Title: Automated Windows Memory File Extraction for Cyber Forensics Investigation
Abstract
In digital forensics, the first step in conducting an investigation is to acquire the evidence most relevant to the case. Because it contains the most recently accessed data and information about the state of a system, physical memory is a valuable source of digital evidence. When a process runs or accesses a file, all or part of the process's executable or of the accessed data file is mapped into physical memory. In this article, we propose several methods to locate files in memory and extract them, in order to rebuild the executable and data files that existed in physical memory at the time of the incident. We developed a memory analysis plug-in that performs this automated memory file extraction. Using this tool, we have been able to extract a wide range of data file types, including text, PDF, Java Archives (JAR), various logs, EVT (system event-log files, used by the system event viewer), HTML and many more. Investigators can use the results of this research to (1) compare the files found on disk with those extracted from memory to detect possible tampering, or (2) reconstruct files that no longer exist on disk. In addition, they can recover the most recent file modifications that have not yet been written back to the corresponding files on disk. Memory-extracted files can also be used for correlation analysis together with other sources of evidence such as application or network log files, e-mail files, and data files found on disk.
Year: 2008
DOI: 10.1080/15567280802552829
Venue: J. Digital Forensic Practice
Keywords: file extraction, automated windows memory, network log file, system event-log file, cyber forensics investigation, corresponding file, automated memory file extraction, physical memory, e-mail file, last file modification, accessed data, memory analysis, data file, digital forensics
Field: File Control Block, Flash file system, Computer security, Computer science, Unix file types, Data file, Memory-mapped file, File synchronization, File system fragmentation, Database, Computer file
DocType: Journal
Volume: 2
Issue: 3
Citations: 1
PageRank: 0.42
References: 10
Authors: 3

Name                   Order  Citations  PageRank
Seyed Mahmood Hejazi   1      1          0.75
Mourad Debbabi         2      1467       144.47
Chamseddine Talhi      3      192        23.98