A Forensically Robust Memory Image Acquisition Protocol Based on Windows Memory Analysis

De La Cruz, Jose R.; Duffany, Jeff

A Forensically Robust Memory Image Acquisition Protocol Based on Windows Memory Analysis

Active / Technical Report | Accession Number: ADA586915 |

Open PDF

Abstract:

Collecting a forensically sound memory image from a live system increases the effectiveness of the forensic investigation by providing analysts with enhanced data and context to extend the knowledge obtained from long term storage devices. More, and better, data will most likely deliver better and more robust conclusions. Enhanced understanding leads to better policy development and application. Why is it important Capability to inspect disks protected by whole disk encryption. Recover passwords for files, folders, etc. without incurring in brute-force methods. Obtain up-to-date data on actives processes. Provide analysts with the capability to extract more information from the system by providing context to the swap disk area. Obtain active and closing network connections.

Author(s):

De La Cruz, Jose R. ; Duffany, Jeff

Author Organization(s):

POLYTECHNIC UNIV OF PUERTO RICO SAN JUAN

Descriptive Note:

Related material

Supplementary Note:

The original document contains color images. DOI: 10.21236/ADA586915

Pagination:

0017

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:

Approved For Public Release

Distribution Statement:

Approved For Public Release; Distribution Is Unlimited.

RECORD

Collection: TR

Identifying Numbers

Report Number(s):

ARO-58924-CS-REP.16

Contract/Grant Number(s):

W911NF-11-1-0174

Monitor Series:

58924-CS-REP.16, ARO

Subject Terms

Joint Capability Areas:

JCA_6_Net Centric; JCA_6.1.3_Switching and Routing; JCA_5_Command and Control; JCA_6.1_Information Transport; JCA_5.3_Planning; JCA_8_Building Partnerships; JCA_6.2.3_Core Enterprise Services; JCA_8.1_Communicate; JCA_5.2.2_Develop Knowledge and Situational Awareness; JCA_5.2_Understand; JCA_6.2_Enterprise Services; JCA_8.2_Shape

Communities of Interest:

No COI(s) Identified

Descriptor(s):

*DATA STORAGE SYSTEMS, COMPUTERS, FORENSIC ANALYSIS, MEMORY DEVICES

Field(s)/Group(s):

Computer Programming and Software, Computer Hardware

Keyword(s):

BRUTE FORCE METHODS, DIGITAL FORENSICS, WINDOWS MEMORY ANALYSIS, MEMORY IMAGE, PE206022

Report Date:

2012 Apr 20

Creation Date:

2013 Nov 13