Published July 9, 2023 | Version v1
Other Open

Quasi-instantaneous consistency observation: Experimental data and source code

Authors/Creators

  • 1. Friedrich-Alexander Universität Erlangen-Nürnberg

Description

This archive contains the memory dumps and analysis results created for the paper "As if Time Had Stopped - Checking Memory Dumps for Quasi-Instantaneous Consistency", presented at DFRWS USA 2023. The source code used in the experiments and scripts for the analysis are included as well.

 

The folder Scripts contains the scripts used for the analysis of the memory dumps. A detailed description of the scripts (scriptsinfo.txt) is included in the folder.

The folder Src contains the source code of the pivot program, and instructions on how it can be used (srcinfo.txt). For more details please refer to the paper.

The memory dumps are contained in individual zip files in the folders Frozen and Live:

  • The folder Frozen contains the memory dumps (frozen_quasidumps.zip) created with the snapshot  mechanism of the VM and high activity. Additionally, heap dumps created from the memory dump are included (file name ends with "-heap") for compatibility with the current implementation of the quasiCheckDump.py script. The analysis results are contained under Frozen/Results.
  • The folder Live contains the memory dumps created with LiME with low (Folder: Low; Memory dumps: livelow_quasidumps.zip) and high (Folder: High; Memory dumps: livehigh_quasidumps.zip) activity. Additionally, the heap dumps created after the memory dump has been taken are included (file name ends with "-heap"). Details describing why this is necessary can be found in the paper. The analysis results are contained under Live/Low/Results and Live/High/Results. In the latter folder missingvma.txt indicates the single memory dump for which one of the analysis steps failed.
  • The Results folders always contain:
    • The heap of the pivot program extracted from the memory dump.
    • A csv file that summarizes the number of found counter (quasi-instantaneous) and VMA inconsistencies per memory dump.
    • csv files with the results of intermediate steps.
    • txt files with detailed tool output.
    • More details on the files are described in scriptsinfo.txt in the folder Scripts.

 

Files

quasiinstaconsistency.zip

Files (11.8 GB)

Name Size Download all
md5:0699db4df94eb52f2d0c9bd58916fc57
11.8 GB Preview Download