About the applicability of Apache2 web server memory forensics

IF 2 | Zone 4, Medicine | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS
Jan-Niclas Hilgert, Roman Schell, Carlo Jakobs, Martin Lambertz
DOI: 10.1016/j.fsidi.2023.301610
Journal: Forensic Science International-Digital Investigation
Publication date: 2023-10-01
Publication type: Journal Article
URL: https://www.sciencedirect.com/science/article/pii/S2666281723001221
Citations: 0

About the applicability of Apache2 web server memory forensics

With the increasing use of the Internet for criminal activities, web servers have become more and more important during forensic investigations. In many cases, web servers are used to host leaked data, as a management interface for Command and Control servers, or as a platform for illicit content. As a result, extracting information from web servers has become a critical aspect of digital forensics. By default, a lot of information can already be extracted by performing traditional storage forensics including the analysis of logs. However, this approach quickly reaches its limits as soon as anti-forensic techniques such as the deletion of configuration files or the deactivation of logging capabilities are implemented. This paper evaluates the feasibility of memory forensics as a complement to traditional storage forensics for cases involving web servers. For this purpose, we present a methodology for extracting forensically relevant artefacts from the memory of Apache web servers, which are among the most commonly used on the Internet. Through various experiments, we evaluate the applicability of our approach in different scenarios. In the process, we also take a closer look at the overall existence of digital traces, which cannot easily be found by following a structured approach. Our findings demonstrate that certain Apache web server structures contain important information that can be retrieved from memory even after the originating event has passed. Additionally, traces such as IP addresses were still found in memory even after complete structures were already overwritten by further interaction. These results highlight the benefits and the potential of memory analysis for web servers in digital investigations.

Source journal
CiteScore: 5.90
Self-citation rate: 15.00%
Articles published: 87
Review time: 76 days