Commenced in January 2007
Paper Count: 30528
Hybrid Approach for Memory Analysis in Windows System
Abstract:Random Access Memory (RAM) is an important device in computer system. It can represent the snapshot on how the computer has been used by the user. With the growth of its importance, the computer memory has been an issue that has been discussed in digital forensics. A number of tools have been developed to retrieve the information from the memory. However, most of the tools have their limitation in the ability of retrieving the important information from the computer memory. Hence, this paper is aimed to discuss the limitation and the setback for two main techniques such as process signature search and process enumeration. Then, a new hybrid approach will be presented to minimize the setback in both individual techniques. This new approach combines both techniques with the purpose to retrieve the information from the process block and other objects in the computer memory. Nevertheless, the basic theory in address translation for x86 platforms will be demonstrated in this paper.
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1075617Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1563
 Krone, T., 2005. "High Tech Crime Brief". (Book style). Australian Institute of Criminology. Canberra, Australia. ISSN 1832-3413. 2005.
 US-Cert, government organization, "Computer Forensic", (published report). USA, 2008
 RSA, "The current state of cybercrime and what to expect in 2012", (published report) USA, 2012.
 Hill, C.E., "What is the Definition of Digital Forensics? ", in eHow, How to do just about everything(Unpublished work sytle). Unpublished
 DFRWS." Memparser Analysis Tool by Chris Betz".(Unpublished work sytle). Unpublished
 DFRWS. "Kntlist Analysis Tool by George M. Garner Jr." . (Unpublished work sytle). unpublished
 Jesee, K., "Using every part of the buffalo in Windows memory analysis(Published Journal style)". Journal Digital Investigation, vol 4: pp. 24-29, 2007.
 Dhamdhere, D.M., "Operating Systems: A Concept based Approach."(Book style) 1 ed., McGrawHill, 2009.
 Russinovich, M.E., D.A. Solomon, and A. Ionescu, "Windows®Internals Covering Windows Server® 2008 and Windows Vista®" (Book style). J. Pierce, Editor., Microsoft Press, 2009.
 Amari, K., "Techniques and Tools for Recovering and Analyzing Data from Volatile Memory"(unpublished work style), SANS Institute, 2009.
 Carrier, B.G., J.," A Hardware Based Memory Acquisition Procedure for Digital Investigations". (Published Journals style). Journal of Digital Investigation, 2004, March.
 Schuster, A., "Searching for processes and threads in Microsoft Windows memory dump"(Published Journal style).Journal Digital Investigation, vol 3, pp. 10-16, 2006.
 Dolan-Gavitt, B.," The VAD tree: A process eye view of physical memory"(Published Journal style).Journal Digital Investigation, pp. s62- s64, 2007
 Khairul A.Z, Ahmad K.M, Jafreezal J.," Investigating the PROCESS block for memory analysis( Published Conference Proceedings style)," ", in ACS-11 proc, WSEAS Conf, pp 21-29, 2011
 Garfinkel, T., Pfaff, B., Chow, J., & Rosenblum, M. "lifetime is a systems problem (Published Conference Proceedings style)," In Proc of the ACM SIGOPS European Workshop, ACM, 2004
 Stevens, D."XORSearch", (unpublished work style).2007, January 30.
 AccessData Corporation, " Importance of memory Search and Analysis" (Published White Paper) Lindon, UT, 2006.
 Burdach, M. "An Introduction to Windows memory forensic"(unpublished work style). Unpublished.
 Ruichao Zhang, L. W., Shuhui Zhang. "Windows Memory Analysis Based on KPC"( Published Conference Proceedings sytle) . In Proc of the 2009 Fifth International Conference on Information Assurance and Security, IEEE, Xi'An China.
 S. M. Hejazi, C. T., M. Debbabi "Extraction of forensically sensitive information from windows physical memory".(Published Journal Style) Journal d i g i t a l i n v e s t i g a t i o n vol 6, pp.S 1 2 1 - S 1 3 1, 2009
 Schuster, A." PTFinder". 2006.(Unpnlished work style).unpublished.
 Khairul A.Z, Ahmad K.M, Jafreezal J, S Shamsuddin, "Process Block Tree (PBT) for Windows Operating System (Published Conference Proceedings style),"", in ICCEMS 2012 proc, ICCEMS Conf, pp121- 128.
 DFWRS, "Windows Memory Challenge", (Online Workshop/Conference page) 2005.
 Jesse K, "Computer Forensics Reference Datasets", (Online Research data sets) CFReDs Project,ManTech, 2011.