Digital Imaging and Communications in Medicine (DICOM) is the standard used throughout the public health sector for portable medical imaging. A DICOM Part 10 file begins with a 128-byte preamble whose contents the standard leaves unconstrained and which DICOM parsers skip. This preamble is a known weak point: an attacker can place the header of a Windows executable in it, producing a file that is at once a valid DICOM image and a valid portable executable (PE). Embedding the malicious executable does not interfere with the readability or functionality of the DICOM imagery (a conforming viewer ignores the preamble, so the image displays normally), yet it silently compromises the underlying system when the file is executed on the host. This paper shows the infiltration of Windows malware executables into DICOM files: once the malicious DICOM file is launched on the radiologist's workstation, the malware runs and can eventually infect the entire hospital network. Executing the malware injected into DICOM files leaves traces in the memory of the workstation and across the hospital network. Memory forensics of the infected radiologist's workstation is therefore crucial: it can identify which malware family is disrupting the hospital environment so that future detection methods can be deployed. In this paper, we apply machine learning (ML) algorithms to memory forensics on three memory dump categories taken from the CIC-MalMem-2022 dataset: Trojan, Spyware, and Ransomware. The Random Forest model achieves the highest accuracy, 75\%. To estimate feature importance for the ML model's predictions, we leverage Shapley values.
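The preamble check a practitioner would want on ingest, given as an added example that is not code from the paper: it reads the 128-byte preamble and the "DICM" magic at offset 128, and, when the preamble opens with the DOS "MZ" signature, follows the e_lfanew field at offset 0x3C to see whether a "PE\0\0" header really lies inside the file, i.e. whether Windows could load the file as an executable. A non-zero preamble that is not a loadable PE is only reported as suspicious, since the standard permits legitimate preambles (for example a TIFF header). The sample files are constructed skeletons built inline for the demonstration, not real images or real malware; the verdict names and the minimal (0002,0010) element header are assumptions of this example.

```python
import struct

# Layout of a DICOM Part 10 file: 128-byte preamble (contents unconstrained
# by the standard), then the 4-byte magic "DICM", then the data set.
PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"
# Windows PE layout: DOS header starts with "MZ"; the 32-bit little-endian
# field at offset 0x3C (e_lfanew) gives the file offset of the "PE\0\0" header.
PE_DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C


def inspect_dicom_preamble(data: bytes) -> dict:
    """Classify the preamble of a DICOM file held in memory.

    Verdicts (names chosen for this example):
      not_dicom          - no "DICM" magic at offset 128
      benign             - preamble is all zeros (the common case)
      suspicious         - preamble is non-zero but not a loadable PE (a TIFF
                           preamble is a legitimate example, so inspect by hand)
      pe_dicom_polyglot  - preamble is a DOS header whose e_lfanew points at a
                           "PE\0\0" header inside this file: Windows can run it
    """
    is_dicom = (
        len(data) >= PREAMBLE_LEN + len(DICOM_MAGIC)
        and data[PREAMBLE_LEN:PREAMBLE_LEN + len(DICOM_MAGIC)] == DICOM_MAGIC
    )
    preamble = data[:PREAMBLE_LEN]
    preamble_zero = preamble == b"\x00" * PREAMBLE_LEN
    pe_dos_header = preamble[:2] == PE_DOS_MAGIC

    pe_polyglot = False
    e_lfanew = None
    if pe_dos_header and len(data) >= E_LFANEW_OFFSET + 4:
        e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
        # Only a "PE\0\0" that is really inside the file makes it loadable;
        # a dangling e_lfanew is malformed, not executable.
        pe_polyglot = (
            e_lfanew + len(PE_MAGIC) <= len(data)
            and data[e_lfanew:e_lfanew + len(PE_MAGIC)] == PE_MAGIC
        )

    if not is_dicom:
        verdict = "not_dicom"
    elif pe_polyglot:
        verdict = "pe_dicom_polyglot"
    elif preamble_zero:
        verdict = "benign"
    else:
        verdict = "suspicious"

    return {
        "is_dicom": is_dicom,
        "preamble_zero": preamble_zero,
        "pe_dos_header": pe_dos_header,
        "e_lfanew": e_lfanew,
        "pe_polyglot": pe_polyglot,
        "verdict": verdict,
    }


# --- Constructed sample files (not real medical images or real malware) ----

def make_sample_dicom(preamble: bytes = b"\x00" * PREAMBLE_LEN) -> bytes:
    """Minimal constructed DICOM: preamble, "DICM", then the start of a
    (0002,0010) Transfer Syntax UID element header. Enough for the check."""
    if len(preamble) != PREAMBLE_LEN:
        raise ValueError("preamble must be exactly 128 bytes")
    return preamble + DICOM_MAGIC + b"\x02\x00\x10\x00UI\x00\x00"


def make_constructed_polyglot(pe_offset: int = 0x200) -> bytes:
    """Constructed PE/DICOM polyglot skeleton: a DOS header in the preamble
    whose e_lfanew points past the DICOM header to a stub "PE\0\0" signature.
    Only the bytes this check looks at are present; it is not a runnable PE."""
    dos = bytearray(PREAMBLE_LEN)
    dos[:2] = PE_DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, pe_offset)
    body = make_sample_dicom(bytes(dos))
    # Pad to the advertised PE offset, then the PE signature and a zeroed stub.
    return body.ljust(pe_offset, b"\x00") + PE_MAGIC + b"\x00" * 20


if __name__ == "__main__":
    samples = {
        "zero preamble": make_sample_dicom(),
        "TIFF-style preamble": make_sample_dicom(b"II*\x00" + b"\x00" * 124),
        "PE/DICOM polyglot": make_constructed_polyglot(),
        "MZ with dangling e_lfanew": make_sample_dicom(
            b"MZ" + b"\x00" * 58 + b"\xff\xff\xff\x7f" + b"\x00" * 64),
    }
    for name, blob in samples.items():
        print(f"{name:28s} -> {inspect_dicom_preamble(blob)['verdict']}")
```

Following e_lfanew rather than stopping at "MZ" is the point of the check: the two bytes alone are only a hint, whereas a valid in-file "PE\0\0" target is what the Windows loader actually requires, so it separates a genuine polyglot from a corrupted or merely unusual preamble. Files flagged as polyglots are the ones whose execution on a workstation would produce the memory artefacts the paper's forensic models are trained to recognise.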