Volatile memory collection and analysis for windows mission-critical computer systems

International Journal of Digital Crime and Forensics

Volumn 1, Issue 3, 2009, Pages 42-61

  Savoldi, Antonio ^a   Gubian, Paolo ^a  

^a UNIVERSITY OF BRESCIA   (Italy)

Author keywords

Blurriness; Live forensic analysis; Page file collection; Ram collection; Volatile memory analysis; Volatile memory integrity

Indexed keywords

DIGITAL STORAGE; WINDOWS OPERATING SYSTEM;

BLURRINESS; CONTINUITY OF SERVICES; DIGITAL INVESTIGATION; LIVE FORENSICS; SERVICE INTERRUPTION; STATE-OF-THE-ART APPROACH; SYSTEM INFRASTRUCTURE; VOLATILE MEMORY;

COMPUTER OPERATING SYSTEMS;

EID: 67649925950     PISSN: 19416210     EISSN: 19416229     Source Type: Journal    
DOI: 10.4018/jdcf.2009070103     Document Type: Article

References (22)

1. Adams, K., & Algesen, O. (2006). A Comparison of Software and Hardware Techniques for x86 Virtualization, In J.P. Shen (Ed.), 12th International Conference on Architectural Supportfor Programming Languages and Operating Systems (pp. 2-13). New York, NY: ACM Press.
2. th International Ruxcon Conference. Retrieved September 20, 2008, from http://www.ruxcon.orrg.au/files/2006/firewire-attacks.pdf
3. Carrier, B., & Grand, J. (2004). A Hardware- Based Memory Acquisition Procedure for Digital Investigations. Digital Investigation, 1(1), 50-60.
4. Carrier, B. (2005). File System Forensic Analy- sis. Upper Saddle River, NJ: Addison Wesley.
5. Carrier, B. (2008). SleuthKit, Retrieved September 20, 2008, from http://www.sleuthkit.org/.
6. Chisum, W.J., & Turvey, B. (2000). Evidence Dynamics: Locard's Exchange Principle and Crime Reconstruction, Journal of Behavioral Profiling, 1(1).
7. rd USENIX Workhop on Hot Topics in Security. Retrieved September 20, 2008, from http://www.usenix.org/events/hotsec08/tech/
8. Encase (2008), Retrieved September 20, 2008, from http://www. guidancesoftware.com/.
9. Garner, G. M. (2008). Forensic Acquisition Utilities. Retrieved September 20, 2008, from http://www.gmgsystemsinc.com/fau/.
10. th Usenix Security Symposium. San Jose, CA. Retrieved September20, 2008, from http://citp.princeton.edu/pub/coldboot.pdf
11. Kornblum, J. (2007). Using Every Part of the Buffalo in Windows Memory Analysis. Digital Investigation, 4(1), 24-29.
12. Lee, S., Savoldi, A., Lee, S., & Lim, J. (2007a). Windows Page file Collection and Analysis for a Live Forensic Context. In Future Generation Communication and Networking (pp. 97-101). Jeju Island, Korea: IEEE Computer Society.
13. rd Intelligent Information Hiding and Multime- dia Signal Processing (pp. 93-97). Kaohsiung, TW: IEEE Computer Society.
14. Li, K., & Hudak, P. (1989). Memory Coherence in Shared Virtual Memory System. ACM Transaction on Computer System, 7(4), 321-359. (Pubitemid 20637608)
15. Palmer, G. (2001). A Roadmap for Digital Forensic Research (Technical Report DTR-T001- 01). Utica, NY: Air Force Research Laboratory. Retrieved September 20, 2008, from http://www.dfrws.org/2001/dfrws-rm-final.pdf
16. Petroni, N., Walters, A., Fraser, T., & Arbaugh, W. (2006). FATkit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory. Digital Investigation, 3(4), 197-210.
17. Russinovich, M., & Solomon, D. (2004). Microsoft Windows Internals, Microsoft Press. Redmond, WA: Microsoft Press.
18. Rutkowska, J. (2007). Beyond The CPU: Defeating Hardware Based RAM Acquisition Tools (Part I: AMD case). Black Hat Conference. Retrieved March 1, 2008, from http://in-visiblethings.org/papers.html.
19. th Annual Digital Forensic Research Workshop (pp. 126-134). Pittsburgh, PA: Elsevier.
20. th Annual Digital Forensic Research Workshop (pp. 10-16). Lafayette, IN: Elsevier.
21. Silberschatz, A., Galvin, P.B., & Gagne, G. (2007). Operating System Concepts. Hoboken, NJ: John Wiley & Sons.
22. X-Ways Forensic (2008), Retrieved September 20, 2008, from http://www.x-ways.net/.