Volatile Internet evidence extraction from Windows systems

Joseph, Neethu; Sunny, Sherina; Dija, S; Thomas, K. L.

doi:10.1109/iccic.2014.7238452

Cited by 13 publications

(6 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…First, we contribute to the field of memory artefact identification by providing regular expression patterns that can be used to identify different types of memory artefacts generated by various applications, namely, Chrome, Tor, Filezilla, Skype, Wickr, Libre Writer and Microsoft's Notepad. MemTri, also confirms the regular expressions patterns designed by [27,10] to locate browser memory artefacts generated by visiting websites and performing Google search engine queries. Furthermore, we developed our regular expression patterns in such a way that will enable us to successfully capture other kinds of browser artefacts such as those generated when a file is downloaded.…”

Section: Summary Of Contributionsmentioning

confidence: 76%

“…This approach was mainly inspired by [10,27,28] which showed that intuitive evidence artefacts can be retrieved by simply searching for ASCII/Unicode data patterns generated by specific applications. The first step in the operation of the ESE is to identify the running processes within the memory image that match the target applications mentioned earlier.…”

Section: System Model and Preliminariesmentioning

confidence: 99%

“…The absence of such memory forensics tools is considered as an obstacle that prevents investigators from effectively analyzing digital devices. This is mainly due to the fact that various research has shown that memory can contain critical evidence such as internet browsing data, network traffic, malware, passwords, cryptographic keys and decrypted content, some of which may never be stored to disk [8,10]. A possible reason for the apparent low research in developing crime classification triage tools for memory forensics is due to the complexity in analyzing operating system (OS) memory structures, which is still a fairly adolescent area of research.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

MemTri

Michalas

Murray

2017

Proceedings of the 2017 International Workshop on Managing Insider Security Threats

View full text Add to dashboard Cite

This work explores the development of MemTri. A memory forensics triage tool that can assess the likelihood of criminal activity in a memory image, based on evidence data artefacts generated by several applications. Fictitious illegal suspect activity scenarios were performed on virtual machines to generate 60 test memory images for input into MemTri. Four categories of applications (i.e. Internet Browsers, Instant Messengers, FTP Client and Document Processors) are examined for data artefacts located through the use of regular expressions. These identified data artefacts are then analysed using a Bayesian Network, to assess the likelihood that a seized memory image contained evidence of illegal firearms trading activity. MemTri's normal mode of operation achieved a high artefact identification accuracy performance of 95.7% when the applications' processes were running. However, this fell significantly to 60% as applications processes' were terminated. To explore improving MemTri's accuracy performance, a second mode was developed, which achieved more stable results of around 80% accuracy, even after applications processes' were terminated.

show abstract

Section: Summary Of Contributionsmentioning

confidence: 76%

Section: System Model and Preliminariesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

MemTri

Michalas

Murray

2017

Proceedings of the 2017 International Workshop on Managing Insider Security Threats

View full text Add to dashboard Cite

show abstract

“…Live forensics dapat dilakukan ketika sistem belum mati atau down, karena hampir kesuluruhan penggunaan sistem tersimpan pada RAM, pagefile, hibernation file dan crash dump file [5] [6]. Tujuan pentingnya analisis data pada RAM, yaitu dapat mengetahui letak data tersebut dan isi data tersebut.…”

Section: Landasan Teoriunclassified

Analisis Live Forensics Untuk Perbandingan Kemananan Email Pada Sistem Operasi Proprietary

2016

View full text Add to dashboard Cite

Email menjadi salah satu media untuk berkomunikasi dan bisa menyimpan bukti kejahatan, saat ini telah banyak kejahatan yang terjadi melalui media ini. Digital forensics merupakan salah satu ilmu untuk menemukan barang bukti termasuk email sebagai bukti digital. Analisis digital forensik terbagi menjadi dua, yaitu tradisional / dead dan live forensics. Analisis forensics tekni digital tradisional menyangkut data yang disimpan secara permanen di perangkat, sedangkan analisis live forensics yaitu analisis menyangkut data sementara yang disimpan dalam peralatan atau transit di jaringan. jurnal ini mengusulkan analisis forensics live di sistem operasi terbaru yaitu Windows 10. Studi kasus berfokus pada kemanan beberapa email seperti Gmail, Yahoo dan Outlook dan beberapa browser secara umum seperti Google Chrome, Mozilla Firefox, dan Microsoft Edge. Hasil Eksperimen penelitian ini yaitu masing-masing penyedia email menambahkan fitur tersendiri demi keamanan user.

show abstract

“…Live forensics can be performed if the system on the computer does not die because almost all of the system usage is stored in RAM, Page files, hibernation files and dump crash files [16] [17]. Information that can be found on RAM such as running processes, information about executable files, Registry Key, information about network activity, drivers used, user logins, passwords and cryptographic keys, hidden processes and data, malware, temporary data, portable applications Application Which is not installed on the computer itself but only runs), DLL and many other important information [18].…”

mentioning

confidence: 99%

Experimental Analysis of Web Browser Sessions Using Live Forensics Method

Umar

Yudhana

Faiz

2018

IJECE

View full text Add to dashboard Cite

<span>In today's digital era almost every aspect of life requires the internet, one way to access the internet is through a web browser. For security reasons, one developed is private mode. Unfortunately, some users using this feature do it for cybercrime. The use of this feature is to minimize the discovery of digital evidence. The standard investigative techniques of NIST need to be developed to uncover an ever-varied cybercrime. Live Forensics is an investigative development model for obtaining evidence of computer usage. This research provides a solution in forensic investigation effectively and efficiently by using live forensics. This paper proposes a framework for web browser analysis. Live Forensics allows investigators to obtain data from RAM that contains computer usage sessions. </span>

show abstract

Volatile Internet evidence extraction from Windows systems

Cited by 13 publications

References 6 publications

MemTri

MemTri

Analisis Live Forensics Untuk Perbandingan Kemananan Email Pada Sistem Operasi Proprietary

Experimental Analysis of Web Browser Sessions Using Live Forensics Method

Contact Info

Product

Resources

About