Volatile memory forensics has become increasingly prominent in forensic analysis and incident response. Unfortunately, there is currently no forensically sound method of acquiring an image of a system's memory without attaching specialized hardware. This paper proposes adding a memory acquisition mechanism to the operating system itself, thereby removing the need to load an external program. The method minimizes the acquisition's impact on the system's state and makes it more difficult for malicious programs to avoid detection or to interfere with the memory dump. The risks of allowing a full memory capture, and some considerations on how this method would interact with rootkits, are also discussed.