Abstract
Collecting and analyzing volatile memory data is one of the core components of live forensics. Since dynamic analysis of memory is not possible, most live forensic approaches focus on analyzing a single snapshot of a memory dump. Analyzing a single memory dump raises questions about evidence reliability; consequently, a natural extension is to study data from multiple memory dumps. It is also important to differentiate static data from dynamic data in the memory dumps; this enables investigators to link evidence based on memory structures and to determine whether the evidence is found in a consistent area or in a dynamic memory buffer, providing greater confidence in the reliability of the evidence. This paper proposes an indexing data structure for analyzing pages from multiple memory dumps in order to identify static and dynamic pages.
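The abstract describes the idea of indexing pages across several memory dumps to tell static pages from dynamic ones but, being an abstract, gives no structure. The following is an added illustration written for this page, not the authors' data structure: it splits each dump into fixed-size pages, hashes them with SHA-256, and keeps two indexes (by page offset and by content hash) so that a page can be classified as static if its content is identical in every dump, or dynamic otherwise, and so that an artifact found in one dump can be located in the others. The `PageIndex` class, the 16-byte page size and the three sample "dumps" are constructed for the example; a real image would use 4096-byte pages.

```python
import hashlib
from collections import defaultdict

# Constructed page size for the sample; real x86 dumps use 4096-byte pages.
PAGE_SIZE = 16


def split_pages(dump: bytes, page_size: int = PAGE_SIZE):
    """Split a raw memory image into fixed-size pages (last page zero-padded)."""
    pages = []
    for off in range(0, len(dump), page_size):
        pages.append(dump[off:off + page_size].ljust(page_size, b"\x00"))
    return pages


def page_hash(page: bytes) -> str:
    """Content identifier for one page."""
    return hashlib.sha256(page).hexdigest()


class PageIndex:
    """Hypothetical index of page hashes over a sequence of memory dumps.

    by_offset[page_no] -> list of hashes, one per dump, in acquisition order
    by_hash[hash]      -> list of (dump_no, page_no) where that content appears
    """

    def __init__(self, page_size: int = PAGE_SIZE):
        self.page_size = page_size
        self.by_offset = defaultdict(list)
        self.by_hash = defaultdict(list)
        self.dump_count = 0

    def add_dump(self, dump: bytes) -> None:
        """Index one dump; dumps must be added in the order they were acquired."""
        dump_no = self.dump_count
        for page_no, page in enumerate(split_pages(dump, self.page_size)):
            h = page_hash(page)
            self.by_offset[page_no].append(h)
            self.by_hash[h].append((dump_no, page_no))
        self.dump_count += 1

    def change_count(self, page_no: int) -> int:
        """Number of times the page's content changed between consecutive dumps."""
        hashes = self.by_offset[page_no]
        return sum(1 for a, b in zip(hashes, hashes[1:]) if a != b)

    def classify(self) -> dict:
        """Map page_no -> 'static' or 'dynamic'.

        A page is static only if it is present in every dump with identical
        content. A page missing from a shorter dump is treated as dynamic
        rather than silently ignored, so the investigator sees the gap.
        """
        result = {}
        for page_no, hashes in self.by_offset.items():
            if len(hashes) == self.dump_count and len(set(hashes)) == 1:
                result[page_no] = "static"
            else:
                result[page_no] = "dynamic"
        return result

    def locate(self, content: bytes) -> list:
        """All (dump_no, page_no) where a given page content occurs.

        Lets an investigator check whether an artifact seen in one dump
        also exists in the others and whether it stayed at the same offset.
        """
        key = page_hash(content.ljust(self.page_size, b"\x00"))
        return list(self.by_hash.get(key, []))


def build_sample_index() -> PageIndex:
    """Build an index from three constructed dumps: page 0 and page 2 never
    change, page 1 holds a counter that advances between acquisitions."""
    static0 = b"STATIC-PAGE-0000"
    static2 = b"CONST-STRING-XYZ"
    dumps = [
        static0 + b"COUNTER=00000001" + static2,
        static0 + b"COUNTER=00000002" + static2,
        static0 + b"COUNTER=00000003" + static2,
    ]
    idx = PageIndex()
    for d in dumps:
        idx.add_dump(d)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    for page_no, kind in sorted(idx.classify().items()):
        print(f"page {page_no}: {kind} (changes={idx.change_count(page_no)})")
    print("STATIC-PAGE-0000 found at", idx.locate(b"STATIC-PAGE-0000"))
```

The offset index answers the paper's question (is this region stable across acquisitions?), while the hash index answers the complementary one (did this exact content appear anywhere else, possibly after being moved by the allocator?). Evidence recovered from a page that both indexes report as static in every dump deserves more confidence than a string carved from a page whose hash differs in each acquisition.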
© 2010 International Federation for Information Processing
Law, F. et al. (2010). Identifying Volatile Data from Multiple Memory Dumps in Live Forensics. In: Chow, KP., Shenoi, S. (eds) Advances in Digital Forensics VI. DigitalForensics 2010. IFIP Advances in Information and Communication Technology, vol 337. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15506-2_13
DOI: https://doi.org/10.1007/978-3-642-15506-2_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15505-5
Online ISBN: 978-3-642-15506-2
eBook Packages: Computer Science (R0)