
V7 : Local variables in a public but never active cution of this subject program. These execution states
static base class method are used to identify the capturing points of the cor-
V8 : Local variables in a protected but never ac- responding RAM dumps, each of which are analyzed
tive static base class method and the results are compared to investigate the physi-
V9 : Local variables in a private but never active cal memory behavior of this Java program that runs on
static base class method each of MS Windows, Mac OS X, and Fedora Linux;
Live Forensics of Software Attacks on Cyber Physical Systems 7
Fig. 5: The used string literals. It shows the length of Fig. 6: The size of the striped down memory dumps.
these 26 (V1 to V26 ) potential string values that are used It shows the size of each memory dump during each
during our experimentation. execution scenario (Si ) on each of the three expected
platforms.
Table 1: The size in MB for the striped down RAM dumps during the 21 different execution states for all of
Windows, Mac OS X, and Fedora Linux. (i) represents the striped down memory dumps using the UTF8 encoding
format, whereas the (ii) represents the size of the striped down memory dumps using the UTF16 encoding format.
Algorithm 1 Find & Match: Evidence Identification our knowledge of the source code of the used program,
Takes a set of potential values from the assumed pro- we extracted all literal values from the source code of
gram states and tries to locate them within a set of the investigated program and formatted them in both
RAM dumps from the execution scenarios. UTF8 and UTF16. Then, both of these encoded literals
1: Input 1: V alSet: A set of potential variables’ values are located and their number of occurrences are identi-
2: Input 2: DumpSet: A Set of captured memory dumps fied in the target memory dump. Algorithm 1 is applied
3: Result: # Occurrences of (Vj ∈ V alSeti ) In Dumpi on the set of memory dumps presented in each column
4: for each Scenarioi do
5: for each Dumpi ∈ Scenarioi do of Table 1, in which a cell represents the size of the pre-
6: for each V alj ∈ V alSeti do processed RAM dump that is captured during scenario
7: . Find all occurrences of V alj in Dumpi (Si ) on one of the used platforms. Table 1 shows the
8: if V alj is found in Dumpj then sizes of these striped down memory dumps using UTF8
9: Add V alj to F ound V ars. In RAM Dumpi ;
10: end if and UTF16 from all three platforms. It is clear that the
11: end for use of this strings command reduced the search space
12: end for from 2GB to less than 130M B and 245M B on both
13: end for Windows and Mac OS X, respectively. It also reduced
the size of the memory dump from 1GB to less than
65M B on Linux machines. Figure 6 presents a compar-
of the RAM dump 3 . By default, this command looks ison for these striped down memory dumps during each
for sequences of at least 4 printable characters that are execution scenario (Si ) and for each of the investigated
terminated by a null character, other options can be platforms.
used to collect characters in other encoding formats.
For example, the “ − el” option can be used to extract Algorithm 1 employs a simple string search algo-
only strings that are encoded using the 16-bit little en- rithm to locate the potential variables’ values and their
dian (UTF16 or Unicode). number of occurrences during each scenario on a spe-
Thus, we applied this command on each memory cific platform. Timewise, this algorithm is used to spend
dump twice, once with the default settings and the more than one hour to locate the values and their occur-
other with the “ − el” option. Additionally, based on rences when it is applied on a set of raw RAM dumps;
the unprocessed memory dumps. Whereas, applying the
3
GNU Binary Utilities, https://sourceware.org/ same algorithm on the set of memory dumps that are
binutils/docs-2.29/binutils/strings.html preprocessed using the strings command drastically re-
10 Ziad A. Al-Sharif* et al.
duces the search time. Figure 7 presents a time based used on all platforms. Additionally, more occurrences
comparison that compares between the search time in are successfully identified using the UTF8 format than
seconds that is spent during identifying the DE in each it is successfully identified using the UTF16 format; this
of the investigated platforms. The longest time is a bit is true for all platforms as well. Moreover, each part of
more than 600 seconds that is needed to analyze the Figure 8 are labeled with a letter from A to J. The sub-
Mac OS X related RAM dumps (UTF8 based), which columns in each labeled major column are almost iden-
is the largest set of dumps in size. tical during the same execution state (S1 to S21 ), this
Additionally, even though all these literal values ap- is only valid within the same platform. This means, the
peared only once in the original program’s source code, member access modifiers (public, protected, and pri-
surprisingly enough, often their occurrences in the cor- vate) do not affect the frequency and the availability of
responding memory dump are identified on more than the occurrences for these values in RAM.
one location. In some scenarios, the number of occur-
rences reached 7 or 8 times; especially when they are
6.1 Literal Values in Source Code (UTF8)
located using the UTF8. However, the number of occur-
rences goes down dramatically when they are located
Java String type including string literals are objects
using the UTF16. More results are presented in Sec-
not arrays of bytes. Thus, objects are created in heap;
tion 6.
String instances and source code literals are no ex-
ception. In particular, Figures 8a, 8c, and 8e show the
6 Results heatmaps of our findings of the source code related val-
ues (UTF8) in the RAM of the Windows, Mac, and
All captured memory dumps are analyzed and a com- Linux machines, respectively. These heatmaps present
parison is made between the findings of Java based the number of occurrences for each literal value that are
source code related values from the program execution assigned to a variable in the source code; 26 unique val-
states in corresponding RAM dumps that are captured ues are used, each of which is assigned to one variable
during various scenarios. These findings are compared only (V1 to V26 ).
on each of the investigated platforms; same program Even though one unique value is used for each vari-
and execution scenario but different implementations able, unexpectedly, during various execution scenarios
of the JVM that are hosted on different platforms. or states (S1 to S21 ), these figures show that the same
In particular, a comparison is made, from the MF variable value, which only occurred once in the source
point of view, between the memory behavior of a Java code related variable, often has more occurrences than
program and how it differs in its memory footprint once in the captured RAM dumps of Windows, Mac,
when it runs on either of Windows, Mac OS X, and Fe- and Linux machines. Furthermore, the number of oc-
dora Linux. Figure 8 presents a combined heatmap for currences on the Windows machine are more than those
the collected DE of the same program on all platforms. occurrences on either of Mac or Linux machines. For
Parts of Figure 8 show the individual sub-heatmap for example, the maximum number of occurrences for vari-
the number of occurrences from each experiment, on ables in column A of Figure 8a of the Windows machine
each platform and for each execution state; including is 6 whereas the maximum number of occurrences from
the value of each variable in that state, its internal en- the same column on Mac (Figure 8c) or Linux (Fig-
coding format, and the number of occurrences of its ure 8e) is 4. Hence, this difference is almost repeated in
value in RAM. Heatmap colors go from the darkest all columns between the Windows machine on one side
green shade into a complete white; the darker shade and the Mac and Linux machines on the other side. Fur-
of green cells indicates an increase in the frequency of thermore, it is highly noticeable that the results from
the found values compared to the completely not found Mac and Linux machines are almost identical in the
values in the white cells. Figures 8a and 8b represent the number of occurrences for each of these variables (V1
occurrences of these values in the RAM of the Windows to V26 ) and during each of the corresponding states (S1
machine. Figures 8c and 8d represent the occurrences of to S21 ).
these values in the RAM of the Mac machine. Finally, Additionally, looking at parts of Figure 8 from the
Figures 8e and 8f represent the occurrences of these perspective of the MI, it is clear that in all used plat-
values in the RAM of the Fedora 26 Linux machine. forms the investigators have a good chance locating the
Furthermore, Figure 8 shows that the number of values of these literals that are obtained from the pro-
identified occurrences on the Windows machine is more gram source code in the execution states that are cap-
than in the Mac or Linux machines; taking into con- tured in corresponding RAM dumps, even after the GC
sideration that the same program and JVM version is is explicitly invoked, the program is terminated, or even
Live Forensics of Software Attacks on Cyber Physical Systems 11
(c) Mac OS X (El Capitan): UTF8 (d) Mac OS X (El Capitan): UTF16
Fig. 8: Experimentation results on all of Windows, Mac, and Fedora Linux; all experiments are performed using
the same program, same version of the JVM (64-bit of JVM 1.8), and the 64-bit of the host platform. Parts (a)
& (b) compares between UTF8 and UTF16 on Windows 10 Pro. Parts (c) & (d) compares between UTF8 and
UTF16 on Mac OS X 10.11.6. Finally, Parts (e) & (f) compares between UTF8 and UTF16 on Fedora 26 (Linux
64-bit). Shaded cells in all figures represent the heatmap for the number of occurrences on all platforms and in
both UTF8 and UTF16; the darker the shade the higher the frequency of the found object. It is clear that UTF8
is better than UTF16 and Windows is better than Linux from the MI point of view.
12 Ziad A. Al-Sharif* et al.
after the host JVM is shutdown. However, the number still occurrences for these values in RAM even after the
of occurrence might go down. For example, during our program is terminated (S21 ) and the JVM is shutdown.
experiments of the Windows machine, the number of However, local values of static methods, which are
occurrences went down from 7 or 6 when the JVM was not used, is never found in any of the execution states
running to 2 occurrences after the JVM is shutdown. that are captured from either Mac or Linux machines;
Thus, these occurrences can go down from 5 or 4 to 2 see column C of Figures 8d and 8f. On the contrary, on
on Mac and Linux. Though, it is still a good chance for the Windows machine, occurrences for local values of
the MI; remembering that each of these values occurred static methods that are never used appeared only once
only once in the original program source code. in RAM dumps after state S8 , which represents: an ob-
ject is allocated and an instance-based member variable
of that object is used (read). See column C of Figure 8b.
6.2 Literal Values During the Execution (UTF16) Remembering that these values belong to static meth-
ods and these methods are never used, not from the
In Java, the internal representation of the literal strings
class nor in the object, it is a valuable consideration for
used during the execution (program run) are based on
the MI on Windows machines.
the UTF16 encoding format. This means that identi-
Finally, the number of occurrences for these sub-
fying these values in RAM dumps that are captured
columns under the major columns that are labeled with
during the execution of the running program can help
A, B and C are almost identical for the same execu-
the investigator collect more links to evidence the actual
tion states. This means, once again, the member access
software usage by the perpetrator. Thus, the captured
modifier (public, protected, and private) does not affect
RAM dumps are preprocessed using the UNIX based
their number of occurrences.
strings command with the −el option to extract only
the UTF16 strings from the binary of the corresponding
RAMs. Then, literal values that are extracted from the 6.2.2 Instance Based Members (Super Class)
original program source code are located in these cor-
responding preprocessed RAM dumps and their num- This category represents instance based variables and
ber of occurrences are identified. The following three locals of instance methods. Looking at columns labeled
subsections present our results for all investigated vari- with D, E, and F of Figures 8b, 8d and 8f. These
ables’ values and during all of the execution scenarios; columns present occurrences of the variables’ values
on all of Windows, Mac, and Linux machines. that are related to the instance (object) that is cre-
ated from the base class. Figure 8b presents a heatmap
6.2.1 Class Based Members for the occurrences of the identified values in the RAM
dump of a Windows machine, whereas Figures 8d and 8f
This category represents class level static variables and present a heatmap for the number of occurrences for the
the locals of static methods. Looking at Figures 8b, 8d identified values in the RAM of both Mac and Linux
and 8f, each of which represents the heatmap with machines, respectively. Column D shows that occur-
the number of occurrences for the corresponding vari- rences start showing valuable identification in corre-
ables (columns), in each of the associated states (rows), sponding RAM dumps after state S7 on all of Win-
on all of Windows, Mac, and Linux machines; respec- dows, Mac, and Linux. Column D represents the class
tively. It is clear that columns labeled with A and B level instance variables in three access modifiers (V10 :
present better occurrences across all states except S1 public, V11 : protected, and V12 : private). However, col-
and S2 . Remembering that S1 represents the class is umn E shows the occurrences of local values in an active
not referenced yet whereas S2 represents the class is instance level method, whereas column F shows the oc-
referenced but the method is not used yet. This means, currences of these literal values of the local variables in
the values of static variables and those of local vari- a never active method. Column E starts showing valu-
ables of static methods will not be available in RAM able forensic usage after state S7 on Windows machines
until the class is used; referenced during the execution. and after state S9 on both Mac and Linux machines.
However, these values will remain in memory long after Column F starts showing valuable forensic usage after
their usage time. Additionally, the local references in state S7 on Windows machines, but its values are never
static methods will not be available in RAM until their found on both Mac and Linux machines.
corresponding method is used. Hence, these values will Interestingly enough, results from the execution foot-
stay in RAM for a longer duration than the time of print in the RAM of both Mac and Linux are different,
their method usage. Looking at column A and B of to some extent, from the corresponding execution foot-
Figures 8b, 8d, and 8f, it is clear to see that there are print of the Windows machine. In particular, column F
Live Forensics of Software Attacks on Cyber Physical Systems 13
(variables: V16 , V17 , and V18 ) that represent the values the RAM of the Windows machine. To find the literal
of local variables in methods that are never active dur- value of these variables on Windows, it is something
ing the program execution, shows that it is unlikely to strange to the behavior of the JVM on of a Windows
find these values in the RAM dumps of the host ma- machine after state S8 . Additionally, V25 and V26 are
chine when it is running on Mac or Linux machines, but found on Windows after state S8 too, but they are un-
it can be found on the corresponding Windows machine likely to be found on a Mac or Linux based machines
during the same states. Additionally, on both Mac and before states S16 and S13 , respectively.
Linux machines, the number of found occurrences in
the lower parts of columns D and E (S19 , S20 , &S21 ) are
better than those corresponding occurrences in states
7 Related Work
before them.
Many researchers are making use of existing forensic
6.2.3 Instance Based Members (Derived Class) research in related areas such as cloud forensics, mobile
forensics, virtualization forensics, and storage forensics
This category includes instance based members of a de- in order to facilitate the forensics of CPS Systems [22,
rived class including local variables of overridden vir- 23, 47]. Others, are focused on the forensics of a par-
tual methods and newly introduced methods. Looking ticular type of CPS systems. For example, Hahn et al.
at columns labeled with G, H, I, and J (V19 to V26 ) evaluated a smart grid security testbed, in which sev-
of Figure 8b. It shows that, on Windows, the investi- eral potential attack scenarios are assumed to explore
gator has a good chance locating variables’ values from the security of the CPS system [48]. Zonouz et al. in-
instances that are created from the derived class right troduced a Security-oriented Cyber-Physical State Es-
after state S8 , which represents an instance variable of timation (SCPSE) in order to detect the malicious ac-
the base class is used. However, this set of variables tivities within the CPS system [49]. Grispos et al. in-
belongs only to the derived class or to the newly intro- tegrates forensics principles, concepts, design and devel-
duced method in the derived class. Hence, on all three opment of the Medical Cyber-Physical Systems (MCPS)
platforms, the only variable that is unlikely to be found in one framework in order to strengthen the investi-
is V22 , which represents a local variable in an overrid- gation capabilities [50]. Eli Sohl et al. studied various
den virtual method that is never used. This is expected forensics tools and techniques that focus on the funda-
because the function is never used during any of the mentals of digital forensics in the electrical power grid.
execution states (S1 to S21 ); considering the dynamic They found that the security of industrial control sys-
binding. tems in the power grid appears to be much less mature
On the contrary, the same Java program behaves than that of the general-purpose computing [51]. Boyer
differently on both Mac and Linux machines. In partic- et al. shows that Supervisory Control And Data Acqui-
ular, variables V19 to V21 , which are derived class level sition (SCADA) system is one of the common monitor-
variables (public, protected, and private, respectively) ing and control systems that can be used in the power
are more likely to be found on UNIX based machines grid [52], it is also used in other industrial infrastruc-
after state S11 , see column G of Figures 8d and 8f. tures such as oil refineries, water treatment facilities,
Remember that S11 represents an instance of the de- and transportation systems. Parry et al. presented a
rived class is allocated. Surprisingly enough, Mac and high-speed network forensics tool specifically designed
Linux machines behave almost the same whereas both for capturing and replaying data traffic dedicated to-
of them behave completely different from the Windows ward special-purpose network interface card that can
machine. For example, the values of V23 and V24 are be found in CPS systems [53]. Taylor et al. reviewed
successfully found after state S8 on the Windows ma- some of the challenges and highlighted the security risks
chine whereas these same variables’ values are unlikely that are needed to be covered to increase the CPS secu-
to be found during any of the investigated execution rity [54]. Giraldo et al. provided a taxonomy that clas-
states (S1 to S21 ) on Mac nor Linux. These results are sifies all of CPS domains, attacks, defenses, research-
highly expected on Mac and Linux, because the values trends, network-security, security level implementation,
of V23 represent a variable in an overridden base class and computational strategies [55].
virtual method that its override is currently active, but On the other hand, many researchers find, in the
not the actual function that has the value. Additionally, RAM memory, a vital source of information that can
the value of V24 represents the value of a local variable be used in support for legal actions against criminals in
in a derived class virtual method that is never used. digital forensics cases [56–65]. For example, Shosha et
However, unexpectedly, these same values are found in al. developed a prototype to detect different malicious
14 Ziad A. Al-Sharif* et al.
programs that are regularly used by criminals. The pro- program’s execution traces are expected to behave dif-
posed approach depends on the deduction of evidences ferently on different platforms for other cross-platform
that are extracted based on traces related to the sus- languages as well. Additionally, Java is a strictly typed
pect program [66]. Ellick et al. introduced ForenScope language, however other languages support dynamic
a RAM forensics tool that permits users to investigate typing such as Visual Basic and the scripting languages
a machine using regular bash-shell. It allows users to such as Python, Icon/Unicon, Ruby and others. Thus,
disable anti-forensic tools and search for potential evi- for future research, it would be highly interesting to
dences. In order to maintain the RAM memory intact, compare our experimental results from this paper with
it is designed to work in the unused memory space of the results from similar experimentations that are based
the target machine [67]. Olajide et al. uses RAM dumps on these dynamically typed languages.
to extract user’s input information from Windows ap-
Additionally, our experimentations are conducted to
plications [68]. Johannes et al. proposed a technique
practically determine the digital forensics process and
to investigate firmware and its major components. He
the technical considerations in regards to the investiga-
proposed a new technique that improves forensics imag-
tions of the allegedly used software during the attack on
ing based on PCI introspection and page table map-
a CPS system. Locating the presumed software on the
ping [69]. Shashidhar et al. targeted the prefetch folder
perpetrator’s machine hard disk might not be a strong
and its potential value to the investigator. This prefetch
digital evidence to establish the actual software usage.
folder is used to speed up the startup time of a program
A definite legal evidence might be needed to prove that
on a Windows Machine [70].
the perpetrator has actually used the software. This pa-
However, this paper utilizes the OOP concepts and
per experimentally established that this evidence can
its potential source code usage in Java in order to iden-
be found in the RAM of the perpetrator’s machine.
tify and validate whether the presumed software is ac-
However, additional research is needed to address the
tually used during the attack on a CPS system.
scalability of these fundamental concepts. In particu-
lar, during our experimentations, we covered only 26
different types of variables that would cover the princi-
8 Discussions and Future Work ples of the Java based OOP variables and their usage
within 21 basic execution scenarios (states). However,
In this paper, in order to facilitate the ability to find in bigger programs, this number of variables’ values and
live evidence about the actual software usage that are potential execution states can easily become much big-
used to organize an attack on a CPS system, experimen- ger than our basic proof of concept used in this pa-
tally we established the approach of utilizing potential per. Thus, an issue with the performance can be easily
variables’ values from the program’s source code and raised in regards to various directions, each of which
their associations with various in RAM program execu- may open the opportunity to new research directions.
tion states to evidence the actual software usage. Based Some of these directions can be summarized at least in
on the possible data-flow and control-flow of the sub- threefold:
ject program, we investigate an object oriented program
First, in a large software, the potential variables’
that is written in Java and experiment with its MF on
values will reach a limit that would require improving
three different platforms; including Windows 10 Pro,
the searching algorithm by various means such as the
Mac OS X, and Fedora 26 (Linux 64-bit). Hence, the
employment of parallel algorithms or the utilization of
same program’s source code is used during all experi-
GPUs. Additionally, RAMs used in our daily used com-
ments, the only difference is the underneath JVM that
puters are getting larger and larger. This implies an is-
encapsulates these differences to accommodate the host
sue with the performance of the evidence identification
platform. Experimental results show that these differ-
algorithm is on the horizon [47].
ent implementations affect the RAM memory footprint
of the used program from the MF point of view. Second, the increase in the number of potential vari-
Nonetheless, theoretically the used programming lan- able states and their values will enlarge the number of
guage (Java) operates in a layer that is distant from the values that are needed to be identified. Additionally,
OS Kernel. Practically, this means that a specific mem- the increase in size of the RAM dumps and the number
ory area that is used to handle program’s execution and of these dumps can grow to become a big data problem,
its runtime storage (i.e. stack and heap) are kept away in which a huge number of potential variables’ values,
from the OS. The GC picks up the unused memory execution states, and memory dumps are needed to be
(garbage), but often this memory will not become im- investigated. Thus, in such a scenario, our approach
mediately available to the OS. Therefore, in RAM blind can benefit from the big data analytics and machine
Live Forensics of Software Attacks on Cyber Physical Systems 15
learning techniques to automatically identify and build comes to memory forensics, data persistence in memory
a legal decision about the actual software usage. is much longer than it is during the execution of the pro-
Third, utilizing various software test cases, whether gram that it takes different execution paths based on its
it is unit testing or system testing, in the process of control-flow and data-flow. Additionally, we found that
identifying the potential variables’ values and their exe- utilizing source code information can be valuable to the
cution states would be very interesting and highly chal- investigator. It helps establish the evidence that the
lenging to the memory investigator. However, a solution perpetrator has actually used the software to perform
can be envisioned by utilizing various machine learn- the crime or to cover the wrongdoing associated with
ing algorithms in order to automate the digital inves- the crime. Various variables’ values and string literals
tigation process. For examples, a research is needed to and non-literals related to the program execution are
investigate the possibility of training various machine successfully identified in RAM dups that are captured
learning algorithms based on these potential test sets during various scenarios and execution states. For ex-
(test suite) in order to automatically predict or identify ample, we found that variable values of static and non-
potential execution states that can be assumed to be static values of a Java program running on a Windows
used by the perpetrators during the attack. This would is better than the other two platforms (Linux and Mac).
advance and speed up the evidence identification pro- Additionally, values of instance variables are likely to
cess. be found on Windows more than on machines that are
Furthermore, our investigation process targets sim- running Mac or Linux.
ple variables’ values, it would be interesting to inves-
tigate similar scenarios for other complex data struc-
tures such as collections and generics. Additionally, it is
References
highly important to investigate various variables’ types
and their impacts on long running programs such as
1. A. Ahmad, A. Paul, M. M. Rathore, and H. Chang,
servers and web services. Moreover, nowadays many
“Smart cyber society: Integration of capillary de-
mobile applications are used to interconnect, commu-
vices with high usability based on cyberphysi-
nicate, and control various CPS systems [71]. Thus, in-
cal system,” Future Generation Computer Systems,
vestigating these environments of small devices such as
vol. 56, pp. 493 – 503, 2016.
phones and tablets can be one of the future research
2. A. A. Cardenas, S. Amin, and S. Sastry, “Se-
targets.
cure control: Towards survivable cyber-physical
systems,” in 2008 The 28th International Con-
9 Conclusion ference on Distributed Computing Systems Work-
shops, pp. 495–500, June 2008.
Increasingly, our modernized aspects of life is depend- 3. E. A. Lee, “Cyber physical systems: Design chal-
ing on various Cyber Physical Systems (CPS). In the lenges,” in 2008 11th IEEE International Sym-
same time, the speed of securing these systems does not posium on Object and Component-Oriented Real-
match the speed of our adaption of these CPS, which Time Distributed Computing (ISORC), pp. 363–
are vulnerable to be attacked and compromised by var- 369, May 2008.
ious means. This emphasizes the need to invest more in 4. H. Ning, H. Liu, J. Ma, L. T. Yang, and R. Huang,
related research. The focus of this paper is the Mem- “Cybermatics: Cyberphysicalsocialthinking hyper-
ory Forensics and the post-mortem analysis that can space based science and technology,” Future Gen-
be employed to investigate these attacks and help ap- eration Computer Systems, vol. 56, pp. 504 – 522,
prehend the criminals. It utilizes information from the 2016.
source code of a program and employs program’s ex- 5. B. Schatz and M. Cohen, “Advances in volatile
ecution data during various execution states to help memory forensics,” Digital Investigation, vol. 20,
the digital investigators establish the evidence against no. Supplement C, p. 1, 2017. Special Issue on
a perpetrator. This will permit law enforcement agen- Volatile Memory Analysis.
cies to take legal actions against criminals in the court 6. A. Case and G. G. Richard, “Memory forensics:
of law. Our practical experimentation is based on Java, The path forward,” Digital Investigation, vol. 20,
which is one of the most widely used programming lan- no. Supplement C, pp. 23 – 33, 2017. Special Issue
guages. Memory footprints from similar programs that on Volatile Memory Analysis.
are written in Java are compared on different platforms; 7. C. W. Tien, J. W. Liao, S. C. Chang, and S. Y.
including MS Windows 10 Pro, Mac OS X, and Fedora Kuo, “Memory forensics using virtual machine in-
26. However, experimentally, we found that when it trospection for malware analysis,” in 2017 IEEE
16 Ziad A. Al-Sharif* et al.
Conference on Dependable and Secure Computing, 19. J. Wu, S. Guo, J. Li, and D. Zeng, “Big data meet
pp. 518–519, Aug 2017. green challenges: Greening big data,” IEEE Sys-
8. P. Ammann and J. Offutt, Introduction to software tems Journal, vol. 10, pp. 873–887, Sept 2016.
testing. Cambridge University Press, 2016. 20. R. Atat, L. Liu, H. Chen, J. Wu, H. Li, and Y. Yi,
9. A. Pridgen, S. Garfinkel, and D. S. Wallach, “Pick- “Enabling cyber-physical communication in 5g cel-
ing up the trash: Exploiting generational gc for lular networks: challenges, spatial spectrum sens-
memory analysis,” Digital Investigation, vol. 20, ing, and cyber-security,” IET Cyber-Physical Sys-
no. Supplement, pp. S20 – S28, 2017. DFRWS 2017 tems: Theory Applications, vol. 2, no. 1, pp. 49–54,
Europe. 2017.
10. N. H. A. Rahman, W. B. Glisson, Y. Yang, and 21. J. An, K. Yang, J. Wu, N. Ye, S. Guo, and Z. Liao,
K. K. R. Choo, “Forensic-by-design framework for “Achieving sustainable ultra-dense heterogeneous
cyber-physical cloud systems,” IEEE Cloud Com- networks for 5g,” IEEE Communications Maga-
puting, vol. 3, pp. 50–59, Jan 2016. zine, vol. 55, pp. 84–90, DECEMBER 2017.
11. Y. Shoukry, M. Chong, M. Wakaiki, P. Nuzzo, 22. R. Roman, J. Lopez, and M. Mambo, “Mobile edge
A. Sangiovanni-Vincentelli, S. A. Seshia, J. P. Hes- computing, fog et al.: A survey and analysis of se-
panha, and P. Tabuada, “Smt-based observer de- curity threats and challenges,” Future Generation
sign for cyber-physical systems under sensor at- Computer Systems, vol. 78, pp. 680 – 698, 2018.
tacks,” ACM Trans. Cyber-Phys. Syst., vol. 2, 23. Y. Liu, A. Liu, S. Guo, Z. Li, Y.-J. Choi, and
pp. 5:1–5:27, Jan. 2018. H. Sekiya, “Context-aware collect data with en-
12. F. Hu, Y. Lu, A. V. Vasilakos, Q. Hao, R. Ma, ergy efficient in cyberphysical cloud systems,” Fu-
Y. Patil, T. Zhang, J. Lu, X. Li, and N. N. Xiong, ture Generation Computer Systems, 2017.
“Robust cyberphysical systems: Concept, models, 24. C. Huang, R. Lu, and K. K. R. Choo, “Vehicular fog
and implementation,” Future Generation Computer computing: Architecture, use case, and security and
Systems, vol. 56, pp. 449 – 475, 2016. forensic challenges,” IEEE Communications Maga-
13. V. R. Kebande and I. Ray, “A generic digital foren- zine, vol. 55, pp. 105–111, NOVEMBER 2017.
sic investigation framework for internet of things 25. D. Ding, Q.-L. Han, Y. Xiang, X. Ge, and X.-M.
(iot),” in 2016 IEEE 4th International Conference Zhang, “A survey on security control and attack de-
on Future Internet of Things and Cloud (FiCloud), tection for industrial cyber-physical systems,” Neu-
pp. 356–362, Aug 2016. rocomputing, vol. 275, pp. 1674 – 1683, 2018.
14. A. Jones, S. Vidalis, and N. Abouzakhar, “Infor- 26. M. Erol-Kantarci and H. T. Mouftah, “Smart grid
mation security and digital forensics in the world forensic science: applications, challenges, and open
of cyber physical systems,” in 2016 Eleventh Inter- issues,” IEEE Communications Magazine, vol. 51,
national Conference on Digital Information Man- no. 1, pp. 68–74, 2013.
agement (ICDIM), pp. 10–14, Sept 2016. 27. Y. Mo, T. H. J. Kim, K. Brancik, D. Dickinson,
15. V. Hahanov, E. Litvinova, S. Chumachenko, and H. Lee, A. Perrig, and B. Sinopoli, “Cyber-physical
A. Hahanova, “Cyber physical computing,” in Cy- security of a smart grid infrastructure,” Proceedings
ber Physical Computing for IoT-driven Services, of the IEEE, vol. 100, pp. 195–209, Jan 2012.
pp. 1–20, Springer, 2018. 28. M. Wolf and D. Serpanos, “Safety and security in
16. J. Wu, S. Guo, H. Huang, W. Liu, and Y. Xi- cyber-physical systems and internet-of-things sys-
ang, “Information and communications technolo- tems,” Proceedings of the IEEE, vol. 106, pp. 9–20,
gies for sustainable development goals: State-of- Jan 2018.
the-art, needs and perspectives,” IEEE Communi- 29. X. Chang, Z. Ma, M. Lin, Y. Yang, and
cations Surveys Tutorials, vol. PP, no. 99, pp. 1–1, A. G. Hauptmann, “Feature interaction augmented
2018. sparse learning for fast kinect motion detection,”
17. K. Hamedani, L. Liu, R. Atat, J. Wu, and Y. Yi, IEEE Transactions on Image Processing, vol. 26,
“Reservoir computing meets smart grids: Attack pp. 3911–3920, Aug 2017.
detection using delayed feedback networks,” IEEE 30. X. Chang, Z. Ma, Y. Yang, Z. Zeng, and
Transactions on Industrial Informatics, vol. 14, A. G. Hauptmann, “Bi-level semantic representa-
pp. 734–743, Feb 2018. tion analysis for multimedia event detection,” IEEE
18. J. Wu, S. Guo, J. Li, and D. Zeng, “Big data meet Transactions on Cybernetics, vol. 47, pp. 1180–
green challenges: Big data toward green applica- 1197, May 2017.
tions,” IEEE Systems Journal, vol. 10, pp. 888–900, 31. X. Chang and Y. Yang, “Semisupervised feature
Sept 2016. analysis by mining correlations among multiple
Live Forensics of Software Attacks on Cyber Physical Systems 17
tasks,” IEEE Transactions on Neural Networks and pp. S66 – S75, 2016.
Learning Systems, vol. 28, pp. 2294–2305, Oct 2017. 45. S. Klber, A. Dewald, and F. C. Freiling, “Foren-
32. X. Chang, Y. L. Yu, Y. Yang, and E. P. Xing, sic application-fingerprinting based on file system
“Semantic pooling for complex event analysis in metadata,” in 2013 Seventh International Confer-
untrimmed videos,” IEEE Transactions on Pat- ence on IT Security Incident Management and IT
tern Analysis and Machine Intelligence, vol. 39, Forensics, pp. 98–112, March 2013.
pp. 1617–1632, Aug 2017. 46. D. DiMase, Z. A. Collier, K. Heffner, and I. Linkov,
33. Z. Li, F. Nie, X. Chang, and Y. Yang, “Beyond “Systems engineering framework for cyber physical
trace ratio: Weighted harmonic mean of trace ra- security and resilience,” Environment Systems and
tios for multiclass discriminant analysis,” IEEE Decisions, vol. 35, pp. 291–300, Jun 2015.
Transactions on Knowledge and Data Engineering, 47. L. Caviglione, S. Wendzel, and W. Mazurczyk,
vol. 29, pp. 2100–2110, Oct 2017. “The future of digital forensics: Challenges and
34. K. K. R. Choo, M. M. Kermani, R. Azarderakhsh, the road ahead,” IEEE Security Privacy, vol. 15,
and M. Govindarasu, “Emerging embedded and cy- pp. 12–17, November 2017.
ber physical system security challenges and innova- 48. A. Hahn, A. Ashok, S. Sridhar, and M. Govin-
tions,” IEEE Transactions on Dependable and Se- darasu, “Cyber-physical security testbeds: Archi-
cure Computing, vol. 14, pp. 235–236, May 2017. tecture, application, and evaluation for smart grid,”
35. Y. Li, L. Zhang, H. Zheng, X. He, S. Peeta, IEEE Transactions on Smart Grid, vol. 4, pp. 847–
T. Zheng, and Y. Li, “Nonlane-discipline-based 855, June 2013.
car-following model for electric vehicles in 49. S. Zonouz, K. M. Rogers, R. Berthier, R. B. Bobba,
transportation- cyber-physical systems,” IEEE W. H. Sanders, and T. J. Overbye, “Scpse: Security-
Transactions on Intelligent Transportation Sys- oriented cyber-physical state estimation for power
tems, vol. 19, pp. 38–47, Jan 2018. grid critical infrastructures,” IEEE Transactions
36. R. W. Atherton, “Moving java to the factory,” on Smart Grid, vol. 3, pp. 1790–1799, Dec 2012.
IEEE Spectrum, vol. 35, pp. 18–23, Dec 1998. 50. G. Grispos, W. B. Glisson, and K. K. R. Choo,
37. J. F. Baquero, J. E. Camargo, F. Restrepo-Calle, “Medical cyber-physical systems development: A
J. H. Aponte, and F. A. González, Predicting forensics-driven approach,” in 2017 IEEE/ACM
the Programming Language: Extracting Knowledge International Conference on Connected Health: Ap-
from Stack Overflow Posts, pp. 199–210. Cham: plications, Systems and Engineering Technologies
Springer International Publishing, 2017. (CHASE), pp. 108–113, July 2017.
38. W. R. Stevens and S. A. Rago, Advanced program- 51. E. Sohl, C. Fielding, T. Hanlon, J. Rrushi,
ming in the UNIX environment. Addison-Wesley, H. Farhangi, C. Howey, K. Carmichael, and
2013. J. Dabell, “A field study of digital forensics of in-
39. D. P. Bovet and M. Cesati, Understanding the trusions in the electrical power grid,” in Proceed-
Linux Kernel: from I/O ports to process manage- ings of the First ACM Workshop on Cyber-Physical
ment. ” O’Reilly Media, Inc.”, 2005. Systems-Security and/or PrivaCy, CPS-SPC ’15,
40. J. Gosling, B. Joy, G. Steele, G. Bracha, (New York, NY, USA), pp. 113–122, ACM, 2015.
and A. Buckley, “The java virtual machine 52. S. A. Boyer, SCADA: supervisory control and data
specification-java se 8 edition, feb. 2015.” acquisition. International Society of Automation,
41. S. Nadi and R. Holt, “The linux kernel: A case 2009.
study of build system variability,” Journal of Soft- 53. J. Parry, D. Hunter, K. Radke, and C. Fidge,
ware: Evolution and Process, vol. 26, no. 8, pp. 730– “A network forensics tool for precise data packet
746, 2014. capture and replay in cyber-physical systems,” in
42. A. Josey, D. Cragun, N. Stoughton, M. Brown, Proceedings of the Australasian Computer Science
C. Hughes, et al., “The open group base specifi- Week Multiconference, ACSW ’16, (New York, NY,
cations issue 6 ieee std 1003.1,” The IEEE and The USA), pp. 22:1–22:10, ACM, 2016.
Open Group, vol. 20, no. 6, 2004. 54. J. M. Taylor and H. R. Sharif, “Security chal-
43. H. Schildt, Java: The Complete Reference. lenges and methods for protecting critical infras-
McGraw-Hill Education Group, 2014. tructure cyber-physical systems,” in 2017 Inter-
44. K. Conlan, I. Baggili, and F. Breitinger, “Anti- national Conference on Selected Topics in Mobile
forensics: Furthering digital forensic science and Wireless Networking (MoWNeT), pp. 1–6, May
through a new extended, granular taxonomy,” 2017.
Digital Investigation, vol. 18, no. Supplement,
18 Ziad A. Al-Sharif* et al.
55. J. Giraldo, E. Sarkar, A. A. Cardenas, M. Mani- Word Documents, pp. 179–185. Cham: Springer
atakos, and M. Kantarcioglu, “Security and privacy International Publishing, 2018.
in cyber-physical systems: A survey of surveys,” 64. M. I. Al-Saleh, F. M. AbuHjeela, and Z. A. Al-
IEEE Design Test, vol. 34, pp. 7–17, Aug 2017. Sharif, “Investigating the detection capabilities of
56. M. Rafique and M. Khan, “Exploring static and antiviruses under concurrent attacks,” Interna-
live digital forensics: Methods, practices and tools,” tional Journal of Information Security, vol. 14,
International Journal of Scientific & Engineering no. 4, pp. 387–396, 2015.
Research, vol. 4, no. 10, pp. 1048–1056, 2013. 65. V. S. Harichandran, D. Walnycky, I. Baggili, and
57. F. N. Dezfoli, A. Dehghantanha, R. Mahmoud, F. Breitinger, “Cufa: A more formal definition
N. F. B. M. Sani, and F. Daryabar, “Digital forensic for digital forensic artifacts,” Digital Investigation,
trends and future,” International Journal of Cyber- vol. 18, pp. S125–S137, 2016.
Security and Digital Forensics (IJCSDF), vol. 2, 66. A. F. Shosha, L. Tobin, and P. Gladyshev, “Digital
no. 2, pp. 48–76, 2013. forensic reconstruction of a program action,” in Se-
58. L. Cai, J. Sha, and W. Qian, “Study on forensic curity and Privacy Workshops (SPW), 2013 IEEE,
analysis of physical memory,” in the proceedings of pp. 119–122, IEEE, 2013.
2nd International Symposium on Computer, Com- 67. E. Chan, W. Wan, A. Chaugule, and R. Camp-
munication, Control and Automation (3CA 2013), bell, “A framework for volatile memory forensics,”
pp. 221–224, 2013. in Proceedings of the16th ACM conference on com-
59. Z. A. Al-Sharif, “Utilizing programs execution data puter and communications security, 2009.
for digital forensics,” in The Third International 68. F. Olajide, N. Savage, G. Akmayeva, and
Conference on Digital Security and Forensics (Dig- C. Shoniregun, “Identifying and finding forensic
italSec2016), p. 12, 2016. evidence on windows application,” Journal of In-
60. M. I. Al-Saleh and Z. A. Al-Sharif, “Utilizing data ternet Technology and Secured Transactions, ISSN,
lifetime of tcp buffers in digital forensics: Empirical pp. 2046–3723, 2012.
study,” Digital Investigation, vol. 9, no. 2, pp. 119– 69. J. Stüttgen, S. Vömel, and M. Denzel, “Acquisi-
124, 2012. tion and analysis of compromised firmware using
61. Z. A. Al-Sharif, D. N. Odeh, and M. I. Al-Saleh, memory forensics,” Digital Investigation, vol. 12,
“Towards carving pdf files in the main memory,” pp. S50–S60, 2015.
in The International Technology Management Con- 70. N. K. Shashidhar and D. Novak, “Digital forensic
ference (ITMC2015), pp. 24–31, The Society of analysis on prefetch files,” International Journal of
Digital Information and Wireless Communication Information Security Science, vol. 4, no. 2, pp. 39–
(SDIWC), 2015. 49, 2015.
62. M. Al-Saleh and Z. Al-Sharif, “Ram forensics 71. X. Hu, T. H. S. Chu, H. C. B. Chan, and
against cyber crimes involving files,” in The Second V. C. M. Leung, “Vita: A crowdsensing-oriented
International Conference on Cyber Security, Cy- mobile cyber-physical system,” IEEE Transactions
ber Peacefare and Digital Forensic (CyberSec2013), on Emerging Topics in Computing, vol. 1, pp. 148–
pp. 189–197, The Society of Digital Information 165, June 2013.
and Wireless Communication (SDIWC), 2013.
63. Z. A. Al-Sharif, H. Bagci, T. A. Zaitoun, and
A. Asad, Towards the Memory Forensics of MS
Ziad A. Al‐SSharif is currrently an asssistant proffessor at Jorrdan Universsity of Science and Tech
hnology, Irbid,
Jordan. He jjoined the Deepartment o of Software EEngineering in n February o
of 2010. Dr. A Al‐Sharif receeived his Ph.D
D.
degree in Computer Science in Deceember of 200 09 from the University of Idaho, USA A. He also recceived his MS.
degree in Computer Science in Augu ust of 2005 ffrom New M Mexico State University, U USA. His reseearch interests
are in digitaal forensics, ssoftware enggineering, clo oud computin ng, and collab
borative virtu ual environmments.
Luay Alawnneh is an asssistant profeessor in the Departmentt of Software Engineerin
ng at Jordan University o
of
Science andd Technologyy, Irbid, Jordaan. His reseaarch interestss are software engineering, softwaree maintenancce
and evolutioon, big data analytics, paarallel processsing and higgh performan nce computing systems. Luay receiveed
a PhD in eelectrical an
nd computer engineerin ng from Co
oncordia Uniiversity. In addition to his researcch
achievemen nts, Luay possesses excellent industriaal experiencee gained from m prestigiouss North American firms.
Yaser Jararwweh received d his Ph.D. in
n Computer Engineering from Univerrsity of Arizon na in 2010. H
He is currenttly
an associatee professor oof Computer Science at Jo ordan Univerrsity of Scien nce and Technology, Jordan. He has co o‐
authored about seventyy technical papers
p in esstablished journals and cconferences in fields related to clouud
computing, HPC, SDN aand Big Datta. He was o one of the TTPC Co‐Chaiir, IEEE Glob
becom 2013 International
Workshop o on Cloud Com mputing Systtems, and Neetworks, and d Application ns (CCSNA). H He is a steering committeee
member forr CCSNA 2014 and CCSNA A 2015 with ICC. He is the General Co o‐Chair in IEEEE Internatioonal Worksho op
on Softwaree Defined Syystems SDS‐2014 and SD DS 2015. He is also chaiiring many IEEE events ssuch as ICIC
CS,
SNAMS, BD DSN, IoTSMS and many others.
o Dr. JJararweh serrved as a gu
uest editor ffor many speecial issues in
different established jouurnals. Also, he is the steeering committee chair off the IBM Cloud Academyy Conference.