Offline Forensic Analysis Of Microsoft Windows XP Physical Memory
Abstract
The rise of cyber crimes combined with the recent use of computer viruses and malicious programs that reside only in volatile main memory demand further development of appropriate forensic tools. Existing forensic tools that analyze non-volatile memory are not capable of analyzing volatile memory and the few tools that are capable of detailed analysis of volatile memory are not openly available to the public. In this thesis, an open source tool is developed to analyze images of physical memory originating from the Windows XP and Windows 2003 Server operating systems. The tool, named Windows Physical Memory Offline Analyzer (WPMOA), scans the memory image and, utilizing input from the user, extracts relevant data from the various structures maintained by the Windows operating system. The WPMOA program automatically generates reports about the image and provides key information necessary for a user to perform additional manual investigation of the image beyond what is done automatically. This thesis details instructions on the preparation and use of the program, initial testing results of the program with actual physical memory images, and C language code for the program itself.
Document Details
- Document Type
- Technical Report
- Publication Date
- Sep 01, 2006
- Accession Number
- ADA457305
Entities
People
- John S. Schultz
Organizations
- Naval Postgraduate School