Forensic memory analysis: Files mapped in memory

Baar, R.B. van; Alink, W.; Ballegooij, A.R. van

doi:10.1016/j.diin.2008.05.014

Cited by 40 publications

(21 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The newly created data set was dubbed Baseline Carving Data Set 6 . The overall purpose is to represent a file structure that is indicative of what may be encountered in investigations in order to provide more viable carving performance results.…”

Section: Data Setsmentioning

confidence: 99%

“…Furthermore, methods have also been developed for scenarios including carving network packets; e.g. IP packets from forensic images [5] and carving file objects from memory dumps [6]. Advanced file carving techniques have also been investigated including in-place file carving to reduce storage space and processing time [7] and recovery and re-assembly of fragmented JPEG files [8].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Performance Analysis of File Carving Tools

Laurenson

2013

Security and Privacy Protection in Information Processing Systems

View full text Add to dashboard Cite

Abstract. File carving is the process of recovering files based on the contents of a file in scenarios where file system metadata is unavailable. In this research a total of 6 file carving tools were tested and reviewed to evaluate the performance quality of each. Comparison of findings to a previous similar study was conducted and showed variable performance advances. A new file carving data set was also authored and testing determined that the wider variety of file types and structures proved challenging for most tools to efficiently recover a high percentage of files. Results also highlighted the ongoing issue with complete recovery and reassembly of fragmented files. Future research is required to provide digital forensic investigators & data recovery practitioners with efficient and accurate file carving tools to maximise file recovery and minimise invalid file output.

show abstract

Section: Data Setsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Performance Analysis of File Carving Tools

Laurenson

2013

Security and Privacy Protection in Information Processing Systems

View full text Add to dashboard Cite

show abstract

“…Sarmoria and Chapin [177] present an approach for monitoring access to shared memory mapped files and Schuster [185] examines the impact of Windows memory allocation strategies on process and context persistence in memory. van Baar et al [206] describe a method for recovering files mapped in memory and to link mapped file information process data. The paper presents a case for extracting such data which reduces the amount of unidentified data in memory dumps.…”

Section: Digital Timestamps and Time-liningmentioning

confidence: 99%

Digital forensic research: current state of the art

Raghavan

2012

CSIT

115

View full text Add to dashboard Cite

Abstract-Digital Forensics is the process of employing scientific principles and processes analyze electronically stored information to determine the sequence of events which led to a particular incident. In this digital age, it is important for researchers to become aware of the recent developments in this dynamic field and understand scope for the future. The past decade has witnessed significant technological advancements to aid during a digital investigation. Many methodologies, tools and techniques have found their way into the field designed on forensic principles. Digital forensics has also witnessed many innovative approaches that have been explored to acquire and analyze digital evidence from diverse sources. In this paper, we review the research literature since 2000 and categorize developments in the field into 4 major categories. In recent years the exponential growth of technological has also brought with it some serious challenges for digital forensic research which is elucidated. Within each category, research is sub-classified into conceptual and practical advancements. We highlight the observations made by previous researchers and summarize the research directions for the future.

show abstract

“…However, the dynamic nature of memory means that obtaining a complete and consistent perspective of memory is impossible without taking multiple memory snapshots. In addition to problems posed by memory fragmentation, the analysis of data is complicated by the fact that memory structures vary considerably for different systems [16].…”

Section: Related Workmentioning

confidence: 99%

“…Best practices have been specified to ensure that acquisition methods minimize the impact on volatile system memory and that relevant evidentiary data can be extracted from a memory dump [3,12,16]. However, most approaches focus only on a single snapshot of system memory, which has several drawbacks.…”

Section: Introductionmentioning

confidence: 99%

Identifying Volatile Data from Multiple Memory Dumps in Live Forensics

Law¹,

Chan²,

Yiu³

et al. 2010

Advances in Digital Forensics VI

View full text Add to dashboard Cite

International audienceOne of the core components of live forensics is to collect and analyze volatile memory data. Since the dynamic analysis of memory is not possible, most live forensic approaches focus on analyzing a single snapshot of a memory dump. Analyzing a single memory dump raises questions about evidence reliability; consequently, a natural extension is to study data from multiple memory dumps. Also important is the need to differentiate static data from dynamic data in the memory dumps; this enables investigators to link evidence based on memory structures and to determine if the evidence is found in a consistent area or a dynamic memory buffer, providing greater confidence in the reliability of the evidence. This paper proposes an indexing data structure for analyzing pages from multiple memory dumps in order to identify static and dynamic pages

show abstract

Forensic memory analysis: Files mapped in memory

Cited by 40 publications

References 4 publications

Performance Analysis of File Carving Tools

Performance Analysis of File Carving Tools

Digital forensic research: current state of the art

Identifying Volatile Data from Multiple Memory Dumps in Live Forensics

Contact Info

Product

Resources

About