{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T07:01:47Z","timestamp":1769929307173,"version":"3.49.0"},"reference-count":49,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2021,11,23]],"date-time":"2021-11-23T00:00:00Z","timestamp":1637625600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"European Research Council"},{"name":"European Unions Horizon 2020","award":["771844 BitCrumbs, and 786669 (ReAct)"],"award-info":[{"award-number":["771844 BitCrumbs, and 786669 (ReAct)"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2022,2,28]]},"abstract":"<jats:p>Despite a considerable number of approaches that have been proposed to protect computer systems, cyber-criminal activities are on the rise and forensic analysis of compromised machines and seized devices is becoming essential in computer security.<\/jats:p>\n          <jats:p>\n            This article focuses on memory forensics, a branch of digital forensics that extracts artifacts from the volatile memory. In particular, this article looks at a key ingredient required by memory forensics frameworks: a precise model of the OS kernel under analysis, also known as\n            <jats:italic>profile<\/jats:italic>\n            . By using the information stored in the profile, memory forensics tools are able to\n            <jats:italic>bridge the semantic gap<\/jats:italic>\n            and interpret raw bytes to extract evidence from a memory dump.\n          <\/jats:p>\n          <jats:p>\n            A big problem with profile-based solutions is that custom profiles must be created for each and every system under analysis. 
This is especially problematic for Linux systems, because profiles are not\n            <jats:italic>generic<\/jats:italic>\n            : they are strictly tied to a specific kernel version and to the configuration used to build the kernel. Failing to create a valid profile means that an analyst cannot unleash the true power of memory forensics and is limited to primitive carving strategies.\n          <\/jats:p>\n          <jats:p>\n            For this reason, in this article we present a novel approach that combines source code and binary analysis techniques to automatically generate a profile from a memory dump,\n            <jats:italic>without<\/jats:italic>\n            relying on any non-public information. Our experiments show that this is a viable solution and that profiles reconstructed by our framework can be used to run many plugins, which are essential for a successful forensics investigation.\n          <\/jats:p>","DOI":"10.1145\/3485471","type":"journal-article","created":{"date-parts":[[2021,11,23]],"date-time":"2021-11-23T23:50:55Z","timestamp":1637711455000},"page":"1-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["AutoProfile: Towards Automated Profile Generation for Memory Analysis"],"prefix":"10.1145","volume":"25","author":[{"given":"Fabio","family":"Pagani","sequence":"first","affiliation":[{"name":"UC Santa Barbara, USA"}]},{"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[{"name":"Eurecom, France"}]}],"member":"320","published-online":{"date-parts":[[2021,11,23]]},"reference":[{"key":"e_1_3_2_2_2","article-title":"Bug 84052 - Using randomizing structure layout plugin in linux kernel compilation doesn\u2019t generate proper debuginfo","author":"Bugzilla GCC","year":"2018","unstructured":"GCC Bugzilla . 2018. Bug 84052 - Using randomizing structure layout plugin in linux kernel compilation doesn\u2019t generate proper debuginfo. 
Retrieved November 2020 from https:\/\/gcc.gnu.org\/bugzilla\/show_bug.cgi?id=84052.","journal-title":"https:\/\/gcc.gnu.org\/bugzilla\/show_bug.cgi?id=84052"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/2896499"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2010.05.005"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2016.12.004"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-24174-6_4"},{"key":"e_1_3_2_7_2","unstructured":"Michael\n\t\t\t\t\t\t\tCohen\n\t\t\t\t\t. 2014. Rekall memory forensics framework. Retrieved October 15 2021 from www.rekall-forensic.com."},{"key":"e_1_3_2_8_2","article-title":"Using crash with structure layout randomized kernel","author":"List Redhat crash utility Mailing","year":"2018","unstructured":"Redhat crash utility Mailing List . 2018. Using crash with structure layout randomized kernel. Retrieved November 2020 from https:\/\/crash-utility.redhat.narkive.com\/WZYTWez6\/using-crash-with-structure-layout-randomized-kernel.","journal-title":"https:\/\/crash-utility.redhat.narkive.com\/WZYTWez6\/using-crash-with-structure-layout-randomized-kernel"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.5555\/1792734.1792766"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.11"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653730"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897850"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664248"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1109\/WCRE.2011.49"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.40"},{"key":"e_1_3_2_16_2","article-title":"ksfinder - Retrieve exported kernel symbols from physical memory dumps","author":"Graziano Mariano","year":"2016","unstructured":"Mariano Graziano . 2016. 
ksfinder - Retrieve exported kernel symbols from physical memory dumps. Retrieved November 2020 from https:\/\/github.com\/emdel\/ksfinder.","journal-title":"https:\/\/github.com\/emdel\/ksfinder"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359820"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.45"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/2556464.2556465"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2019.00058"},{"key":"e_1_3_2_21_2","volume-title":"Proceedings of the 19th Annual Network and Distributed System Security Symposium","author":"Lin Zhiqiang","year":"2012","unstructured":"Zhiqiang Lin , Junghwan Rhee , Chao Wu , Xiangyu Zhang , and Dongyan Xu . 2012. Dimsum: Discovering semantic data of interest from un-mappable memory with confidence. In Proceedings of the 19th Annual Network and Distributed System Security Symposium ."},{"key":"e_1_3_2_22_2","volume-title":"Proceedings of the Network and Distributed System Security Symposium","author":"Lin Zhiqiang","year":"2011","unstructured":"Zhiqiang Lin , Junghwan Rhee , Xiangyu Zhang , Dongyan Xu , and Xuxian Jiang . 2011. SigGraph: Brute force scanning of kernel data structure instances using graph-based signatures. In Proceedings of the Network and Distributed System Security Symposium ."},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-02918-9_7"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.5555\/2788959.2788964"},{"key":"e_1_3_2_25_2","article-title":"System v application binary interface","volume":"99","author":"Matz Michael","year":"2013","unstructured":"Michael Matz , Jan Hubicka , Andreas Jaeger , and Mark Mitchell . 2013. System v application binary interface. 
AMD64 Architecture Processor Supplement, Draft v0 99, (2013), 57.","journal-title":"AMD64 Architecture Processor Supplement, Draft v0"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2017.7884661"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.5555\/645393.651886"},{"key":"e_1_3_2_28_2","article-title":"LKRG - Linux Kernel Runtime Guard","year":"2020","unstructured":"Openwall.org . 2020. LKRG - Linux Kernel Runtime Guard. Retrieved November 2020 from https:\/\/www.openwall.com\/lkrg\/.","journal-title":"https:\/\/www.openwall.com\/lkrg\/"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.5555\/3361338.3361460"},{"key":"e_1_3_2_30_2","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Pustogarov Ivan","year":"2020","unstructured":"Ivan Pustogarov , Qian Wu , and Lie David . 2020. Ex-vivo dynamic analysis framework for android device drivers. In Proceedings of the Symposium on Network and Distributed System Security ."},{"key":"e_1_3_2_31_1","unstructured":"Nguyen Anh\n\t\t\t\t\t\t\tQuynh\n\t\t\t\t\t\t and \n\t\t\t\t\t\t\tDang Hoang\n\t\t\t\t\t\t\tVu\n\t\t\t\t\t. 2015. Unicorn-The ultimate CPU emulator."},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.5555\/3241189.3241251"},{"key":"e_1_3_2_33_2","article-title":"Toward trusted sensing for the cloud: Introducing Project Freta","author":"Research Microsoft","year":"2020","unstructured":"Microsoft Research . 2020. Toward trusted sensing for the cloud: Introducing Project Freta. 
Retrieved November 2020 from https:\/\/www.microsoft.com\/en-us\/research\/blog\/toward-trusted-sensing-for-the-cloud-introducing-project-freta\/.","journal-title":"https:\/\/www.microsoft.com\/en-us\/research\/blog\/toward-trusted-sensing-for-the-cloud-introducing-project-freta\/"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.5555\/2838421.2838453"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2010.08.002"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1145\/1851276.1851280"},{"key":"e_1_3_2_38_2","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Slowinska Asia","year":"2011","unstructured":"Asia Slowinska , Traian Stancescu , and Herbert Bos . 2011. Howard: A dynamic excavator for reverse engineering data structures. In Proceedings of the Symposium on Network and Distributed System Security ."},{"key":"e_1_3_2_39_2","doi-asserted-by":"crossref","unstructured":"Arkadiusz\n\t\t\t\t\t\t\tSoca\u0142a\n\t\t\t\t\t\t and \n\t\t\t\t\t\t\tMichael\n\t\t\t\t\t\t\tCohen\n\t\t\t\t\t. 2016. Automatic profile generation for live linux memory analysis. In Proceedings of the Third Annual DFRWS Europe (DFRWS\u201916) Volume 38.","DOI":"10.1016\/j.diin.2016.01.004"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243813"},{"key":"e_1_3_2_41_2","article-title":"Grsecurity","author":"Spengler Bradley","year":"2006","unstructured":"Bradley Spengler . 2006. Grsecurity. Internet Retrieved May 27, 2006 from http:\/\/grsecurity.net\/lsm.php.","journal-title":"Internet Retrieved May 27, 2006 from http:\/\/grsecurity.net\/lsm.php."},{"key":"e_1_3_2_42_2","article-title":"Universal memory forensic analysis of Android systems","author":"Sviderski Pavel","year":"2016","unstructured":"Pavel Sviderski . 2016. Universal memory forensic analysis of Android systems. 
Retrieved November 2020 from https:\/\/github.com\/psviderski\/volatility-android.","journal-title":"https:\/\/github.com\/psviderski\/volatility-android"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/SCAM.2010.24"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11212-1_14"},{"key":"e_1_3_2_45_2","article-title":"Volatility profiles for Linux and Mac OS X","year":"2021","unstructured":"VolatilityFoundation . 2021. Volatility profiles for Linux and Mac OS X. Retrieved November 2020 from https:\/\/github.com\/volatilityfoundation\/profiles.","journal-title":"https:\/\/github.com\/volatilityfoundation\/profiles"},{"key":"e_1_3_2_46_2","unstructured":"Aaron\n\t\t\t\t\t\t\tWalters\n\t\t\t\t\t. 2007. The volatility framework: Volatile memory artifact extraction utility framework. Retrieved March 19 2015 from https:\/\/www.volatilesystems.com\/default\/volatility."},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICAC.2016.46"},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.44"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1186\/s13635-016-0038-z"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-10-6385-5_32"}],"container-title":["ACM Transactions on Privacy and 
Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3485471","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3485471","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:30:15Z","timestamp":1750188615000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3485471"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,23]]},"references-count":49,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,2,28]]}},"alternative-id":["10.1145\/3485471"],"URL":"https:\/\/doi.org\/10.1145\/3485471","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,11,23]]},"assertion":[{"value":"2020-12-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-09-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-11-23","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}
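Worked example added by the editor; it is not part of the Crossref record above and not code from the AutoProfile paper or from any memory-forensics framework. It illustrates the two points the abstract makes about profiles: a profile is the type-layout information that lets a tool turn raw dump bytes into kernel objects (here, a pslist-style walk of the task list), and a profile built for one kernel configuration silently produces garbage on a kernel built with another. The task_struct layouts (PROFILE_A, PROFILE_B), the field offsets, the kernel base address, the address translation, and the "memory dump" are all constructed for the example and are not real Linux values.

```python
"""Added example: how a profile bridges the semantic gap, and why a profile
built for one kernel configuration cannot be reused on another.

All layouts, offsets, addresses and dump contents below are hypothetical.
"""
import struct

# A profile is, at its core, a map of type layouts: for each struct, the
# offset and kind of every field the analysis needs.  Real profiles also
# carry symbol addresses (e.g. init_task); here that address is returned by
# the dump builder instead.  Both layouts are invented for this example.
PROFILE_A = {                        # "kernel built with config A"
    "task_struct": {
        "size": 0x40,
        "tasks": (0x10, "list_head"),   # embedded list_head {next, prev}
        "pid":   (0x20, "int32"),
        "comm":  (0x30, "char[16]"),
    },
}
PROFILE_B = {                        # "same source, config B adds a field"
    "task_struct": {
        "size": 0x48,
        "tasks": (0x10, "list_head"),
        "pid":   (0x28, "int32"),       # fields after the new one shift down
        "comm":  (0x38, "char[16]"),
    },
}

KERNEL_BASE = 0xFFFF888000000000     # assumed: kernel VA = KERNEL_BASE + phys


def v2p(vaddr):
    """Assumed trivial virtual-to-physical mapping (a real tool walks page tables)."""
    return vaddr - KERNEL_BASE


def read_field(dump, profile, struct_name, base_vaddr, field):
    """Decode one struct member from the dump using the profile's layout."""
    off, kind = profile[struct_name][field]
    p = v2p(base_vaddr) + off
    if kind == "int32":
        return struct.unpack_from("<i", dump, p)[0]
    if kind == "list_head":
        return struct.unpack_from("<QQ", dump, p)        # (next, prev)
    if kind.startswith("char["):
        n = int(kind[5:-1])
        return dump[p:p + n].split(b"\0", 1)[0].decode("ascii", "replace")
    raise ValueError(kind)


def walk_tasks(dump, profile, init_task_vaddr, max_tasks=1024):
    """Follow init_task.tasks.next around the circular list, as a pslist-style
    plugin does, and return (pid, comm) for every task_struct found."""
    tasks_off = profile["task_struct"]["tasks"][0]
    found = []
    cur = init_task_vaddr
    for _ in range(max_tasks):
        pid = read_field(dump, profile, "task_struct", cur, "pid")
        comm = read_field(dump, profile, "task_struct", cur, "comm")
        found.append((pid, comm))
        nxt, _prev = read_field(dump, profile, "task_struct", cur, "tasks")
        cur = nxt - tasks_off        # list_head points at the member, not the struct
        if cur == init_task_vaddr:
            return found
    raise RuntimeError("task list did not close: wrong profile or corrupt dump")


def profile_looks_consistent(tasks):
    """Cheap plausibility check an analyst can run on a pslist result: the
    swapper task is pid 0 with a recognisable name, and every other task has a
    positive pid and a non-empty printable comm.  A shifted layout fails this."""
    if not tasks:
        return False
    pid0, comm0 = tasks[0]
    if pid0 != 0 or not comm0.startswith("swapper"):
        return False
    return all(pid > 0 and comm and comm.isprintable() for pid, comm in tasks[1:])


def build_sample_dump(profile):
    """Constructed physical-memory image: three task_structs laid out per
    `profile` and linked into the circular `tasks` list.  Returns the image
    and the (assumed) virtual address of init_task."""
    ts = profile["task_struct"]
    entries = [(0x1000, 0, b"swapper/0"), (0x2000, 1, b"systemd"), (0x3000, 1234, b"sshd")]
    dump = bytearray(0x4000)
    tasks_off = ts["tasks"][0]
    for i, (phys, pid, comm) in enumerate(entries):
        nxt_phys = entries[(i + 1) % len(entries)][0]
        prv_phys = entries[(i - 1) % len(entries)][0]
        struct.pack_into("<QQ", dump, phys + tasks_off,
                         KERNEL_BASE + nxt_phys + tasks_off,
                         KERNEL_BASE + prv_phys + tasks_off)
        struct.pack_into("<i", dump, phys + ts["pid"][0], pid)
        dump[phys + ts["comm"][0]:phys + ts["comm"][0] + len(comm)] = comm
    return bytes(dump), KERNEL_BASE + entries[0][0]


if __name__ == "__main__":
    dump, init_task = build_sample_dump(PROFILE_A)
    for name, prof in (("matching profile", PROFILE_A), ("wrong profile", PROFILE_B)):
        tasks = walk_tasks(dump, prof, init_task)
        print(name, tasks, "consistent:", profile_looks_consistent(tasks))
```

The list walk succeeds with both profiles because the `tasks` offset happens to be the same in both layouts; only the `pid` and `comm` fields are read from the wrong place. That is the failure mode the abstract warns about: a profile for the wrong kernel build does not crash the tool, it yields plausible-looking but wrong results, which is why the plausibility check is run before trusting any plugin output.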