Forensic memory analysis: From stack and code to execution history

DFRWS 2007 Annual Conference

Volumn , Issue , 2007, Pages

  Arasteh, Ali Reza ^a   Debbabi, Mourad ^a  

^a Concordia University ^*  (Canada)

Author keywords

Cyber forensics; Physical memory; Process logic; Stack; Thread

Indexed keywords

CYBER FORENSICS; PHYSICAL MEMORY; PROCESS LOGIC; STACK; THREAD;

DATA STRUCTURES;

EID: 84868372495     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1016/j.diin.2007.06.010     Document Type: Conference Paper

References (24)

1. Burdach M. Digital forensics of the physical memory.
2. Betz C. MemParser, 〈http://www.dfrws.org/2005/challenge/memparser. html〉; 2005 [Visited on May 22, 2007].
3. Butler J, Hoglund G. Rootkits: subverting the Windows kernel. Addison-Wesley Professional; July 2005.
4. Debugging tools for Windows,〈http://www.microsoft.com/whdc/devtools/ debugging/default.mspx〉 [Visited on May 22, 2007].
5. Digital Forensic Research Workshop (DFRWS). Memory analysis challenge; 2005.
6. Debbabi M, Adi K, Mejri M. A new logic for electronic commerce protocols. Int J Theor Comput Sci (TCS) 2003;291(3):223-83. (Pubitemid 35460172)
7. Giffin JT. Model based intrusion detection system design and evaluation. PhD thesis; 2006.
8. Gladyshev P, Patel A. Finite state machine approach to digital event reconstruction. Digit Investig J 2004;1(2).
9. Gladyshev P, Patel A. Formalising event time bounding in digital investigations. Digit Investig J 2005;4(2).
10. Garner Jr GM. Kntlist, 〈http://www.dfrws.org/2005/challenge/kntlist. html〉.
11. Hosmer C. Time lining computer evidence, 〈http://www.wetstonetech. com/f/timelining.pdf〉; 1998 [Visited on May 22, 2007].
12. Kruse II WG, Heiser JG. Computer forensics: incident response essentials. Boston, MA: Addison-Wesley; 2002.
13. Kornblum J. Using every part of the buffalo in Windows memory analysis. Digit Investig J January 2007.
14. Leigland R, Krings AW. A formalization of digital forensics. Digit Investig J 2004;3(2).
15. Monroe K, Bailey D. System base-lining: a forensic perspective, 〈http://ftimes.sourceforge.net/Files/Papers/baselining.pdf〉; 2003.
16. Peikari C, Chuvakin A. Security warrior. Sebastopol, CA: O'Reilly; 2004.
17. Schreiber S.UndocumentedWindows2000 secrets: a programmer's cookbook. Addison-Wesley Professional; May 2001.
18. Schuster A. Pool allocations as an information source in Windows memory forensics. In: International conference on IT-incident management & IT-forensics, 2006.
19. Stallard T, Levitt K. Automated analysis for digital forensic science: semantic integrity checking. In: 19th annual computer security applications conference, Las Vegas, NV, USA, December 2003.
20. Stephenson P. Modeling of post-incident root cause analysis. Int Digit Evid 2003;2(2).
21. The IDA pro disassembler and debugger, 〈http://www.datarescue.com/ ida.htm〉 [Visited on May 22, 2007].
22. Tenable Network Security. [Visited on May 22, 2007].
23. Walters A, Petroni N. FATKit: a framework for the extraction and analysis of digital forensics data from volatile system memory.
24. Walters A, Petroni N. Volatools: integrating volatile memory forensics into the digital investigation process. Black Hat DC 2007; February 2007.