Forensic memory analysis: Files mapped in memory

نویسندگان

R. B. van Baar

W. Alink

A. R. van Ballegooij

چکیده

In this paper we describe a method for recovering files mapped in memory and to link mapped-file information process data. This information is forensically interesting, because it helps determine the origin and usage of the file and because it reduces the amount of unidentified data in a memory dump. To find mapped-file content, we apply several different techniques. Together, these techniques can identify approximately 25% of test memory dumps as being part of a memory-mapped file. a 2008 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved.

برای دانلود رایگان متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Physical Memory Forensics for Files and Cache

Physical memory forensics has gained a lot of traction over the past five or six years. While it will never eliminate the need for disk forensics, memory analysis has proven its efficacy during incident response and more traditional forensic investigations. Since attackers typically live in userland memory, reconstructing the processes in that space is essential to an investigation. While previ...

متن کامل

Windows Operating System Agnostic Memory Analysis

Memory analysis is an integral part of any computer forensic investigation, providing access to volatile data not found on a drive image. While memory analysis has recently made significant progress, it is still hampered by hard-coded tools that cannot generalize beyond the specific operating system and version they were developed for. This paper proposes using the debug structures embedded in ...

متن کامل

Acquiring OS X File Handles Through Forensic Memory Analysis

Memory analysis has become a critical capability in digital forensics because it provides insight into system state that cannot be fully represented through traditional media analysis. The volafox open source project has begun the work of structured memory analysis for OS X with support for a limited set of kernel structures. This paper addresses one memory analysis deficiency on OS X with the ...

متن کامل

Monitoring Access to Shared Memory-Mapped Files

The post-mortem state of a compromised system may not contain enough evidence regarding what transpired during an attack to explain the attacker’s modus operandi. Current systems that reconstruct sequences of events gather potential evidence at runtime by monitoring events and objects at the system call level. The reconstruction process starts with a detection point, such as a file with suspici...

متن کامل

A UNIX Interface for Shared Memory and Memory Mapped Files Under Mach

This paper describes an approach to Unix shared memory and memory mapped files currently in use at CMU under the Mach Operating System. It describes the rationale for Mach’s memory sharing and file mapping primitives as well as their impact on other system components and on overall performance.

متن کامل

ذخیره در منابع من

ذخیره در منابع من قبلا به منابع من ذحیره شده

{@ msg_add @}

با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

عنوان ژورنال:

دوره شماره

صفحات -

تاریخ انتشار 2008

Forensic memory analysis: Files mapped in memory

نویسندگان

چکیده

منابع مشابه

Physical Memory Forensics for Files and Cache

Windows Operating System Agnostic Memory Analysis

Acquiring OS X File Handles Through Forensic Memory Analysis

Monitoring Access to Shared Memory-Mapped Files

A UNIX Interface for Shared Memory and Memory Mapped Files Under Mach

عنوان ژورنال:

اشتراک گذاری