Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 30528
Hybrid Approach for Memory Analysis in Windows System

Authors: Jafreezal Jaafar, Khairul Akram Zainol Ariffin, Ahmad Kamil Mahmood, Solahuddin Shamsuddin


Random Access Memory (RAM) is an important device in computer system. It can represent the snapshot on how the computer has been used by the user. With the growth of its importance, the computer memory has been an issue that has been discussed in digital forensics. A number of tools have been developed to retrieve the information from the memory. However, most of the tools have their limitation in the ability of retrieving the important information from the computer memory. Hence, this paper is aimed to discuss the limitation and the setback for two main techniques such as process signature search and process enumeration. Then, a new hybrid approach will be presented to minimize the setback in both individual techniques. This new approach combines both techniques with the purpose to retrieve the information from the process block and other objects in the computer memory. Nevertheless, the basic theory in address translation for x86 platforms will be demonstrated in this paper.

Keywords: Algorithms, Digital Forensics, memory analysis, Signature Search

Digital Object Identifier (DOI):

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1563


[1] Krone, T., 2005. "High Tech Crime Brief". (Book style). Australian Institute of Criminology. Canberra, Australia. ISSN 1832-3413. 2005.
[2] US-Cert, government organization, "Computer Forensic", (published report). USA, 2008
[3] RSA, "The current state of cybercrime and what to expect in 2012", (published report) USA, 2012.
[4] Hill, C.E., "What is the Definition of Digital Forensics? ", in eHow, How to do just about everything(Unpublished work sytle). Unpublished
[5] DFRWS." Memparser Analysis Tool by Chris Betz".(Unpublished work sytle). Unpublished
[6] DFRWS. "Kntlist Analysis Tool by George M. Garner Jr." . (Unpublished work sytle). unpublished
[7] Jesee, K., "Using every part of the buffalo in Windows memory analysis(Published Journal style)". Journal Digital Investigation, vol 4: pp. 24-29, 2007.
[8] Dhamdhere, D.M., "Operating Systems: A Concept based Approach."(Book style) 1 ed., McGrawHill, 2009.
[9] Russinovich, M.E., D.A. Solomon, and A. Ionescu, "Windows®Internals Covering Windows Server® 2008 and Windows Vista®" (Book style). J. Pierce, Editor., Microsoft Press, 2009.
[10] Amari, K., "Techniques and Tools for Recovering and Analyzing Data from Volatile Memory"(unpublished work style), SANS Institute, 2009.
[11] Carrier, B.G., J.," A Hardware Based Memory Acquisition Procedure for Digital Investigations". (Published Journals style). Journal of Digital Investigation, 2004, March.
[12] Schuster, A., "Searching for processes and threads in Microsoft Windows memory dump"(Published Journal style).Journal Digital Investigation, vol 3, pp. 10-16, 2006.
[13] Dolan-Gavitt, B.," The VAD tree: A process eye view of physical memory"(Published Journal style).Journal Digital Investigation, pp. s62- s64, 2007
[14] Khairul A.Z, Ahmad K.M, Jafreezal J.," Investigating the PROCESS block for memory analysis( Published Conference Proceedings style)," ", in ACS-11 proc, WSEAS Conf, pp 21-29, 2011
[15] Garfinkel, T., Pfaff, B., Chow, J., & Rosenblum, M. "lifetime is a systems problem (Published Conference Proceedings style)," In Proc of the ACM SIGOPS European Workshop, ACM, 2004
[16] Stevens, D."XORSearch", (unpublished work style).2007, January 30.
[17] AccessData Corporation, " Importance of memory Search and Analysis" (Published White Paper) Lindon, UT, 2006.
[18] Burdach, M. "An Introduction to Windows memory forensic"(unpublished work style). Unpublished.
[19] Ruichao Zhang, L. W., Shuhui Zhang. "Windows Memory Analysis Based on KPC"( Published Conference Proceedings sytle) . In Proc of the 2009 Fifth International Conference on Information Assurance and Security, IEEE, Xi'An China.
[20] S. M. Hejazi, C. T., M. Debbabi "Extraction of forensically sensitive information from windows physical memory".(Published Journal Style) Journal d i g i t a l i n v e s t i g a t i o n vol 6, pp.S 1 2 1 - S 1 3 1, 2009
[21] Schuster, A." PTFinder". 2006.(Unpnlished work style).unpublished.
[22] Khairul A.Z, Ahmad K.M, Jafreezal J, S Shamsuddin, "Process Block Tree (PBT) for Windows Operating System (Published Conference Proceedings style),"", in ICCEMS 2012 proc, ICCEMS Conf, pp121- 128.
[23] DFWRS, "Windows Memory Challenge", (Online Workshop/Conference page) 2005.
[24] Jesse K, "Computer Forensics Reference Datasets", (Online Research data sets) CFReDs Project,ManTech, 2011.