Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis

Waits, Cal; Akinyele, Joseph A.; Nolan, Richard; Rogers, Larry

Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis

Active / Technical Report | Accession Number: ADA488423 |

Open PDF

Abstract:

People responsible for computer security incident response and digital forensic examination need to continually update their skills, tools, and knowledge to keep pace with changing technology. No longer able to simply unplug a computer and evaluate it later, examiners must know how to capture an image of the running memory and perform volatile memory analysis using various tools, such as PsList, ListDLLs, Handle, Netstat, FPort, Userdump, Strings, and PSLoggedOn. This paper presents a live response scenario and compares various approaches and tools used to capture and analyze evidence from computer memory.

Author(s):

Waits, Cal ; Akinyele, Joseph A. ; Nolan, Richard ; Rogers, Larry

Author Organization(s):

CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST

Descriptive Note:

Technical note

Supplementary Note:

The original document contains color images.

Pagination:

0031

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:

Approved For Public Release

Distribution Statement:

Approved For Public Release; Distribution Is Unlimited.

RECORD

Collection: TR

Identifying Numbers

Report Number(s):

CMU/SEI-2008-TN-017

Monitor Series:

ESC/MA

Subject Terms

Joint Capability Areas:

JCA_5_Command and Control; JCA_5.3_Planning; JCA_6_Net Centric; JCA_6.4.1_Secure Information Exchange; JCA_6.4_Information Assurance; JCA_3.2_Engagement; JCA_3_Force Application; JCA_3.2.2_Non-Kinetic Means; JCA_5.2_Understand; JCA_5.2.3_Share Knowledge and Situational Awareness; JCA_1.2_Force Preparation; JCA_1_Force Support; JCA_6.1.3_Switching and Routing; JCA_6.1_Information Transport; JCA_1.2.3_Educating; JCA_1.2.5_Lessons Learned; JCA_6.2.1_Information Sharing; JCA_6.2.2_Computing Services; JCA_8_Building Partnerships; JCA_1.2.2_Exercising; JCA_4.6_Engineering

Modernization Areas:

Cyber

Communities of Interest:

Cyber

Descriptor(s):

*DATA PROCESSING SECURITY, *MEMORY DEVICES, *MEDICAL EXAMINATION, *DIGITAL SYSTEMS, VOLATILITY, COMPUTERS, SCENARIOS, IMAGE PROCESSING

Field(s)/Group(s):

Medicine and Medical Research, Computer Programming and Software

Keyword(s):

*COMPUTER SECURITY, *COMPUTER FORENSICS, *LIVE RESPONSE, INCIDENT RESPONSE, VOLATILE MEMORY ANALYSIS

Report Date:

2008 Aug 01

Creation Date:

2008 Nov 12