A Novel Memory Forensics Technique for Windows 10
Subscribe/Renew Journal
Volatile memory forensics, henceforth referred to as memory forensics, is a subset of digital forensics, which deals with the preservation of the contents of memory of a computing device and the subsequent examination of that memory. The memory of a system typically contains useful runtime information. Such memories are volatile, causing the contents of memory to rapidly decay once no longer supplied with power. Using memory forensic techniques, it is possible to extract an image of the system's memory while it is still running, creating a copy that can be examined at a later point in time, even after the system has been turned off and the data contained within the original RAM has dissipated. This paper describe the implementation of the technique that collect volatile artifacts extracted from the RAM dump and Hibernation file of Windows 10 operating system and shows the extracted data of various process of the system.
Keywords
- Rahman, S., & Khan, M. N. A. (2015). Review of live forensic analysis techniques. International Journal of Hybrid Information Technology, 8(2), 379-388.
- Youngsoo, K., Sangsu, L., & Hong, D. (2008). Suspects’ data hiding at remaining registry values of uninstalled programs. In Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop, Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering.
- Singh, A., Sharma, P., & Nath, R. (2016). Role of hibernation file in memory forensics of Windows 10.
- In Vivechana: National Conference on Advances in Computer Science and Engineering (ACSE-2016).
- Wang, L., Zhang, R., & Zhang, S. (2009). A model of computer live forensics based on physical memory analysis. In IEEE Information Science and Engineering (ICISE).
- Kristine, A., & Carlos, C. (2009). Techniques and Tools for Recovering and Analyzing Data from Volatile Memory. Sans Institute Infosec Reading Room.
- Gianni, F., & Solinas, F. (2013). Live Digital Forensics: Windows XP vs Windows 7. In IEEE Informatics and Applications (ICIA), 2013 2nd International Conference.
- Hang, C. H., & Yen, P. H. (2010). Fast deployment of computer forensics with USBs. In IEEE Broadband, Wireless Computing, Communication and Applications (BWCCA).
- Dija, S., Deepthi, T., Balan, C., & Thomas, K. (2012). Towards retrieving live forensic artifacts in offline forensics. In Recent Trends in Computer Networks and Distributed Systems Security, Berlin Heidelberg, Germany, Springer-Verlag, (pp. 225-233).
- Mrdovic, S., & Huseinovic, A. (2011). Forensic analysis of encrypted volumes using hibernation files. In Proceedings of the 19th Telecommunications Forum.
- Gupta, D., & Mehte, B. (2013). Forensic analysis of Sandboxie artifacts. In Security in Computing and Communications, Berlin Heidelberg, Germany, Springer-Verlag, (pp. 341-352).
- Iqbal, A., Obaidli, H. A., Marrington, A., & Jone, A. (2014). Windows Surface RT tablet forensics.
- Digital Investigation, 11(S1), S87-S93.
- Carvey, H. (2014). Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8, Waltham, Massachusetts: Syngress.
- Quick, D., & Choo, K. (2013). Digital droplets: Microsoft SkyDrive forensic data remnants. Future Generation Computer Systems, 29(6), 1378-1394.
- Quick, D., & Choo, K. (2014). Forensic analysis of data remnants. Journal of Network and Computer Applications, 40, 179-193.
- Quick, D., & Choo, K. (2013). Dropbox analysis: Data remnants on user machines. Digital Investigation, 10(1), 3-18.
- Russinovich, M., Solomon, D. A., & Ionescu, A. (2009). Windows Internals, (5th ed), Microsoft Press.
- Schuster, A. (2006). Searching for processes and threads in microsoft windows memory dumps. In The Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS ’06).
- Balogh, S., & Pondelik, M. (2011). Capturing encryption keys for digital analysis. IEEE 6th International Conference on Intelligent Data Acquisition and Advanced Computing Systems (IDAACS), 2.
- Aljaedi, A., Lindskog, D., Zavarsky, P., Ruhl, R., & Almari, F. (2011). Comparative Analysis of Volatile Memory Forensics: Live Response vs. Memory Imaging. In IEEE Privacy, Security, Risk and Trust (PASSAT), IEEE 3rd International Conference on Social Computing.
Abstract Views: 409
PDF Views: 0