论文信息 - Extracting Forensic Artifacts from Windows O/S Memory

Extracting Forensic Artifacts from Windows O/S Memory

Abstract : Memory analysis is a rapidly growing area in both digital forensics and cyber situational awareness (SA). Memory provides the most accurate snapshot of what is occurring on a computer at a moment in time. By combining it with event and network logs as well as the files present on the filesystem, an analyst can re-create much of what has occurred and is occuring on a computer. The Compiled Memory Analysis Tool (CMAT) takes either a disk image of memory from a Windows operating system or an interface into a virtual machine running a Windows operating system and extracts forensic artifacts including general system information, loaded system modules, the active processes, the files and registry keys accessed by those processes, the network connections established by the processes, the dynamic link libraries loaded by the processes, and the contents of the Windows clipboard. Operators and investigators can either take these artifacts and analyze them directly or use them as input into more complex cyber SA and digital forensics analysis tools.

James S. Okolica | Gilbert L. Peterson

[1] Andreas Schuster,et al. Searching for processes and threads in Microsoft Windows memory dumps , 2006, Digit. Investig..

[2] James S. Okolica,et al. Windows operating systems agnostic memory analysis , 2010 .

[3] James S. Okolica,et al. A Compiled Memory Analysis Tool , 2010, IFIP Int. Conf. Digital Forensics.

[4] James S. Okolica,et al. Windows driver memory analysis: A reverse engineering methodology , 2011, Comput. Secur..

[5] James S. Okolica,et al. Simulating windows-based cyber attacks using live virtual machine introspection , 2010, SummerSim.

[6] Sven B. Schreiber. Undocumented Windows 2000 Secrets: A Programmer's Cookbook , 2001 .

[7] James S. Okolica,et al. Extracting the windows clipboard from physical memory , 2011 .

[8] Brendan Dolan-Gavitt,et al. Forensic analysis of the Windows registry in memory , 2008, Digit. Investig..

[9] Eoghan Casey,et al. Extracting Windows command line details from physical memory , 2010 .

[10] Nick L. Petroni,et al. Volatools : Integrating Volatile Memory Forensics into the Digital Investigation Process , 2007 .