Acquisition of Network Connection Status Information from Physical Memory on Windows Vista Operating System
Abstract
A method for extracting network connection status information from physical memory on the Windows Vista operating system is proposed. Using this method, a forensic examiner can accurately extract the current TCP/IP network connection information from a physical memory image of a Windows Vista system, including the IDs of the processes that established the connections, the establishing time, the local address, the local port, the remote address, the remote port, etc. The method is reliable and efficient. It has been verified on Windows Vista, Windows Vista SP1, and Windows Vista SP2.
Similar sources
Windows Operating System Agnostic Memory Analysis
Memory analysis is an integral part of any computer forensic investigation, providing access to volatile data not found on a drive image. While memory analysis has recently made significant progress, it is still hampered by hard-coded tools that cannot generalize beyond the specific operating system and version they were developed for. This paper proposes using the debug structures embedded in ...
Network Connections Information Extraction of 64-Bit Windows 7 Memory Images
Memory analysis is a key element of computer live forensics, and how to get status information of network connections is one of the difficulties of memory analysis; it plays an important role in identifying attack sources. It is more difficult to find the drivers and get network connections information from a 64-bit Windows 7 memory image file than from a 32-bit operating system memor...
Performance Evaluation of Recent Windows Operating Systems
The primary goal of most OSs (Operating Systems) is the efficient use of computer systems' software and hardware resources. Since Windows OSs are the most widely used OSs for personal computers, they need to satisfy the needs of all the different kinds of computer systems users. In comparison with Windows XP, the new versions of the Windows OS, namely Windows Vista and Windows 7, introduce a number of new feature...
Cyber Dumpster-Diving: $Recycle.Bin Forensics for Windows 7 and Windows Vista
Analysis of deleted files often provides useful information for the forensic computer examiner. Knowing where to find the deleted files, and how to interpret the metadata associated with a file's deletion, makes up the cornerstone of a successful forensic computer examination. Much like an office trash can, the Microsoft Windows Recycle Bin is a temporary holding container for files that have ...
Forensic Carving of Network Packets and Associated Data Structures
Using validated carving techniques, we show that popular operating systems (e.g. Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from long-terminated network traffic. Such information is useful for many forensic purposes including establishment of prior connection activity and services used; identification of...