A Method of Extracting Picture in Memory

Memory forensics can provide crucial evidence or clues for further investigation, and it is directly connected to field investigation. Images are a common and intuitive way to express information, and they carry direct weight as evidence. This article analyzes how data in common image formats (BMP, PNG, JPEG, GIF) is stored in memory and summarizes rules for extracting the picture data. On this basis, the article proposes a method of extracting picture data from a memory image. The experimental results show that picture data can be accurately recovered from the memory image.
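As an illustration of format-aware recovery for one of the formats named above, the following added example (not the article's method or code) carves PNG files from a raw memory image by locating the signature and then validating every chunk's length and CRC up to `IEND`. It assumes each picture is stored contiguously in the dump; the function names and the sample dump are constructed for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _walk_chunks(mem, cur, max_chunk):
    """Follow length/type/data/CRC chunks; return end offset or None."""
    first = True
    while cur + 12 <= len(mem):
        length, ctype = struct.unpack_from(">I4s", mem, cur)
        if length > max_chunk or cur + 12 + length > len(mem):
            return None                      # implausible size or truncated
        if first and (ctype != b"IHDR" or length != 13):
            return None                      # signature hit without a header
        data_end = cur + 8 + length
        (stored_crc,) = struct.unpack_from(">I", mem, data_end)
        if zlib.crc32(mem[cur + 4:data_end]) != stored_crc:
            return None                      # damaged or overwritten data
        cur = data_end + 4
        if ctype == b"IEND":
            return cur
        first = False
    return None

def carve_pngs(mem, max_chunk=64 * 1024 * 1024):
    """Return [(offset, png_bytes)] for each structurally valid PNG."""
    found, pos = [], mem.find(PNG_SIG)
    while pos != -1:
        end = _walk_chunks(mem, pos + len(PNG_SIG), max_chunk)
        if end is not None:
            found.append((pos, mem[pos:end]))
            pos = mem.find(PNG_SIG, end)
        else:
            pos = mem.find(PNG_SIG, pos + 1)  # false positive, keep scanning
    return found

def _chunk(ctype, data):
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_dump():
    """Constructed dump: filler, a valid 1x1 PNG, filler, a damaged copy."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = (PNG_SIG + _chunk(b"IHDR", ihdr)
           + _chunk(b"IDAT", zlib.compress(b"\x00\x7f")) + _chunk(b"IEND", b""))
    damaged = bytearray(png)
    damaged[-20] ^= 0xFF                     # flip one byte inside IDAT
    return b"\x00" * 100 + png + b"\xff" * 50 + bytes(damaged), png

if __name__ == "__main__":
    print([(off, len(img)) for off, img in carve_pngs(build_sample_dump()[0])])
```

The CRC check is what rejects the damaged copy: a signature match alone would have reported two pictures.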
