Investigating the PROCESS block for memory analysis
ACS'11 Proceedings of the 11th WSEAS international conference on Applied computer science
Forensic analysis of physical memory is gaining attention from experts in the community, especially after the recent development of valuable tools and techniques. Investigators find it very helpful to seize physical memory contents and perform post-incident analysis of this potential evidence. Most of the research carried out so far focuses on enumerating processes and threads by accessing memory-resident objects. To collect case-relevant information from the extracted memory content, existing techniques usually rely on string matching. The most important contribution of this paper is a new technique for extracting sensitive information from physical memory. The technique is based on analyzing the call stack and the security-sensitive APIs. It allows extracting sensitive information that cannot be extracted by string-matching-based techniques. In addition, the paper leverages string matching to obtain a more reliable technique for analyzing and extracting what we call "application/protocol fingerprints". The proposed techniques and their implementation target machines running the Windows XP (SP1, SP2) operating system.