Extracting Forensic Artifacts from Windows O/S Memory

Abstract

Memory analysis is a rapidly growing area in both digital forensics and cyber situational awareness (SA). Memory provides the most accurate snapshot of what is occurring on a computer at a moment in time. By combining it with event and network logs as well as the files present on the filesystem, an analyst can re-create much of what has occurred and is occurring on a computer. The Compiled Memory Analysis Tool (CMAT) takes either a disk image of memory from a Windows operating system or an interface into a virtual machine running a Windows operating system and extracts forensic artifacts, including general system information, loaded system modules, the active processes, the files and registry keys accessed by those processes, the network connections established by the processes, the dynamic link libraries loaded by the processes, and the contents of the Windows clipboard. Operators and investigators can either take these artifacts and analyze them directly or use them as input into more complex cyber SA and digital forensics analysis tools.

Document Details

Document Type
Technical Report
Publication Date
Aug 30, 2011
Accession Number
ADA548397

Entities

People

  • Gilbert L. Peterson
  • James S. Okolica

Organizations

  • Air Force Institute of Technology

Tags

DTIC Thesaurus Topics

  • Air Force
  • Artifacts
  • Computer Programs
  • Computers
  • Databases
  • Debugging
  • Hash Tables
  • Intellectual Property
  • Language
  • Law
  • Lists (Data Structures)
  • Lymphocytes
  • Operating Systems
  • Standards
  • United States Government
  • User Interface
  • Virtual Machines

Fields of Study

  • Computer science

Readers

  • Computer Science/Computer Engineering/Data Science/Digital Signal Processing
  • Cybersecurity
  • Database Systems and Applications

Technology Areas

  • Cyber