# V8 Memory Forensics Plugin Data Analysis
#### Notebook Created By: Samuel Zurowski @ University of New Haven
#### GitHub Repository: https://github.com/unhcfreg/V8-Memory-Forensics-Plugins

All memory images used for this analysis were V8_[0-10]_objects.vmem. The data extracted from them was written to a CSV file, which is loaded in this notebook.

In [None]:
# Libraries required for this Notebook
import numpy as np
import pandas as pd

from matplotlib import pyplot as plt
%matplotlib inline

import seaborn as sns

## Load CSV V8 Plugin Data

In [None]:
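# Load the plugin results that were exported to CSV; the file is kept in the
# repository's custom/ folder and the path is relative to the notebook.
data_set = pd.read_csv("custom/custom_v8_objects.csv")

# Every cell below indexes these three columns. Check for them here so a
# truncated or differently shaped export fails with a clear message instead of
# a KeyError/AttributeError in the middle of the analysis.
required_columns = {"num_type", "num_user_created_objs", "total_count_of_type"}
missing_columns = required_columns - set(data_set.columns)
if missing_columns:
    raise ValueError(
        f"custom/custom_v8_objects.csv is missing expected columns: {sorted(missing_columns)}"
    )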

In [None]:
# Sanity check of the loaded frame: show the rows recorded for instance type 2,
# ordered by the num_user_created_objs column.
data_set.loc[data_set["num_type"].eq(2)].sort_values(by="num_user_created_objs")

### Looking at correlation for each Instance Type

In [None]:

# For every instance type, correlate the number of user-created objects with
# the number of objects of that type recovered from the memory image.
for num_type in data_set["num_type"].unique():
    per_type = data_set.loc[data_set["num_type"] == num_type].sort_values(by="num_user_created_objs")

    # The samples with 1 and 7 user-created objects are treated as
    # garbage-collected and left out so they do not distort the coefficient.
    # NOTE(review): this is a manual exclusion; the reported correlations only
    # describe the remaining samples.
    per_type = per_type.loc[~per_type["num_user_created_objs"].isin([1, 7])]

    coefficient = per_type["num_user_created_objs"].corr(per_type["total_count_of_type"])

    # A NaN coefficient means no correlation could be computed for this type;
    # those types are not reported.
    if pd.notna(coefficient):
        print(f"Instance Type: {num_type} correlation: {coefficient}")
    

In [None]:
# Summary statistics for the loaded frame, used to get a feel for the value
# ranges before plotting.
data_set.describe()

# Data Visualization

In [None]:
# Instance-type numbers the author lists as string types. The array is only
# referenced by the commented-out tick override near the end of this cell.
str_types = np.array([0, 2, 8, 10, 18, 26, 32, 33, 34, 35, 37, 40, 41, 42, 43, 45, 50, 58, 64])

# Restrict the plot to the low instance-type numbers so the smaller counts
# remain readable; swap in the commented line to plot every type.
# NOTE(review): the cut-off here is < 65, while the exploratory cell at the end
# of the notebook uses < 64 — confirm which bound is intended.
modified_data = data_set.loc[data_set["num_type"] < 65]
# modified_data = data_set

plt.figure(figsize=(15, 15))
sns.set(style="whitegrid", font_scale=2)

# One line per value of num_user_created_objs, so the growth in recovered
# objects can be compared across instance types.
line_ax = sns.lineplot(
    data=modified_data,
    x="num_type",
    y="total_count_of_type",
    hue="num_user_created_objs",
    style="num_user_created_objs",
    markers=True,
    dashes=False,
    legend="full",
    palette='Paired',
)

line_ax.legend(title='Count of User Generated Objects', loc='upper right')
line_ax.set_title("Increase of User Generated String Discovered Objects")
line_ax.set_xlabel("Object Type Number")
line_ax.set_ylabel("Total Count of Object Type")

# plt.xticks(str_types)
plt.xticks(rotation=90)

plt.show()

In [None]:
# Rows for instance type 0x421, ordered by the number of user-created objects.
# NOTE(review): this is the same filter that builds `user_created` in the next
# cell, although the variable name suggests a string type — confirm the
# intended instance type before relying on plots made from this frame.
const_one_byte = data_set.loc[data_set["num_type"] == 0x421].sort_values(by="num_user_created_objs")

const_one_byte

In [None]:
# Rows for instance type 0x421, ordered by the number of user-created objects;
# this frame feeds the bar chart used as a figure in the paper.
user_created = data_set.loc[data_set["num_type"] == 0x421].sort_values(by="num_user_created_objs")
user_created

In [None]:
# One of the figures from the paper: recovered 0x421 objects per sample.
plt.figure(figsize=(15, 15))
bar_ax = sns.barplot(
    data=user_created,
    x="num_user_created_objs",
    y="total_count_of_type",
    color='grey',
)

# The y-axis starts at 2500 rather than 0, so compare bars by their axis
# values and not by their relative heights.
bar_ax.set_ylim(2500, 5000)
bar_ax.set_title("Count of 0x421 Instance Type Objects")
bar_ax.set_xlabel("Number of User Objects Created")
bar_ax.set_ylabel("Total Count of Object Type")

plt.xticks(rotation=90)
plt.show()

In [None]:
# Bar chart intended as an example of a constant one-byte string type.
# NOTE(review): `const_one_byte` is built with the 0x421 filter, the same one
# used for `user_created` — confirm that this frame holds the intended type.
plt.figure(figsize=(15, 15))
bar_ax = sns.barplot(
    data=const_one_byte,
    x="num_user_created_objs",
    y="total_count_of_type",
)

# The y-axis is clipped to 300-10000 rather than starting at 0.
bar_ax.set_ylim(300, 10000)
bar_ax.set_xlabel("Number of User Objects Created")
bar_ax.set_ylabel("Total Count of Object Type")

plt.xticks(rotation=90)
plt.show()

In [None]:
# ONE_BYTE_INTERNALIZED_STRING_TYPE: rows for instance type 8, ordered by the
# number of user-created objects.
one_byte_internalized = data_set.loc[data_set["num_type"] == 8].sort_values(by="num_user_created_objs")
one_byte_internalized

In [None]:
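# ONE_BYTE_INTERNALIZED_STRING_TYPE
# Bar chart of recovered one-byte internalized strings per sample.

# Leave out the samples with 1 and 7 user-created objects, the same rows the
# correlation cell excludes as garbage-collected.
gc_affected_counts = [1, 7]
custom_data = one_byte_internalized[~one_byte_internalized.num_user_created_objs.isin(gc_affected_counts)]

plt.figure(figsize=(15, 15))
lpot = sns.barplot(x="num_user_created_objs",
            y="total_count_of_type",
            data=custom_data, color='grey')

# The y-axis is zoomed to 6040-6070, so bar heights exaggerate differences of
# a few objects; read the values off the axis rather than comparing heights.
lpot.set_ylim(6040, 6070)
plt.xlabel("Number of User Objects Created")
plt.ylabel("Total Count of Object Type")

# Title spelling corrected ("Interalized" -> "Internalized").
lpot.set_title("One Byte Internalized String Type Recovered Objects Count")
plt.xticks(rotation=90)

plt.show()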

In [None]:
# Exploratory view: plotting every value at once is hard to read, so keep only
# instance types below 64 whose recovered count is under 100.
low_type_rows = data_set["num_type"] < 64
low_count_rows = data_set["total_count_of_type"] < 100
str_data = data_set[low_type_rows & low_count_rows]

plt.figure(figsize=(30, 8))
lpot = sns.barplot(
    data=str_data,
    x="num_type",
    y="total_count_of_type",
    hue="num_user_created_objs",
)
lpot.set_xlabel("Object Type Number")
lpot.set_ylabel("Total Count of Object Type")
plt.xticks(rotation=90)
plt.show()