Forensic analysis of Windows' virtual memory incorporating the system's page-file
Stimson, Jared M.
Eagle, Chris S.
Dinolt, George W.
Computer forensics is concerned with the use of computer investigation and analysis techniques to collect evidence suitable for presentation in court. The examination of volatile memory is a relatively new but important area in computer forensics. Criminals are becoming more forensically aware and are now able to compromise computers without accessing the hard disk of the target computer. This means that the traditional incident response practice of pulling the plug will destroy the only evidence of the crime. While some techniques are available for acquiring the contents of main memory, few exist that can analyze these data in a meaningful way. One reason for this is how memory is managed by the operating system. Data belonging to one process can be distributed arbitrarily across physical memory or the hard disk, making it very difficult to recover useful information. This report focuses on how these disparate sources of information can be combined to give a single, contiguous address space for each process. Using address translation, a tool is developed to reconstruct the virtual address space of a process by combining a physical memory dump with the page-file on the hard disk.
Stimson, Jared M. (Monterey, California. Naval Postgraduate School, 2008-12)