DIGITAL PROFILING OF CYBERCRIMINALS BASED ON WORKING MEMORY ARTIFACTS
DOI:
https://doi.org/10.28925/2663-4023.2026.33.1162
Keywords:
digital forensics; RAM; memory dumps; artifact analysis; cybercrimes; behavioral profiling; cyber incidents; information security.
Abstract
The article explores how analysis of working memory (RAM) artifacts of computer systems can be used to identify signs of cybercriminal activity and to build models of attacker behavior in the digital environment. It proposes an approach to reconstructing the technical actions taken during a cyber incident, based on a comprehensive analysis of RAM dumps, which makes it possible to identify active processes, network connections, interactions between system objects, and fragments of executable program code. The research methodology involves structural analysis of operating system processes, detection of anomalous startup parameters, study of the process hierarchy, and analysis of network activity recorded in system memory. Based on the results obtained, the attacker’s sequence of actions was reconstructed, which includes launching auxiliary processes, establishing a network connection with remote nodes, code injection, and execution of malicious commands. Generalizing the detected artifacts produced a model of behavioral patterns of cybercriminal activity that reflects the relationship between the attacker’s technical actions and the digital traces in the RAM structure. The results indicate that analysis of RAM artifacts can be an effective digital forensics tool for detecting complex cyber incidents, reconstructing attack mechanisms, and forming behavioral profiles of cybercriminals. The proposed approach can be used in the practice of investigating cybercrimes, as well as to improve the efficiency of cyber threat detection and analysis systems.
License
Copyright (c) 2026 Марина Ларченко

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.