Digital Imaging and Communication System (DICOM) is widely used throughout the public health sector for portability in medical imaging. However, DICOM files have vulnerabilities in their preamble section. Successful exploitation of these vulnerabilities allows attackers to embed executable code in the 128-byte preamble of a DICOM file. Embedding a malicious executable does not interfere with the readability or functionality of the DICOM imagery; however, it silently affects the underlying system when these files are viewed. This paper shows the infiltration of Windows malware executables into DICOM files. On viewing the files, the malicious DICOM is executed and eventually infects the entire hospital network through the radiologist's workstation. The code injection process that executes malware from DICOM files affects the hospital network and the workstations' memory. Memory forensics of the infected radiologist's workstation is crucial, as it can identify which malware disrupts the hospital environment so that future detection methods can be deployed. In this paper, we apply machine learning (ML) algorithms to conduct memory forensics on three memory dump categories, Trojan, Spyware, and Ransomware, taken from the CIC-MalMem-2022 dataset. We obtain the highest accuracy of 75% with the Random Forest model. To estimate feature importance for ML model prediction, we leverage the concept of Shapley values.
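A defender-side triage check for the preamble weakness described above, added here as an example and not code from the paper: it reads the 128-byte preamble and the "DICM" magic of a Part 10 file and flags files whose preamble starts with the "MZ" executable signature or carries non-zero bytes. The two sample byte strings are constructed for the test, not real files.

```python
from dataclasses import dataclass

PREAMBLE_LEN = 128          # fixed-size preamble before the "DICM" magic
DICOM_MAGIC = b"DICM"       # Part 10 magic at offset 128
PE_MAGIC = b"MZ"            # DOS/PE executable signature


@dataclass
class PreambleFinding:
    is_dicom: bool          # "DICM" present at offset 128
    preamble_all_zero: bool # preamble contains only 0x00 bytes
    starts_with_mz: bool    # preamble begins with an executable header
    nonzero_bytes: int      # count of non-zero preamble bytes

    @property
    def suspicious(self) -> bool:
        # The standard allows application-specific preamble content, so a
        # non-zero preamble is a reason to inspect; an "MZ" header at byte 0
        # is the strongest indicator of a DICOM/executable polyglot.
        return self.is_dicom and (self.starts_with_mz or not self.preamble_all_zero)


def inspect_preamble(data: bytes) -> PreambleFinding:
    """Classify the first 132 bytes of a candidate DICOM file."""
    preamble = data[:PREAMBLE_LEN]
    magic = data[PREAMBLE_LEN:PREAMBLE_LEN + len(DICOM_MAGIC)]
    nonzero = sum(1 for b in preamble if b != 0)
    return PreambleFinding(
        is_dicom=(magic == DICOM_MAGIC),  # short or non-DICOM input -> False
        preamble_all_zero=(nonzero == 0),
        starts_with_mz=preamble.startswith(PE_MAGIC),
        nonzero_bytes=nonzero,
    )


def inspect_file(path: str) -> PreambleFinding:
    """Read only the header bytes needed; safe to run over a whole archive."""
    with open(path, "rb") as fh:
        return inspect_preamble(fh.read(PREAMBLE_LEN + len(DICOM_MAGIC)))


# Constructed samples: a clean Part 10 header and a polyglot-style header.
CLEAN_SAMPLE = bytes(PREAMBLE_LEN) + DICOM_MAGIC + b"\x02\x00\x00\x00UL\x04\x00"
POLYGLOT_SAMPLE = PE_MAGIC + bytes(PREAMBLE_LEN - 2) + DICOM_MAGIC + b"\x02\x00\x00\x00UL\x04\x00"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("polyglot", POLYGLOT_SAMPLE)):
        finding = inspect_preamble(blob)
        print(f"{name}: suspicious={finding.suspicious} nonzero={finding.nonzero_bytes}")
```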