
Kernel Data Structures Forensic Technology Using Linked List Oriented Points-to Graph

Posted on: 2013-06-22    Degree: Master    Type: Thesis
Country: China    Candidate: H Wang    Full Text: PDF
GTID: 2296330434475627    Subject: Computer software and theory
Abstract/Summary:
Data structure forensics uses signatures to recognize instances of target data structures in a memory image, and it plays an important role in security and forensic applications. The signatures are generated from the characteristics of the data structures, on the assumption that their source code is available. In general, how well instances of the target data structures are recognized depends on the signatures used. By the kind of characteristic they rely on, existing forensic techniques fall into two categories: one uses value invariants of particular fields as data structure signatures, the other uses points-to graphs of the pointer fields. Although both can recognize kernel data structures effectively, each still has shortcomings. Value-invariant signatures suffer from false positives and insufficient robustness. Points-to-graph signatures cannot easily distinguish pointer-typed fields from other fields, so void pointers, NULL pointers and similar cases reduce recognition accuracy; in addition, the pointer fields that make up a points-to graph are easy to tamper with, so robustness is poor as well.

To address these shortcomings, in this thesis we propose a new kernel data structure forensic technique. Its core is a new kind of kernel data structure signature, derived from prior knowledge of the Linux linked list object. The new signatures come in two types: one uses the sequence of offsets of the linked list fields within a data structure as the signature; the other uses a points-to graph generated from both the linked list fields and the other pointer fields of the data structure. In our signature generation algorithm, if the sequence of linked list field offsets is unique enough to distinguish instances of a data structure, that type of signature is chosen first.

Compared with previous work, our forensic technique improves recognition accuracy, robustness and speed.
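The following is an added example, not code from the thesis, showing how an offset-sequence signature of the first type can be matched against a memory image. It assumes a hypothetical kernel object `struct obj` with two embedded list nodes laid out like the x86-64 Linux `struct list_head`, a flat image loaded at an assumed base address, and a constructed image containing three real instances on two circular lists, their two global list sentinels, and a decoy whose pointers aim at real nodes. The check applied at each list field is the standard doubly linked list invariant (`next->prev == self` and `prev->next == self`); whether the thesis uses exactly this check is not stated on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed virtual address at which the captured image was loaded (hypothetical). */
#define IMAGE_BASE 0xffff880000000000ULL
#define IMAGE_SIZE 4096

/* Intrusive list node with the layout of the Linux struct list_head on x86-64. */
struct list_head { uint64_t next, prev; };

/* Hypothetical kernel object; the layout is constructed for this example. */
struct obj {
    uint64_t id;                /* offset 0  */
    struct list_head tasks;     /* offset 8  */
    uint64_t flags;             /* offset 24 */
    struct list_head children;  /* offset 32 */
    char name[16];              /* offset 48 */
};                              /* size 64   */

/* Offset-sequence signature: where the list_head members sit, and the object size. */
struct sig { size_t nfields; size_t off[4]; size_t objsize; };
static const struct sig obj_sig = { 2, { 8, 32 }, sizeof(struct obj) };

static uint8_t image[IMAGE_SIZE];   /* the constructed memory image */

static uint64_t rd64(uint64_t va) { uint64_t v; memcpy(&v, image + (va - IMAGE_BASE), 8); return v; }
static void wr64(uint64_t va, uint64_t v) { memcpy(image + (va - IMAGE_BASE), &v, 8); }

/* A list_head can live at va only if it is 8-byte aligned and fully inside the image. */
static int plausible_node(uint64_t va) {
    return va >= IMAGE_BASE && va + sizeof(struct list_head) <= IMAGE_BASE + IMAGE_SIZE
           && (va & 7) == 0;
}

/* The list_head invariant: next->prev == self and prev->next == self.  A lone
 * forward pointer (a stale or forged value) does not satisfy it. */
static int node_consistent(uint64_t va) {
    uint64_t next = rd64(va), prev = rd64(va + 8);
    if (!plausible_node(next) || !plausible_node(prev)) return 0;
    return rd64(next + 8) == va && rd64(prev) == va;
}

/* Slide the signature over the image; a candidate is an instance only if every
 * list field in the offset sequence is a consistent node.  Returns the count and
 * stores up to max instance addresses in out, in ascending address order. */
static size_t scan(const struct sig *s, uint64_t *out, size_t max) {
    size_t n = 0;
    for (uint64_t va = IMAGE_BASE; va + s->objsize <= IMAGE_BASE + IMAGE_SIZE; va += 8) {
        int ok = 1;
        for (size_t i = 0; ok && i < s->nfields; i++) ok = node_consistent(va + s->off[i]);
        if (ok && n < max) out[n++] = va;
    }
    return n;
}

/* Link the nodes at the given addresses into one circular doubly linked list. */
static void link_circular(const uint64_t *nodes, size_t n) {
    for (size_t i = 0; i < n; i++) {
        wr64(nodes[i], nodes[(i + 1) % n]);          /* next */
        wr64(nodes[i] + 8, nodes[(i + n - 1) % n]);  /* prev */
    }
}

/* Build the constructed image: three objects threaded on two lists headed by
 * global sentinels, plus a decoy whose pointers aim at real nodes but have no
 * back-links, then run the scan. */
static size_t build_and_scan(uint64_t *out, size_t max) {
    uint64_t objs[3] = { IMAGE_BASE + 0x200, IMAGE_BASE + 0x480, IMAGE_BASE + 0x900 };
    uint64_t tasks_list[4]    = { IMAGE_BASE + 0x40, objs[0] + 8,  objs[1] + 8,  objs[2] + 8 };
    uint64_t children_list[4] = { IMAGE_BASE + 0x80, objs[0] + 32, objs[1] + 32, objs[2] + 32 };
    memset(image, 0, sizeof image);
    link_circular(tasks_list, 4);
    link_circular(children_list, 4);
    /* decoy at 0xc00: looks like an obj whose tasks field points into the real list */
    wr64(IMAGE_BASE + 0xc00 + 8,  objs[1] + 8);
    wr64(IMAGE_BASE + 0xc00 + 16, objs[0] + 8);
    return scan(&obj_sig, out, max);
}

int main(void) {
    uint64_t found[8];
    size_t n = build_and_scan(found, 8);
    printf("%zu instance(s) of struct obj recognised\n", n);
    for (size_t i = 0; i < n; i++) printf("  0x%llx\n", (unsigned long long)found[i]);
    return 0;
}
```

Requiring every list field in the offset sequence to satisfy the invariant is what rules out the two sentinels (each is a valid node, but no second valid node sits 24 bytes after it) and the decoy (its pointers target real nodes, but those nodes do not point back). The image here is a flat, contiguous buffer by assumption; a real kernel dump would additionally need virtual-to-physical translation before pointers could be followed.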
Keywords/Search Tags: memory analysis, data structures, security, operating system, memory forensics, reverse engineering