Windows live memory analysis tool with timeframe network repository handling
| Field | Value |
|---|---|
| Main Authors | |
| Format | text |
| Language | English |
| Published | Animo Repository, 2014 |
| Online Access | https://animorepository.dlsu.edu.ph/etd_bachelors/12123 |
| Institution | De La Salle University |
Summary: Forensic analysis is more often performed on non-volatile storage than on volatile memory. Traditional forensic analysis examines the persistent data preserved on non-volatile storage, which is important for reconstructing the state of the system. Live analysis instead deals with a currently running system and obtains data on its present state from volatile memory. Much of the data visible in volatile memory cannot be found on common storage devices such as the hard drive: running and terminated processes, registry information, user domain account credentials, browser history, and other sensitive information. Malicious processes also reside in memory and can be detected through signature-based detection using a YARA scan. These data are potential pieces of evidence in a forensic investigation and can be retrieved by dumping the memory and storing it in a memory dump file. The system extracts this data from machines with memory sizes ranging from 1 GB to 8 GB. The resulting processing times show that as memory size increases, the time needed to process and extract its contents increases as well. Since the extraction starves the system of resources, a dump time interval equal to the sum of the processing times of each machine in the network is recommended.
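The dump-interval recommendation in the summary, as an added worked example (this is not code from the thesis or from the Animo Repository): given each machine's measured dump-and-extraction time, compute the recommended network-wide interval as their sum, check that the times grow with memory size as the summary reports, and lay the hosts out back-to-back within that interval so that only one host is being dumped at any moment. The host names, memory sizes and timings are constructed sample values, and the linear seconds-per-GB estimator for a not-yet-measured host is an assumption of this example, not a result from the thesis.

```python
"""Dump-interval scheduling for a network of Windows hosts.

Illustrative example added to this record; not the thesis's own code.
The summary recommends that the memory-dump interval for a network equal
the sum of the per-machine processing times, because dumping and
extraction starve the host. The host names and timings below are
constructed sample data (assumptions), standing in for the values a
repository would record from each host's previous run.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class HostTiming:
    host: str
    memory_gb: int          # physical RAM that gets dumped
    processing_s: float     # measured time to dump + extract, in seconds


# Constructed sample measurements (assumption), covering the 1 GB to 8 GB
# range the summary mentions.
SAMPLE_HOSTS: List[HostTiming] = [
    HostTiming("WS-01", 1, 95.0),
    HostTiming("WS-02", 2, 180.0),
    HostTiming("WS-03", 4, 360.0),
    HostTiming("WS-04", 8, 700.0),
]


def recommended_interval(hosts: List[HostTiming]) -> float:
    """Dump interval = sum of every host's processing time (the summary's
    recommendation): one full pass over the network fits in one interval."""
    return sum(h.processing_s for h in hosts)


def timings_monotonic_in_memory(hosts: List[HostTiming]) -> bool:
    """Sanity check on recorded data: processing time should not decrease
    as memory size grows. A violation suggests a bad measurement."""
    ordered = sorted(hosts, key=lambda h: h.memory_gb)
    return all(a.processing_s <= b.processing_s
               for a, b in zip(ordered, ordered[1:]))


def stagger_schedule(hosts: List[HostTiming]) -> Dict[str, Tuple[float, float]]:
    """Assign each host a (start, end) offset within one interval so dumps
    run back-to-back and never overlap. Largest memory goes first so the
    longest dump is not pushed to the end of the cycle."""
    schedule: Dict[str, Tuple[float, float]] = {}
    t = 0.0
    for h in sorted(hosts, key=lambda h: h.memory_gb, reverse=True):
        schedule[h.host] = (t, t + h.processing_s)
        t += h.processing_s
    return schedule


def schedule_is_non_overlapping(schedule: Dict[str, Tuple[float, float]]) -> bool:
    """True if no two dump windows overlap (at most one host starved at a time)."""
    windows = sorted(schedule.values())
    return all(prev_end <= next_start
               for (_, prev_end), (next_start, _) in zip(windows, windows[1:]))


def seconds_per_gb(hosts: List[HostTiming]) -> float:
    """Average throughput over the measured hosts (assumes roughly linear
    scaling, which is this example's simplification)."""
    total_gb = sum(h.memory_gb for h in hosts)
    return recommended_interval(hosts) / total_gb


def estimate_processing_s(hosts: List[HostTiming], memory_gb: int) -> float:
    """Rough estimate for a host that has not been measured yet, so it can
    be slotted into the interval before its first run."""
    return seconds_per_gb(hosts) * memory_gb


if __name__ == "__main__":
    interval = recommended_interval(SAMPLE_HOSTS)
    print(f"recommended dump interval: {interval:.0f} s")
    print("timings grow with memory:", timings_monotonic_in_memory(SAMPLE_HOSTS))
    for host, (start, end) in stagger_schedule(SAMPLE_HOSTS).items():
        print(f"  {host}: dump window {start:7.1f} s .. {end:7.1f} s")
    print(f"estimate for a new 16 GB host: "
          f"{estimate_processing_s(SAMPLE_HOSTS, 16):.0f} s")
```

A repository that collects the per-host times after every run can recompute the interval and schedule from fresh data, so a host whose dump slows down (more RAM added, heavier load) lengthens the next cycle instead of colliding with its neighbour.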