Live Memory Acquisition for Windows Operating Systems: Tools and Techniques for Analysis

Abstract

The live acquisition of volatile memory (RAM) is an area of digital forensics that has received little attention until recently. The contents of physical memory have always taken a back seat to what is considered more important: the contents of physical media. However, a great deal of information can be recovered from RAM analysis that is unavailable during a typical forensic acquisition and analysis of disk media. This paper surveys the tools available to the forensic examiner for memory acquisition and describes how to analyze the resulting data.
Similar references
BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software
Recently there has been a surge in interest in memory forensics: the acquisition and analysis of the contents of physical memory obtained from live hosts. The emergence of kernel level rootkits, anti-forensics, and the threat of subversion that they pose threatens to undermine the reliability of such memory images and digital evidence in general. In this paper we propose a method of acquiring t...
Evaluating atomicity, and integrity of correct memory acquisition methods
With increased use of forensic memory analysis, the soundness of memory acquisition becomes more important. We therefore present a black box analysis technique in which memory contents are constantly changed via our payload application with a traceable access pattern. This way, given the correctness of a memory acquisition procedure, we can evaluate its atomicity and one aspect of integrity as ...
Obfuscating Live Computer Forensic Investigative Process on a Windows 7 Operating System: A Criminals Perspective
Live forensic investigation is conducted while the computer system is turned on, with the data gathered in a forensically sound manner from physical memory in the form of evidence. As time has progressed, criminals have been developing methodologies by which live analysis can be defeated. One such method implemented by criminals is that of a rootkit being installed on the victim'...
Live Memory Acquisition through FireWire
Although the FireWire-based memory acquisition method was introduced several years ago, its methodology has not been discussed in detail and practical tools are still lacking. In addition, the existing method does not work reliably across different versions of Windows. In this paper, we compare different memory acquisition methods and discuss their advantages and disadvantages. Then, the me...
Acquisition of Network Connection Status Information from Physical Memory on Windows Vista Operating System
A method to extract network connection status information from physical memory on the Windows Vista operating system is proposed. Using this method, a forensic examiner can accurately extract the current TCP/IP network connection information, including the IDs of the processes that established the connections, the establishment time, local address, local port, remote address, remote p...