Windows live memory analysis tool with timeframe network repository handling


Bibliographic Details
Main Authors: Al Saadi, Sagger O., Dagoy, Ryan Michael G., Dizon, Farley A., Jr.
Format: text
Language:English
Published: Animo Repository 2014
Online Access:https://animorepository.dlsu.edu.ph/etd_bachelors/12123
Institution: De La Salle University
Description
Summary: Forensic analysis is more often performed on non-volatile storage than on volatile memory. Traditional forensic analysis examines the persistent data preserved in non-volatile storage, which is important for tracking the state of the system. Live analysis instead deals with a currently running system, obtaining data on its present state from volatile memory. Much of this data cannot be seen on other common storage devices such as the hard drive: running and terminated processes, registry information, user domain account credentials, browser history, and other sensitive information. Malicious processes also reside in memory and can be detected through signature-based detection using a YARA scan. These data are potential pieces of evidence for a forensic investigation and can be retrieved by dumping the memory and storing it in a memory dump file. The system extracts this data from machines with memory sizes ranging from 1 GB to 8 GB. The resulting processing times show that as the size of memory increases, the time taken to process and extract its contents increases as well. Since the extraction causes system starvation, a recommended dump time interval is suggested, equal to the sum of the processing times of each machine in the network.
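The two technical points of the abstract, as an added illustration that is not the thesis's tool or its code: a minimal signature matcher in the style of a YARA rule (a set of byte strings plus an any/all condition) run over a memory dump, and the recommended dump interval computed as the sum of each machine's processing time. The dump bytes, the rule patterns and the per-machine timings below are all constructed for the example and do not come from the thesis.

```python
"""Added example (not the thesis's code): YARA-style signature scan of a memory
dump and the abstract's dump-interval rule. All inputs are constructed."""
from dataclasses import dataclass


@dataclass
class Rule:
    """A reduced YARA-like rule: named byte strings and an 'any'/'all' condition."""
    name: str
    strings: dict            # identifier -> plain bytes pattern
    condition: str = "any"   # "any": at least one string hits; "all": every string hits


def find_all(haystack: bytes, needle: bytes) -> list:
    """Every offset (overlapping allowed) at which needle occurs in haystack."""
    offsets, start = [], 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan_dump(dump: bytes, rules: list) -> dict:
    """Return {rule_name: {identifier: [offsets]}} for each rule whose condition holds.

    Offsets are positions in the dump, which is what an analyst pivots on next
    (e.g. to find the owning process region)."""
    hits = {}
    for rule in rules:
        matches = {ident: offs for ident, pat in rule.strings.items()
                   if (offs := find_all(dump, pat))}
        if rule.condition == "all":
            satisfied = len(matches) == len(rule.strings)
        else:
            satisfied = bool(matches)
        if satisfied:
            hits[rule.name] = matches
    return hits


def recommended_dump_interval(processing_seconds: dict) -> float:
    """The abstract's recommendation: the interval between dumps equals the sum of
    the per-machine processing times, so no machine is starved by an overlapping
    extraction. Input is {machine_name: seconds}."""
    return float(sum(processing_seconds.values()))


# Constructed stand-in for a small memory dump: two copies of a beacon-style
# configuration blob and one encoded PowerShell command line among zero padding.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"notepad.exe" + b"\x00" * 8             # benign process name, offset 16
    + b"BEACON_CFG{host=10.0.0.5}" + b"\x00" * 4  # offset 35
    + b"powershell -enc " + b"\x00" * 8         # offset 64
    + b"BEACON_CFG{host=10.0.0.5}"              # offset 88
)

# Constructed rules; the pattern bytes are illustrative, not real malware signatures.
RULES = [
    Rule("beacon_config", {"$cfg": b"BEACON_CFG{"}),
    Rule("encoded_powershell", {"$ps": b"powershell -enc "}),
    Rule("both_required", {"$a": b"BEACON_CFG{", "$b": b"rundll32"}, condition="all"),
]

# Constructed per-machine processing times (seconds); the thesis reports its own
# measured values for 1 GB to 8 GB machines, which are not reproduced here.
PROCESSING_SECONDS = {"ws-01": 42.0, "ws-02": 71.5, "srv-01": 180.0}


if __name__ == "__main__":
    for name, matches in scan_dump(SAMPLE_DUMP, RULES).items():
        print(name, matches)
    print("dump interval (s):", recommended_dump_interval(PROCESSING_SECONDS))
```

The `both_required` rule shows why the condition matters: one of its strings is present in the dump, but with `condition="all"` it does not fire, which is the usual way to keep a single common substring from producing false positives. A real deployment would run an actual YARA engine over the dump; the matcher here only exists so the scan and the interval arithmetic can be followed in one place.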