Privacy Aware Memory Forensics

TL;DR

This paper introduces a privacy-preserving memory forensics method that detects insider data leaks by analyzing RAM for sensitive information, balancing security needs with user privacy, demonstrated through a military case study.

Contribution

A novel approach that captures and analyzes RAM to detect insider data leaks without compromising user privacy, utilizing deep learning for context-aware identification.

Findings

Effective detection of sensitive data leaks in RAM

Maintains user privacy during forensic analysis

Validated with a military use case

Abstract

In recent years, insider threats and attacks have been increasing in terms of frequency and cost to the corporate business. The utilization of end-to-end encrypted instant messaging applications (WhatsApp, Telegram, VPN) by malicious insiders raised data breach incidents exponentially. The Securities and Exchange Board of India (SEBI) investigated reports on such data leak incidents and reported about twelve companies where earnings data and financial information were leaked using WhatsApp messages. Recent surveys indicate that 60% of data breaches are primarily caused by malicious insider threats. Especially, in the case of the defense environment, information leaks by insiders will jeopardize the countrys national security. Sniffing of network and host-based activities will not work in an insider threat detection environment due to end-to-end encryption. Memory forensics allows access to the messages sent or received over an end-to-end encrypted environment but with a total compromise of the users privacy. In this research, we present a novel solution to detect data leakages by insiders in an organization. Our approach captures the RAM of the insiders device and analyses it for sensitive information leaks from a host system while maintaining the users privacy. Sensitive data leaks are identified with context using a deep learning model. The feasibility and effectiveness of the proposed idea have been demonstrated with the help of a military use case. The proposed architecture can however be used across various use cases with minor modifications.