Extraction of memory forensic artifacts from windows 7 RAM image

Thomas, Sunu Ann; Sherly, K. K.; Dija, S

doi:10.1109/cict.2013.6558230

Cited by 23 publications

(6 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…(i) While we focus our backend implementation on Linux, NFM's applicability is not limited to a particular OS. Structure-offset extraction and VMI have been shown to work for Mac and Windows as well [5,8,34,44]. Also, their versions are few as compared to Linux, and change slowly.…”

Section: Exploiting Vm Statementioning

confidence: 99%

Non-intrusive, out-of-band and out-of-the-box systems monitoring in the cloud

Suneja

Isci

Bala

et al. 2014

The 2014 ACM International Conference on Measurement and Modeling of Computer Systems

View full text Add to dashboard Cite

The dramatic proliferation of virtual machines (VMs) in datacenters and the highly-dynamic and transient nature of VM provisioning has revolutionized datacenter operations. However, the management of these environments is still carried out using re-purposed versions of traditional agents, originally developed for managing physical systems, or most recently via newer virtualization-aware alternatives that require guest cooperation and accessibility. We show that these existing approaches are a poor match for monitoring and managing (virtual) systems in the cloud due to their dependence on guest cooperation and operational health, and their growing lifecycle management overheads in the cloud.In this work, we first present Near Field Monitoring (NFM), our non-intrusive, out-of-band cloud monitoring and analytics approach that is designed based on cloud operation principles and to address the limitations of existing techniques. NFM decouples system execution from monitoring and analytics functions by pushing monitoring out of the targets systems' scope. By leveraging and extending VM introspection techniques, our framework provides simple, standard interfaces to monitor running systems in the cloud that require no guest cooperation or modification, and have minimal effect on guest execution. By decoupling monitoring and analytics from target system context, NFM provides "always-on" monitoring, even when the target system is unresponsive. NFM also works "out-of-the-box" for any cloud instance as it eliminates any need for installing and maintaining agents or hooks in the monitored systems. We describe the end-toend implementation of our framework with two real-system prototypes based on two virtualization platforms. We discuss the new cloud analytics opportunities enabled by our decoupled execution, monitoring and analytics architecture. We present four applications that are built on top of our framework and show their use for across-time and acrosssystem analytics.

show abstract

Section: Exploiting Vm Statementioning

confidence: 99%

Non-intrusive, out-of-band and out-of-the-box systems monitoring in the cloud

Suneja

Isci

Bala

et al. 2014

The 2014 ACM International Conference on Measurement and Modeling of Computer Systems

View full text Add to dashboard Cite

show abstract

“…The second method is offline acquisition, which has the opposite advantages and disadvantages, but is more universal in a real environment. At present, there are tools [7,13,14] for offline acquisition, such as the dd and windd commands in Linux and Windows, respectively.…”

Section: Related Workmentioning

confidence: 99%

Computer forensic analysis model for the reconstruction of chain of evidence of volatile memory data

Wang

et al. 2015

Multimed Tools Appl

View full text Add to dashboard Cite

Digital forensic data from volatile system memory possesses the following distinctive features: volatility, transience, phased stability, complexity, relevance of collected data, and phased behavior predictability. We present a computer forensic analysis model (CERM) for the reconstruction of a chain of evidence of volatile memory data. CERM frees analysts from being confined to the traditional analysis approach of digital forensic data that requires single evidence-oriented analysis. In CERM, they can focus on higher abstract levels involving the relationships of independent pieces of evidence and analyze patterns to construct a chain of evidence from the perspective of Evidence Law. In addition to CERM, we have designed a correlation analysis algorithm based on time series. Experimental tests have been conducted to verify the established model and designed algorithm. The experimental result shows that CERM is feasible and efficient, thus providing a new analysis perspective for digital forensic data from volatile system memory.

show abstract

“…For this process the RAM has to be imaged to prepare a dump [11]. Then this dump has to be analyzed for recovery of evidence.…”

Section: Recovering and Analyzing Data From Volatile Memory: Tools And mentioning

confidence: 99%

Volatile Memory Forensics: A Legal Perspective

Mann¹,

Chhabra²

2016

IJCA

View full text Add to dashboard Cite

In today's world of fast changing technology where everything is governed by Internet directly or indirectly, the trend of crime has undergone a dramatic change over the past few years. Today, one can commit a crime with just a click of a button on laptop or computer and enjoy the garb of anonymity and impunity to a great extent. In such a scenario, it has become imperative to throw some light on the emerging issue of tackling cybercrimes in 21 st century. This paper describes the extraction and analysis of volatile data that is available in computer's RAM that is in a running state on windows operating systems and shows the utility of RAM in Computer Forensics that is often neglected while crime scenario with running system is encountered. Keeping in view this necessity, it is essential to consider the issues of digital evidence and their collection, preservation, and admissibility in the court of law.

show abstract

Extraction of memory forensic artifacts from windows 7 RAM image

Cited by 23 publications

References 1 publication

Non-intrusive, out-of-band and out-of-the-box systems monitoring in the cloud

Non-intrusive, out-of-band and out-of-the-box systems monitoring in the cloud

Computer forensic analysis model for the reconstruction of chain of evidence of volatile memory data

Volatile Memory Forensics: A Legal Perspective

Contact Info

Product

Resources

About