Forensic Discovery
Shredding your garbage: reducing data lifetime through secure deallocation
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
User data persistence in physical memory
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Searching for processes and threads in Microsoft Windows memory dumps
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Treasure and tragedy in kmem_cache mining for live forensics investigation
Digital Investigation: The International Journal of Digital Forensics & Incident Response
The impact of the antivirus on the digital evidence
International Journal of Electronic Security and Digital Forensics
| Hi-index | 0.00 |
An image of a computer's physical memory can provide a forensic examiner with a wealth of information. A small area of system memory, the nonpaged pool, contains lots of information about currently and formerly active processes. As this paper shows, more than 90% of such information can be retrieved even 24h after process termination under optimum conditions. Great care must be taken as the acquisition process usually affects the memory contents to be acquired. In order minimize the impact on volatile data, this paper for the first time analyzes the pool allocation mechanism of the Microsoft Windows operating system. It describes a test arrangement, which allows to obtain a time series of physical memory images, while it also reduces the effect on the observed operating system. Using this environment it was found that allocations from the nonpaged pool are reused based on their size and a last in-first out schedule. In addition, a passive memory compaction strategy may apply. So, the creation of a new object is likely to eradicate the evidence of an object of the same class that was destructed just before. The paper concludes with a discussion of the implications for incident response procedures, forensic examinations, and the creation of forensic tools.