论文信息 - Identifying Volatile Data from Multiple Memory Dumps in Live Forensics

Identifying Volatile Data from Multiple Memory Dumps in Live Forensics

One of the core components of live forensics is to collect and analyze volatile memory data. Since the dynamic analysis of memory is not possible, most live forensic approaches focus on analyzing a single snapshot of a memory dump. Analyzing a single memory dump raises questions about evidence reliability; consequently, a natural extension is to study data from multiple memory dumps. Also important is the need to differentiate static data from dynamic data in the memory dumps; this enables investigators to link evidence based on memory structures and to determine if the evidence is found in a consistent area or a dynamic memory buffer, providing greater confidence in the reliability of the evidence. This paper proposes an indexing data structure for analyzing pages from multiple memory dumps in order to identify static and dynamic pages.

[1] Ali Reza Arasteh,et al. Forensic memory analysis: From stack and code to execution history , 2007, Digit. Investig..

[2] Frans Henskens,et al. Persistent systems techniques in forensic acquisition of memory , 2007, Digit. Investig..

[3] Dan Farmer,et al. Forensic Discovery , 2004 .

[4] K. P. Chow,et al. Consistency Issue on Live Systems Forensics , 2007, Future Generation Communication and Networking (FGCN 2007).

[5] W. Alink,et al. Forensic memory analysis: Files mapped in memory , 2008, Digit. Investig..

[6] Gabriela Limon Garcia,et al. Forensic physical memory analysis : an overview of tools and techniques , 2007 .

[7] Thomas W. Reps,et al. Improved Memory-Access Analysis for x86 Executables , 2008, CC.

[8] Theodore Tryfonas,et al. Acquiring volatile operating system data tools and techniques , 2008, OPSR.

[9] Thomas W. Reps,et al. Analyzing Memory Accesses in x86 Executables , 2004, CC.

[10] William A. Arbaugh,et al. FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory , 2006, Digit. Investig..

[11] Andreas Schuster,et al. Searching for processes and threads in Microsoft Windows memory dumps , 2006, Digit. Investig..

[12] D CarrierBrian,et al. A hardware-based memory acquisition procedure for digital investigations , 2004 .

[13] Joe Grand,et al. A hardware-based memory acquisition procedure for digital investigations , 2004, Digit. Investig..