Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis

Abstract

People responsible for computer security incident response and digital forensic examination need to continually update their skills, tools, and knowledge to keep pace with changing technology. No longer able to simply unplug a computer and evaluate it later, examiners must know how to capture an image of the running system's memory and perform volatile memory analysis using various tools, such as PsList, ListDLLs, Handle, Netstat, FPort, Userdump, Strings, and PsLoggedOn. This paper presents a live response scenario and compares various approaches and tools used to capture and analyze evidence from computer memory.
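The comparison the report's title refers to, live response versus memory image analysis, comes down to lining up what tools run on the live host reported against what is later recovered from the memory image. The following is an added example, not code from the report or from its authors: it parses a PsList-style process listing taken during live response, parses a process table walked out of a memory image, and reports the discrepancies a practitioner looks for. The PsList text is a constructed sample in the column layout PsList prints; the memory-image table is a constructed, tool-neutral "pid name ppid" listing and does not follow any particular analysis framework's output format. Process names and PIDs are invented for illustration.

```python
"""Cross-view comparison: live-response process list vs. memory-image process list.

Added example, not code from the report. Both inputs below are constructed
samples: PSLIST_LIVE mimics the layout Sysinternals PsList prints on a live
host; MEMORY_IMAGE_PROCS is a hypothetical, tool-neutral table of processes
recovered from a memory image captured right after the live tools ran.
"""
import re

# Constructed sample: output of PsList run on the live host during response.
PSLIST_LIVE = """\
pslist v1.29 - Sysinternals PsList
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

Process information for VICTIM-PC:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     0:47:32.109     0:00:00.000
System                4   8  85  580      0     0:00:09.937     0:48:02.875
smss                380  11   3   19    168     0:00:00.031     0:47:58.187
csrss               604  13  12  420   1780     0:00:00.515     0:47:57.000
winlogon            628  13  19  520   7200     0:00:00.140     0:47:56.812
services            672   9  16  270   1700     0:00:00.343     0:47:56.640
lsass               684   9  21  340   3700     0:00:00.203     0:47:56.625
explorer           1588   8  14  420  11900     0:00:02.203     0:47:40.015
notepad            1900   8   1   48   1200     0:00:00.015     0:00:12.500
calc               1960   8   1   40    980     0:00:00.015     0:00:08.250
pslist             2012  13   2   92   1060     0:00:00.046     0:00:00.062
"""

# Constructed sample (hypothetical format): processes recovered from the image.
MEMORY_IMAGE_PROCS = """\
pid  name      ppid
0    Idle      0
4    System    0
380  smss      4
604  csrss     380
628  winlogon  380
672  services  628
684  lsass     628
1588 explorer  1540
1724 svch0st   1588
1960 cmd       1588
2012 pslist    1588
"""

# Tools named in the abstract; their own processes are responder footprint.
RESPONDER_TOOLS = {"pslist", "listdlls", "handle", "netstat", "fport",
                   "userdump", "strings", "psloggedon"}


def parse_pslist(text):
    """Return {pid: name} from PsList output, skipping the banner lines."""
    procs = {}
    in_table = False
    for line in text.splitlines():
        if not in_table:
            # The column header is the first line starting with "Name".
            in_table = line.startswith("Name") and "Pid" in line
            continue
        m = re.match(r"^(\S+)\s+(\d+)\s", line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def parse_image_procs(text):
    """Return {pid: (name, ppid)} from the constructed 'pid name ppid' table."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 3:
            procs[int(parts[0])] = (parts[1], int(parts[2]))
    return procs


def cross_view(live, image, tools=RESPONDER_TOOLS):
    """Report how the live view and the memory-image view disagree.

    hidden_candidates: in the image but never shown to the live tool (what a
      process-hiding rootkit looks like, or a process that started after the
      live tool ran).
    live_only: shown live but absent from the image (exited before capture).
    name_mismatch: same PID, different name (PID reuse between snapshots,
      or a live view that was lied to).
    responder_footprint: the examiner's own tools, which must be documented
      because running them changed the system being examined.
    """
    live_pids, image_pids = set(live), set(image)
    return {
        "hidden_candidates": sorted((p, *image[p]) for p in image_pids - live_pids),
        "live_only": sorted((p, live[p]) for p in live_pids - image_pids),
        "name_mismatch": sorted((p, live[p], image[p][0])
                                for p in live_pids & image_pids
                                if live[p].lower() != image[p][0].lower()),
        "responder_footprint": sorted((p, live[p]) for p in live_pids
                                      if live[p].lower() in tools),
    }


if __name__ == "__main__":
    report = cross_view(parse_pslist(PSLIST_LIVE), parse_image_procs(MEMORY_IMAGE_PROCS))
    for category, entries in report.items():
        print(f"{category}: {entries}")
```

On the constructed data the image-only entry is the process the live tool never saw, the live-only entry is a process that exited between the two collections, and the PID 1960 disagreement shows why a PID alone is not a stable identifier across the two views. Note that pslist itself appears in both views: every live-response tool becomes part of the evidence, which is the trade-off the report's comparison is about.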

Document Details

Document Type
Technical Report
Publication Date
Aug 01, 2008
Accession Number
ADA488423

Entities

People

  • Cal Waits
  • Joseph A. Akinyele
  • Larry Rogers
  • Richard Nolan

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Biomedical
  • Cyber

DTIC Thesaurus Topics

  • Acquisition
  • Computational Forensics
  • Computers
  • Copyrights
  • Cybersecurity
  • Department Of Defense
  • Directories
  • Engineering
  • First Responders
  • Governments
  • Guarantees
  • Intellectual Property
  • Law
  • Medical Personnel
  • Operating Systems
  • Security
  • Software Development

Fields of Study

  • Computer science

Readers

  • Brain and Cognitive Science; Experimental Psychology; Cognitive Neuroscience
  • Database Systems and Applications
  • Systems Analysis and Design

Technology Areas

  • Cyber