Abstract
We propose an architecture that enables a forensic investigator to analyse and visualise a range of system-generated artifacts with both known and unknown data structures. The architecture is intended to facilitate the extraction and analysis of operating system artifacts while remaining extensible, flexible and reusable. The examples selected for this paper are the Windows event logs and the swap file. Event logs can reveal evidence of logons, authentication, account activity and privileged use, and can help answer which user accounts were in use and which machines were accessed. The swap file may contain fragments of data, remnants or entire documents, e-mail messages or the results of internet browsing, which may reveal past user activity. Issues in understanding and visualising artifact data structures are discussed and possible solutions are explored. We outline a proposed solution with three parts: an extraction component responsible for extracting data and preparing it for visualisation; a storage subsystem consisting of a database that holds all of the extracted data; and the interface, an integrated set of visualisation tools.
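The three layers the abstract describes (extraction, a shared database, a query/visualisation interface) can be sketched end to end on the two artifacts it names. The following is an added example written for this page, not code from Hashim and Sutherland's paper or from any tool it describes. The event records are constructed in the XML rendering that `wevtutil qe /f:xml` produces (a real EVTX file is binary XML and needs a dedicated parser first); event ID 4624 and its `TargetUserName`, `LogonType`, `WorkstationName` and `IpAddress` fields are genuine Security-log conventions, while the host names, account names, timestamps and the swap-file bytes are made up for illustration. The string-carving approach for the swap file is a simple stand-in for the paper's handling of artifacts with unknown structure, not its method.

```python
"""Extraction -> storage -> interface pipeline for two Windows artifacts.

Added example (not the paper's code). Sample event XML and swap bytes below
are constructed; only the 4624 event layout follows real Windows conventions.
"""
import re
import sqlite3
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: two Security-log records (interactive logon on WS01,
# then a network logon from WS01 to FS01) in the EVTX XML rendering.
EVENT_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>WS01.corp.example</Computer>
    <TimeCreated SystemTime="2010-09-14T08:01:22Z"/></System>
  <EventData><Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">2</Data><Data Name="WorkstationName">WS01</Data>
    <Data Name="IpAddress">-</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>FS01.corp.example</Computer>
    <TimeCreated SystemTime="2010-09-14T08:05:40Z"/></System>
  <EventData><Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">3</Data><Data Name="WorkstationName">WS01</Data>
    <Data Name="IpAddress">10.0.0.21</Data></EventData>
</Event>
</Events>"""

# Constructed sample standing in for a pagefile: an ASCII URL and a UTF-16LE
# e-mail address buried in binary filler.
SWAP_BYTES = (
    b"\x00\x11\x22MZ\x90\x00" * 6
    + b"http://intranet.example/reports/q3.doc"
    + b"\xff\xfe\x00\x00" * 5
    + "bob@example.com".encode("utf-16-le")
    + b"\x00" * 8
)


def parse_events(xml_text):
    """Extraction component for event logs: flatten each record to a dict."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "computer": system.findtext("e:Computer", namespaces=NS),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        }
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text          # one column per named field
        records.append(rec)
    return records


def carve_strings(blob, min_len=8):
    """Extraction component for the swap file: recover printable runs as ASCII
    and as UTF-16LE (how Windows keeps most in-memory text), each tagged with
    its byte offset so a finding can be located in the original image."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def build_store(events, fragments):
    """Storage subsystem: one SQLite database holding every extracted item."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE logon(time TEXT, computer TEXT, account TEXT,
                           logon_type INTEGER, workstation TEXT, ip TEXT);
        CREATE TABLE swap_fragment(offset INTEGER, encoding TEXT, text TEXT);
    """)
    conn.executemany(
        "INSERT INTO logon VALUES (?,?,?,?,?,?)",
        [(r["time"], r["computer"], r["TargetUserName"], int(r["LogonType"]),
          r["WorkstationName"], r["IpAddress"])
         for r in events if r["event_id"] == 4624])
    conn.executemany("INSERT INTO swap_fragment VALUES (?,?,?)", fragments)
    return conn


def logons_by_account(conn):
    """Interface layer: which accounts were used on which machines and how
    (logon type 2 = interactive, 3 = network)."""
    return conn.execute(
        "SELECT account, computer, logon_type, COUNT(*) FROM logon "
        "GROUP BY account, computer, logon_type ORDER BY account, computer"
    ).fetchall()


def fragments_matching(conn, like):
    """Interface layer: swap-file fragments matching a SQL LIKE pattern."""
    return conn.execute(
        "SELECT offset, text FROM swap_fragment WHERE text LIKE ? ORDER BY offset",
        (like,)).fetchall()


if __name__ == "__main__":
    db = build_store(parse_events(EVENT_XML), carve_strings(SWAP_BYTES))
    for row in logons_by_account(db):
        print("logon", row)
    for row in fragments_matching(db, "%@%"):
        print("swap", row)
```

Keeping both artifact types in one database is what makes the interface layer cross-artifact: the same `time`/`offset` keys can be joined or plotted together, and adding a third artifact means adding a parser and a table rather than a new tool. The carver deliberately records the encoding, because a UTF-16LE hit and an ASCII hit at the same offset are different evidence.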
© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Hashim, N., Sutherland, I. (2011). An Architecture for the Forensic Analysis of Windows System Artifacts. In: Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 53. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19513-6_10
DOI: https://doi.org/10.1007/978-3-642-19513-6_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19512-9
Online ISBN: 978-3-642-19513-6