DocumentCode :
618419
Title :
Extraction of memory forensic artifacts from Windows 7 RAM image
Author :
Thomas, Stephan ; Sherly, K.K. ; Dija, S.
Author_Institution :
Dept. Of Comput. Sci., TocH Inst. of Sci. & Technol., Cochin, India
fYear :
2013
fDate :
11-12 April 2013
Firstpage :
937
Lastpage :
942
Abstract :
Memory forensics is a novel and fast-growing field in computer forensics, providing access to volatile information that is unavailable from a disk image. Memory forensics emerged when malware writers began reducing their footprint on the victim's hard disk and instead started storing crucial information within the machine's random access memory. Windows 7 is claimed to be the most secure version of Windows yet, which makes forensic investigation of it tedious. Identification of kernel variables and running processes, and extraction of process memory from a Windows 7 memory dump, are more difficult than with previous versions of Windows. This paper discusses various Windows kernel data structures and provides a methodology for extracting the list of running processes from 32-bit and 64-bit Windows 7 memory dumps. The paper also presents a method for recovering the process memory of running processes from a Windows 7 memory dump.
Keywords :
digital forensics; random-access storage; 32-bit Windows 7 memory dump; 64-bit Windows 7 memory dump; RAM image; disk image; hard disk; memory forensic artifacts; recovering process memory; running processes; windows kernel data structures; Computers; Conferences; Data mining; Forensics; Kernel; Random access memory; CR3 register; EPROCESS; KPCR; Memory Forensics; Windows 7;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information & Communication Technologies (ICT), 2013 IEEE Conference on
Conference_Location :
JeJu Island
Print_ISBN :
978-1-4673-5759-3
Type :
conf
DOI :
10.1109/CICT.2013.6558230
Filename :
6558230