Identifying Volatile Data from Multiple Memory Dumps in Live Forensics
Authors
Abstract
One of the core components of live forensics is to collect and analyze volatile memory data. Since the dynamic analysis of memory is not possible, most live forensic approaches focus on analyzing a single snapshot of a memory dump. Analyzing a single memory dump raises questions about evidence reliability; consequently, a natural extension is to study data from multiple memory dumps. Also important is the need to differentiate static data from dynamic data in the memory dumps; this enables investigators to link evidence based on memory structures and to determine if the evidence is found in a consistent area or a dynamic memory buffer, providing greater confidence in the reliability of the evidence. This paper proposes an indexing data structure for analyzing pages from multiple memory dumps in order to identify static and dynamic pages.
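The static-versus-dynamic distinction above can be illustrated with a page-level hash index; the following Python is an added example, not the paper's own data structure (whose details are not given here), and it assumes a 4 KiB page size and three constructed sample dumps.

```python
import hashlib
from collections import defaultdict

PAGE_SIZE = 4096  # assumed page granularity; the paper's index may differ

def page_hashes(dump: bytes, page_size: int = PAGE_SIZE) -> list:
    """Split one memory dump into fixed-size pages and hash each page."""
    return [hashlib.sha256(dump[i:i + page_size]).hexdigest()
            for i in range(0, len(dump), page_size)]

def build_page_index(dumps: list) -> dict:
    """Index: page number -> per-dump hashes, in dump order."""
    index = defaultdict(list)
    for dump in dumps:
        for page_no, digest in enumerate(page_hashes(dump)):
            index[page_no].append(digest)
    return index

def classify_pages(index: dict, n_dumps: int) -> dict:
    """'static' if a page hashed identically in every dump (a consistent area),
    'dynamic' if its content changed between dumps (a volatile buffer),
    'partial' if the page was not present in all dumps."""
    result = {}
    for page_no, digests in index.items():
        if len(digests) != n_dumps:
            result[page_no] = "partial"
        elif len(set(digests)) == 1:
            result[page_no] = "static"
        else:
            result[page_no] = "dynamic"
    return result

def make_dump(seed: int) -> bytes:
    """Constructed sample dump of four pages: pages 0 and 2 never change,
    page 1 changes in every dump, page 3 changes only in the last dump."""
    p0 = b"\x90" * PAGE_SIZE
    p1 = seed.to_bytes(4, "little") * (PAGE_SIZE // 4)
    p2 = bytes(range(256)) * (PAGE_SIZE // 256)
    p3 = (b"A" if seed < 2 else b"B") * PAGE_SIZE
    return p0 + p1 + p2 + p3

def demo() -> dict:
    """Classify every page across three constructed dumps."""
    dumps = [make_dump(i) for i in range(3)]
    return classify_pages(build_page_index(dumps), len(dumps))

if __name__ == "__main__":
    print(demo())  # {0: 'static', 1: 'dynamic', 2: 'static', 3: 'dynamic'}
```

Evidence found in a page the index reports as static can be cross-referenced at the same offset in every dump, while a hit in a dynamic page should be treated as a transient buffer.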
Similar references
De-Anonymizing Live CDs through Physical Memory Analysis
Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a serious problem for this investigative model, howe...
Live Memory Acquisition for Windows Operating Systems: Tools and Techniques for Analysis
The live acquisition of volatile memory (RAM) is an area in digital forensics that has not garnered much attention until most recently. The importance of the contents of physical memory has always taken a back seat to what is considered more important – the contents of physical media. However, a great deal of information can be acquired ...
Forensics Evaluation of Privacy of Portable Web Browsers
Browsers claim private mode browsing saves no data on the host machine. Most popular web browsers also offer portable versions of their browsers which can be launched from a removable device. When the removable device is removed, it is claimed that traces of browsing activities will be deleted and consequently private portable browsers offer better privacy. This makes the task of computer foren...
BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software
Recently there has been a surge in interest in memory forensics: the acquisition and analysis of the contents of physical memory obtained from live hosts. The emergence of kernel level rootkits, anti-forensics, and the threat of subversion that they pose threatens to undermine the reliability of such memory images and digital evidence in general. In this paper we propose a method of acquiring t...
Volatools: Integrating Volatile Memory Forensics into the Digital Investigation Process
In this work, we demonstrate the integral role of volatile memory analysis in the digital investigation process and how that analysis can be used to help address many of the challenges facing the digital forensics community. We also provide a look at some of the shortcomings of existing approaches to live response. Finally, we provide the technical details for extracting in-memory cryptographic...