A Forensically Robust Memory Image Acquisition Protocol Based on Windows Memory Analysis

Abstract

Collecting a forensically sound memory image from a "live" system increases the effectiveness of the forensic investigation by providing analysts with enhanced data and context that extend the knowledge obtained from long-term storage devices.

  • More, and better, data will most likely deliver better and more robust conclusions.
  • Enhanced understanding leads to better policy development and application.

Why is it important?

  • Capability to inspect disks protected by whole-disk encryption.
  • Recover passwords for files, folders, etc. without resorting to "brute-force" methods.
  • Obtain "up-to-date" data on active processes.
  • Provide analysts with the capability to extract more information from the system by providing context to the "swap" disk area.
  • Obtain active (and "closing") network connections.

Document Details

Document Type
Technical Report
Publication Date
Apr 20, 2012
Accession Number
ADA586915

Entities

People

  • Jeff Duffany
  • Jose R. De La Cruz

Organizations

  • Polytechnic University of Puerto Rico

Tags

DTIC Thesaurus Topics

  • Abstracts
  • Acquisition
  • Computational Forensics
  • Computers
  • Cryptography
  • Electronic Messaging
  • Forensic Analysis
  • Information Operations
  • Instructions
  • Military Research
  • Mobile Devices
  • National Security
  • Networks
  • Puerto Rico
  • Real Estate
  • Websites

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Enterprise Information Systems Architecture and Joint Command Capability Interoperability Support.
  • Systems Analysis and Design