Enhancement of Forensic Computing Investigations through Memory Forensic Techniques

Simon, Matthew; Slay, Jill

doi:10.1109/ares.2009.119

Cited by 15 publications

(7 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A theoretical discussion of RAM forensics tools, techniques and guidelines can be found in [4], [16] and [2]. The authors provide a comprehensive discussion of the way physical memory works in Windows and Linux operating systems as well as the types of data that can be extracted from physical memory.…”

Section: Literature Reviewmentioning

confidence: 99%

Analysis of Privacy of Private Browsing Mode through Memory Forensics

Ghafarian¹,

Hosseini²

2015

IJCA

View full text Add to dashboard Cite

Most popular web browsers support private browsing mode. It is claimed that private browsing mode protects privacy by leaving no trace of surfing activities behind. Yet it poses a great challenge to the computer forensics investigators who try to reconstruct the past browsing history, in case of any computer incidence. The aim of this research is to use volatile memory forensics methodologies and tools to examine the artifacts left in main memory after a private browsing session. To achieve this goal, it first presents a memory forensics framework that will help the investigators to effectively capture and analyze memory associated with private browsing with respect to incidence response. It then uses the framework to experimentally capture and analyze the memory, for its evidential potential related to private browsing using Firefox, Google Chrome, IE and Safari. We also report the degree of privacy offered by the browsers under study.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Analysis of Privacy of Private Browsing Mode through Memory Forensics

Ghafarian¹,

Hosseini²

2015

IJCA

View full text Add to dashboard Cite

show abstract

“…In addition, techniques to protect the privacy of users and confidentiality of user data, such as encryption and password protection, have also indirectly provided counter forensics means to technologically aware criminals. Therefore, conventional forensic methods are no longer adequate and more research efforts have been placed in live memory forensic analysis of computer systems (Carrier and Grand, 2004;Adelstein, 2006;Petroni et al, 2006;Schatz, 2007;Kiley et al, 2008;Simon and Slay, 2009) in recent years to complement or enhance the former methods.…”

Section: Introductionmentioning

confidence: 99%

Live memory forensics of mobile phones

Thing

Chang

2010

Digital Investigation

100

View full text Add to dashboard Cite

Volatile memoryMobile phones Android a b s t r a c tIn this paper, we proposed an automated system to perform a live memory forensic analysis for mobile phones. We investigated the dynamic behavior of the mobile phone's volatile memory, and the analysis is useful in real-time evidence acquisition analysis of communication based applications. Different communication scenarios with varying parameters were investigated. Our experimental results showed that outgoing messages (from the phone) have a higher persistency than the incoming messages. In our experiments, we consistently achieved a 100% evidence acquisition rate with the outgoing messages. For the incoming messages, the acquisition rates ranged from 75.6% to 100%, considering a wide range of varying parameters in different scenarios. Hence, in a more realistic scenario where the parties may occasionally take turns to send messages and consecutively send a few messages, our acquisition can capture most of the data to facilitate further detailed forensic investigation.

show abstract

“…Because memory contains a large number of computer operation information, such as running process, loading module and link library, user name and password, email address and web site, each process open files, etc [9][10][11][12][13][14][15][16][17][18][19]. Memory forensics is particularly important, because the system of physical memory contains lots of useful information, such as running process, when created, by whom created and the process have what special activities, the status of the system network, the user information, etc.…”

Section: Introductionmentioning

confidence: 99%

Memory dump and forensic analysis based on virtual machine

Liu¹,

Wang²,

Shuhui³

et al. 2014

2014 IEEE International Conference on Mechatronics and Automation

View full text Add to dashboard Cite

A memory dump and forensic analysis algorithm is proposed based on virtual machine in the paper, including the virtual machine process search module, virtual machine memory dump module and virtual machine memory forensics analysis modules. First of all, the virtual machine process search module by traversal searching all the running processes in system, according to the process owner user to identify the process of the virtual machine. And then, using the virtual machine memory dump module to dump the memory of the virtual machine process and the memory files is occupied. Finally, using the memory forensics analysis module to analyze accessed memory files, obtain evidence of the virtual machine information, such as process information, network information, user information, etc. This method can neither rewriting memory of the virtual machine and the system, ensure the integrity and efficiency of the virtual machine memory and forensic analysis, at the same time the dump memory files can be repeated analysis, guarantee the credibility of forensic results.

show abstract

Enhancement of Forensic Computing Investigations through Memory Forensic Techniques

Cited by 15 publications

References 15 publications

Analysis of Privacy of Private Browsing Mode through Memory Forensics

Analysis of Privacy of Private Browsing Mode through Memory Forensics

Live memory forensics of mobile phones

Memory dump and forensic analysis based on virtual machine

Contact Info

Product

Resources

About