Accession Number:

ADA586915

Title:

A Forensically Robust Memory Image Acquisition Protocol Based on Windows Memory Analysis

Descriptive Note:

Related material

Corporate Author:

POLYTECHNIC UNIV OF PUERTO RICO SAN JUAN

Personal Author(s):

Report Date:

2012-04-20

Pagination or Media Count:

17.0

Abstract:

Collecting a forensically sound memory image from a live system increases the effectiveness of the forensic investigation by providing analysts with enhanced data and context to extend the knowledge obtained from long-term storage devices. More, and better, data will most likely deliver better and more robust conclusions. Enhanced understanding leads to better policy development and application. Why is it important?

  • Capability to inspect disks protected by whole-disk encryption.
  • Recover passwords for files, folders, etc. without resorting to brute-force methods.
  • Obtain up-to-date data on active processes.
  • Provide analysts with the capability to extract more information from the system by providing context to the swap disk area.
  • Obtain active and closing network connections.

Subject Categories:

  • Computer Programming and Software
  • Computer Hardware

Distribution Statement:

APPROVED FOR PUBLIC RELEASE