Computer and Network Forensics

Sitaraman, S.; Venkatesan, S.

doi:10.4018/978-1-59140-872-7.ch003

Cited by 3 publications

(1 citation statement)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Second, attackers reach the compromised system, collect confidential data, and delete trace outs. Network forensics must be conducted at live data communication to address these problems [ 65 ]. However, this approach incorporates the overheads of highly computational processors, I/O devices, and large storage devices for collecting, analyzing, and storing real-time network traffic.…”

Section: Introductionmentioning

confidence: 99%

A Comprehensive Review on Adaptability of Network Forensics Frameworks for Mobile Cloud Computing

Khan

Shiraz

Wahab

et al. 2014

The Scientific World Journal

View full text Add to dashboard Cite

Network forensics enables investigation and identification of network attacks through the retrieved digital content. The proliferation of smartphones and the cost-effective universal data access through cloud has made Mobile Cloud Computing (MCC) a congenital target for network attacks. However, confines in carrying out forensics in MCC is interrelated with the autonomous cloud hosting companies and their policies for restricted access to the digital content in the back-end cloud platforms. It implies that existing Network Forensic Frameworks (NFFs) have limited impact in the MCC paradigm. To this end, we qualitatively analyze the adaptability of existing NFFs when applied to the MCC. Explicitly, the fundamental mechanisms of NFFs are highlighted and then analyzed using the most relevant parameters. A classification is proposed to help understand the anatomy of existing NFFs. Subsequently, a comparison is given that explores the functional similarities and deviations among NFFs. The paper concludes by discussing research challenges for progressive network forensics in MCC.

show abstract

Section: Introductionmentioning

confidence: 99%

A Comprehensive Review on Adaptability of Network Forensics Frameworks for Mobile Cloud Computing

Khan

Shiraz

Wahab

et al. 2014

The Scientific World Journal

View full text Add to dashboard Cite

show abstract

Challenges Facing Information Systems Security Management in Higher Learning Institutions: A Case Study of the Catholic University of Eastern Africa - Kenya

Okibo

Ochiche²

2014

International Journal of Management Excellence

View full text Add to dashboard Cite

show abstract

Development of Kernel Mode RAM Driver for RAM Image on Windows

Süzen

Taşdelen

Küçüksille

2019

Süleyman Demirel Üniversitesi Fen Bilimleri Enstitüsü Dergisi

View full text Add to dashboard Cite

In the field of computer forensics live analysis through immediate intervention is an important way of gathering electronic evidence. The way to obtain evidence from volatile data using live analysis is to take an image of the RAM (Random Access Memory). The entire RAM has to be copied in order to import data from this image. However, since the user mode is the default mode in Windows operating systems only the running processes can be accessed. Therefore, RAM imaging software needs to work at Kernel Mode level. In this study, a RAM driver was developed using WDK (Window Driver Kit) to enable RAM imaging software to run in Kernel Mode. The developed driver works on Windows 8, 8.1 and 10 (32 bit and 64 bit) operating systems. Virtual addresses, physical addresses and table pages for RAM can be accessed using the developed RAM driver. In this way, image acquisition software using this driver is able to carry out bit-to-bit copying of RAM. In addition, a program to import a RAM image in c ++ using this driver has also been developed. When the image retrieval software is installed in RAM it occupies a meager 156 KB of space. Compared to the existing image acquisition software, the developed RAM driver and software seem to use the least RAM. In addition, there are no examples of Kernel Mode RAM Drivers developed using WDK in the literature. Windows'da RAM İmajı için Kernel Mode RAM SürücüsüAnahtar Kelimeler C++, Çekirdek mod sürücü, Hafıza adli bilişimi, RAM mimarisi Özet: Adli bilişim alanındaki elektronik delil etme sürecinde, ilk müdahale ile canlı analiz önemli bir yer tutmaktadır. Canlı analiz ile uçucu verilerden delil elde etme, RAM (Random Access Memory) 'in imajı alınarak gerçekleştirilir. Alınan imajdan veri kazımak için RAM' in tamamının kopyalanması gerekmektedir. Fakat Windows işletim sisteminde default olarak User-Mode kullanıldığı için sadece çalışan process'lere erişilebilmektedir. Bu nedenle RAM imajı yazılımlarının Kernel-Mode seviyesinde çalışması gerekmektedir. Bu çalışmada, RAM imajı yazılımlarının Kernel-Mode'da çalışabilmesi için WDK (Window Driver Kit) ile RAM sürücüsü geliştirilmiştir. Geliştirilen sürücü, Windows 8, 8.1 ve 10 (32 bit ve 64 bit) işletim sistemlerinde çalışmaktadır. Geliştirilen RAM sürücü aracılığıyla RAM'in sanal adreslerine, fiziksel adreslerine ve tablo sayfalarına erişilebilmektedir. Böylece sürücüyü kullanan imaj alma yazılımların, RAM'i bit-tobit kopyalamasına imkân sağlanmaktadır. Ayrıca, bu sürücü kullanarak c++ dilinde bir ram imajı alma programı geliştirilmiştir. İmaj alma yazılımı RAM'e yüklendiğinde 156 KB'lık yer kaplamaktadır. Geliştirilen RAM sürücüsü ve yazılımının, imaj alma yazılımları arasında RAM'ı en az kullandığı görülmektedir. Ayrıca literatürde WDK ile geliştirilen Kernel Mode RAM sürücüsü hakkında çalışma bulunmamaktadır.

show abstract

Computer and Network Forensics

Cited by 3 publications

References 0 publications

A Comprehensive Review on Adaptability of Network Forensics Frameworks for Mobile Cloud Computing

A Comprehensive Review on Adaptability of Network Forensics Frameworks for Mobile Cloud Computing

Challenges Facing Information Systems Security Management in Higher Learning Institutions: A Case Study of the Catholic University of Eastern Africa - Kenya

Development of Kernel Mode RAM Driver for RAM Image on Windows

Contact Info

Product

Resources

About