{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,9,11]],"date-time":"2024-09-11T07:23:00Z","timestamp":1726039380333},"publisher-location":"Cham","reference-count":24,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030268336"},{"type":"electronic","value":"9783030268343"}],"license":[{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2019]]},"DOI":"10.1007\/978-3-030-26834-3_23","type":"book-chapter","created":{"date-parts":[[2019,8,6]],"date-time":"2019-08-06T23:05:29Z","timestamp":1565132729000},"page":"391-409","update-policy":"http:\/\/dx.doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Toward the Analysis of Distributed Code Injection in Post-mortem Forensics"],"prefix":"10.1007","author":[{"given":"Yuto","family":"Otsuki","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yuhei","family":"Kawakoya","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Makoto","family":"Iwamura","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jun","family":"Miyoshi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jacob","family":"Faires","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Terrence","family":"Lillard","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2019,7,24]]},"reference":[{"issue":"Suppl.","key":"23_CR1","doi-asserted-by":"publisher","first-page":"114","DOI":"10.1016\/j.diin.2007.06.010","volume":"4","author":"AR Arasteh","year":"2007","unstructured":"Arasteh, A.R., Debbabi, M.: Forensic memory analysis: from stack and code to execution history. Digit. Invest. 4(Suppl.), 114\u2013125 (2007)","journal-title":"Digit. Invest."},{"key":"23_CR2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1007\/978-3-319-60876-1_10","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"T Barabosch","year":"2017","unstructured":"Barabosch, T., Bergmann, N., Dombeck, A., Padilla, E.: Quincy: detecting host-based code injection attacks in memory dumps. In: Polychronakis, M., Meier, M. (eds.) DIMVA 2017. LNCS, vol. 10327, pp. 209\u2013229. Springer, Cham (2017). \n https:\/\/doi.org\/10.1007\/978-3-319-60876-1_10"},{"key":"23_CR3","unstructured":"CodeMachine Inc.: CodeMachine \u2013 Article \u2013 Catalog of key Windows kernel data structures. \n https:\/\/www.codemachine.com\/article_kernelstruct.html\n \n . Accessed 02 Apr 2019"},{"key":"23_CR4","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1016\/j.diin.2017.02.005","volume":"20","author":"M Cohen","year":"2017","unstructured":"Cohen, M.: Scanning memory with Yara. Digit. Invest. 20, 34\u201343 (2017). \n https:\/\/doi.org\/10.1016\/j.diin.2017.02.005","journal-title":"Digit. Invest."},{"key":"23_CR5","unstructured":"FireEye, Inc.: M-trends (2019). \n https:\/\/content.fireeye.com\/m-trends\n \n . Accessed 02 Apr 2019"},{"key":"23_CR6","unstructured":"Google Inc.: Rekall memory forensic framework. \n http:\/\/www.rekall-forensic.com\/\n \n . Accessed 02 Apr 2019"},{"key":"23_CR7","unstructured":"Hammond, A.: Hunting for gargoyle memory scanning evasion. \n https:\/\/www.countercept.com\/blog\/hunting-for-gargoyle\/\n \n . Accessed 02 Apr 2019"},{"issue":"Suppl.","key":"23_CR8","doi-asserted-by":"publisher","first-page":"S121","DOI":"10.1016\/j.diin.2009.06.003","volume":"6","author":"SM Hejazi","year":"2009","unstructured":"Hejazi, S.M., Talhi, C., Debbabi, M.: Extraction of forensically sensitive information from windows physical memory. Digit. Invest. 6(Suppl.), S121\u2013S131 (2009)","journal-title":"Digit. Invest."},{"key":"23_CR9","unstructured":"HexHive: Github \u2013 hexhive\/malwash. \n https:\/\/github.com\/HexHive\/malWASH\n \n . Accessed 02 Apr 2019"},{"key":"23_CR10","unstructured":"Ispoglou, K.K., Payer, M.: malWASH: washing malware to evade dynamic analysis. In: 10th USENIX Workshop on Offensive Technologies (WOOT 2016). USENIX Association (2016)"},{"key":"23_CR11","unstructured":"KSLGroup: Github \u2013 kslgroup\/process-doppelganging-doppelfind: a volatility plugin to detect process doppelganging. \n https:\/\/github.com\/kslgroup\/Process-Doppelganging-Doppelfind\n \n . Accessed 02 Apr 2019"},{"key":"23_CR12","unstructured":"Leitch, J.: Process hollowing. \n https:\/\/www.autosectools.com\/Process-Hollowing.html\n \n . Accessed 02 Apr 2019"},{"key":"23_CR13","unstructured":"Liberman, T., Kogan, E.: Lost in transaction: process doppelg\u00e4nging. Black Hat Europe 2017 (2017)"},{"key":"23_CR14","unstructured":"Lospinoso, J.: Gargoyle, a memory scanning evasion technique. \n https:\/\/lospi.net\/security\/assembly\/c\/cpp\/developing\/software\/2017\/03\/04\/gargoyle-memory-analysis-evasion.html\n \n . Accessed 02 Apr 2019"},{"key":"23_CR15","unstructured":"Microsoft: Singly and doubly linked lists \u2013 Windows drivers\u2014Microsoft docs. \n https:\/\/docs.microsoft.com\/en-us\/windows-hardware\/drivers\/kernel\/singly-and-doubly-linked-lists\n \n . Accessed 02 Apr 2019"},{"key":"23_CR16","unstructured":"Microsoft: Transactional NTFS (TxF) \u2013 Windows applications\u2014Microsoft docs. \n https:\/\/docs.microsoft.com\/ja-jp\/windows\/desktop\/FileIO\/transactional-ntfs-portal\n \n . Accessed 02 Apr 2019"},{"key":"23_CR17","unstructured":"Monnappa, K.A.: Detecting deceptive process hollowing techniques using hollowfind volatility plugin - cysinfo. \n https:\/\/cysinfo.com\/detecting-deceptive-hollowing-techniques\/\n \n . Accessed 02 Apr 2019"},{"key":"23_CR18","doi-asserted-by":"publisher","first-page":"S101","DOI":"10.1016\/j.diin.2018.01.013","volume":"24","author":"Y Otsuki","year":"2018","unstructured":"Otsuki, Y., Kawakoya, Y., Iwamura, M., Miyoshi, J., Ohkubo, K.: Building stack traces from memory dump of windows x64. Digit. Invest. 24, S101\u2013S110 (2018). \n https:\/\/doi.org\/10.1016\/j.diin.2018.01.013","journal-title":"Digit. Invest."},{"key":"23_CR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"199","DOI":"10.1007\/978-3-319-45744-4_10","volume-title":"Computer Security \u2013 ESORICS 2016","author":"G P\u00e9k","year":"2016","unstructured":"P\u00e9k, G., L\u00e1z\u00e1r, Z., V\u00e1rnagy, Z., F\u00e9legyh\u00e1zi, M., Butty\u00e1n, L.: Membrane: a posteriori detection of malicious code loading by memory paging analysis. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9878, pp. 199\u2013216. Springer, Cham (2016). \n https:\/\/doi.org\/10.1007\/978-3-319-45744-4_10"},{"key":"23_CR20","unstructured":"Pshoul, D.: Community\/dimapshoul at master \n \n \n \n $$\\cdot $$\n volatilityfoundation\/community \n \n \n \n $$\\cdot $$\n github. \n https:\/\/github.com\/volatilityfoundation\/community\/tree\/master\/DimaPshoul\n \n . Accessed 02 Apr 2019"},{"key":"23_CR21","unstructured":"Pulley, C.: Github \u2013 carlpulley\/volatility: a collection of volatility framework plugins. \n https:\/\/github.com\/carlpulley\/volatility\n \n . Accessed 02 Apr 2019"},{"issue":"1","key":"23_CR22","doi-asserted-by":"publisher","first-page":"2:1","DOI":"10.1145\/2133375.2133377","volume":"15","author":"R Roemer","year":"2012","unstructured":"Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: systems, languages, and applications. ACM Trans. Inf. Syst. Secur. 15(1), 2:1\u20132:34 (2012)","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"23_CR23","unstructured":"Smulders, E.: Github \u2013 dutchy-\/volatility-plugins: container for assorted volatility plugins. \n https:\/\/github.com\/Dutchy-\/volatility-plugins\n \n . Accessed 02 Apr 2019"},{"key":"23_CR24","unstructured":"The Volatility Foundation: The volatility foundation \u2013 open source memory forensics. \n http:\/\/www.volatilityfoundation.org\/\n \n . Accessed 02 Apr 2019"}],"container-title":["Lecture Notes in Computer Science","Advances in Information and Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-26834-3_23","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,8,6]],"date-time":"2019-08-06T23:07:13Z","timestamp":1565132833000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-26834-3_23"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019]]},"ISBN":["9783030268336","9783030268343"],"references-count":24,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-26834-3_23","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2019]]},"assertion":[{"value":"24 July 2019","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"IWSEC","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Workshop on Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Tokyo","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Japan","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2019","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"28 August 2019","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"30 August 2019","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"iwsec2019a","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.iwsec.org\/2019\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"61","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"18","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"5","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"30% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3.9","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"5.6","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"https:\/\/www.iwsec.org\/2019\/","order":10,"name":"additional_info_on_review_process","label":"Additional Info on Review Process","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}