An analysis of Linux RAM forensics
dc.contributor.advisor | Eagle, Christopher S. | |
dc.contributor.author | Urrea, Jorge Mario. | |
dc.date.accessioned | 2012-03-14T17:36:41Z | |
dc.date.available | 2012-03-14T17:36:41Z | |
dc.date.issued | 2006-03 | |
dc.identifier.uri | https://hdl.handle.net/10945/2933 | |
dc.description.abstract | During a forensic investigation of a computer system, the ability to retrieve volatile information can be of critical importance. The contents of RAM could reveal malicious code running on the system that has been deleted from the hard drive or, better yet, that was never resident on the hard drive at all. RAM can also provide the programs most recently run and files most recently opened in the system. However, due to the nature of modern operating systems, these programs and files are not typically stored contiguously-which makes most retrieval efforts of files larger than one page size futile. To date, analysis of RAM images has been largely restricted to searching for ASCII string content, which typically only yields text information such as document fragments, passwords or scripts. This thesis explores the memory management structures in a SUSE Linux system (kernel version 2.6.13-15) to make sense out of the chaos in RAM and facilitate the retrieval of files/programs larger than one page size. The analysis includes methods for incorporating swap space information for files that may not reside completely within physical memory. The results of this thesis will become the basis of later research efforts in RAM forensics. This includes the creation of tools that will provide forensic analysts with a clear map of what is resident in the volatile memory of a system. | en_US |
dc.description.uri | http://archive.org/details/annalysisoflinux109452933 | |
dc.format.extent | xiv, 73 p. : ill. ; | en_US |
dc.publisher | Monterey, California. Naval Postgraduate School | en_US |
dc.subject.lcsh | Computer science | en_US |
dc.subject.lcsh | Computer crimes | en_US |
dc.subject.lcsh | Information retrieval | en_US |
dc.subject.lcsh | Investigation | en_US |
dc.title | An analysis of Linux RAM forensics | en_US |
dc.type | Thesis | en_US |
dc.contributor.secondreader | Dinolt, George | |
dc.contributor.corporate | Naval Postgraduate School | |
dc.contributor.department | Department of Computer Science | |
dc.identifier.oclc | 66528049 | |
etd.thesisdegree.name | M.S. | en_US |
etd.thesisdegree.level | Masters | en_US |
etd.thesisdegree.discipline | Computer Science | en_US |
etd.thesisdegree.grantor | Naval Postgraduate School | en_US |
etd.verified | no | en_US |
dc.description.distributionstatement | Approved for public release; distribution is unlimited. |
Files in this item
This item appears in the following Collection(s)
-
1. Thesis and Dissertation Collection, all items
Publicly releasable NPS Theses, Dissertations, MBA Professional Reports, Joint Applied Projects, Systems Engineering Project Reports and other NPS degree-earning written works.