Monitoring access to shared memory-mapped files

Christian G. Sarmoria, Steve J. Chapin

Research output: Contribution to conferencePaperpeer-review

5 Scopus citations


The post-mortem state of a compromised system may not contain enough evidence regarding what transpired during an attack to explain the attacker's modus operandi. Current systems that reconstruct sequences of events gather potential evidence at runtime by monitoring events and objects at the system call level. The reconstruction process starts with a detection point, such as a file with suspicious contents, and establishes a dependency chain with all the processes and files that could be related to the compromise, building a path back to the origin of the attack. However, system call support is lost after a file is memory-mapped because all read and write operations on the file in memory thereafter are through memory pointers. We present a runtime monitor to log read and write operations in memory-mapped files. The basic concept of our approach is to insert a page fault monitor in the kernel's memory management subsystem. This monitor guarantees the correct ordering of the logs that represent memory access events when two or more processes operate on a file in memory. Our monitor increases accuracy to current reconstruction systems by reducing search time, search space, and false dependencies.

Original languageEnglish (US)
StatePublished - 2005
Event5th Annual Digital Forensic Research Workshop, DFRWS 2005 - New Orleans, LA, United States
Duration: Aug 17 2005Aug 19 2005


Other5th Annual Digital Forensic Research Workshop, DFRWS 2005
Country/TerritoryUnited States
CityNew Orleans, LA


  • Causality
  • Event reconstruction
  • Memory access monitor
  • Memory mapping

ASJC Scopus subject areas

  • Information Systems


Dive into the research topics of 'Monitoring access to shared memory-mapped files'. Together they form a unique fingerprint.

Cite this