Windows live memory analysis tool with timeframe network repository handling

Forensic analysis is more often done on non-volatile memory than on volatile memory. Traditional forensic analysis examines the persistent data preserved in non-volatile storage, which is important for tracking the state of the system. Live analysis instead deals with a currently running system to obtain data on its present state, which is held in volatile memory. A great deal of data can be observed in volatile memory that cannot be seen on other common storage devices such as the hard drive; among these data are running and terminated processes, registry information, user domain account credentials, browser history, and other sensitive information. Malicious processes also reside in memory and can be detected through signature-based detection using a YARA scan. These data can be potential pieces of evidence for a forensic investigation and can be retrieved by dumping the memory and storing it in a memory dump file. All of this data is extracted by the system from memory sizes ranging from 1 GB to 8 GB. Based on the resulting processing times, it can be observed that as the size of memory increases, the time it takes to process and extract its contents increases as well. Since the extraction of data starves the system of resources, a dump time interval is recommended that is equal to the sum of the processing times of each machine in the network.

Bibliographic Details
Main Authors: Al Saadi, Sagger O., Dagoy, Ryan Michael G., Dizon, Farley A., Jr.
Format: text
Language: English
Published: Animo Repository 2014
Online Access: https://animorepository.dlsu.edu.ph/etd_bachelors/12123
Institution: De La Salle University
Library: De La Salle University Library
Collection: DLSU Institutional Repository
Country: Philippines