Extraction of User Information by Pattern Matching Techniques in Windows Physical Memory

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 194))

Abstract

There have been few investigations into how much relevant information can be recovered from the physical memory of Windows applications. Extraction of user information is vital in today's digital investigations, and forensic investigators find it helpful to gain access to evidence that these applications disperse over time in physical memory. In this research, we present the quantitative and qualitative results of experiments on the extraction of forensically relevant information from Windows computer systems. The process matches patterns from the original user input against the strings extracted from the memory dump. In conducting this research, we identified the most commonly used applications on Windows systems, designed a methodology to capture data, and processed that data. This research reports the amount of evidence dispersed over time in physical memory while the application was running and the user was not interacting with the system.
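The abstract describes the core of the method (extract printable strings from a memory dump, then match them against the user input that was originally typed into the application) without showing it. The following is an added illustration, not the authors' code or tooling: it builds a small constructed "memory dump" containing ASCII and UTF-16LE fragments (Windows applications commonly hold text in wide characters) mixed with binary noise, extracts the strings, and reports for each original input whether it was recovered whole, only as a fragment, or not at all. The sample inputs, the dump layout and the minimum-fragment threshold are assumptions made for the example.

```python
import re

# Constructed "original user input": what the investigator typed into the
# applications before the image was taken (hypothetical sample values).
USER_INPUTS = [
    "forensic.investigator@example.com",
    "meeting at 10am tomorrow",
    "Secret project Alpha",
]


def build_sample_dump() -> bytes:
    """Constructed memory dump: printable ASCII and UTF-16LE runs interleaved
    with non-printable noise. This is not a real memory image."""
    noise = bytes(range(0, 32)) * 3
    return (
        noise
        + b"forensic.investigator@example.com"           # ASCII, intact
        + noise
        + "meeting at 10am tomorrow".encode("utf-16-le")  # wide-char, intact
        + noise
        + b"Secret proj"                                  # truncated fragment
        + b"\x00\xff\x01"
        + "Alpha".encode("utf-16-le")                     # detached fragment
        + noise
    )


def extract_strings(dump: bytes, min_len: int = 4):
    """Return sorted (offset, encoding, text) triples for every run of at least
    min_len printable characters, in ASCII and in UTF-16LE."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dump):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, dump):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def match_user_inputs(user_inputs, strings, min_fragment: int = 5):
    """For each original input, report 'full' if some extracted string
    contains it whole, 'partial:N' with N the longest substring (>= min_fragment
    chars) found in the dump, or 'none'."""
    texts = [text for _, _, text in strings]
    report = {}
    for inp in user_inputs:
        if any(inp in t for t in texts):
            report[inp] = "full"
            continue
        best = 0
        # Try substrings of decreasing length; stop at the first length that hits.
        for length in range(len(inp) - 1, min_fragment - 1, -1):
            for start in range(0, len(inp) - length + 1):
                if any(inp[start:start + length] in t for t in texts):
                    best = length
                    break
            if best:
                break
        report[inp] = f"partial:{best}" if best else "none"
    return report


def recovery_ratio(report) -> float:
    """Fraction of original inputs recovered in full from the dump."""
    return sum(1 for v in report.values() if v == "full") / len(report)


if __name__ == "__main__":
    strings = extract_strings(build_sample_dump())
    for offset, enc, text in strings:
        print(f"0x{offset:06x} {enc:8s} {text!r}")
    report = match_user_inputs(USER_INPUTS, strings)
    for inp, status in report.items():
        print(f"{status:12s} {inp!r}")
    print(f"fully recovered: {recovery_ratio(report):.2f}")
```

Scanning for UTF-16LE as well as ASCII matters on Windows: a wide-character string produces no ASCII run of four or more characters, so an ASCII-only scan would report the second input as missing. The partial-match step is what lets an investigator distinguish "never in memory" from "overwritten or fragmented over time", which is the dispersal effect the paper measures.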



Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Olajide, F., Savage, N. (2011). Extraction of User Information by Pattern Matching Techniques in Windows Physical Memory. In: Ariwa, E., El-Qawasmeh, E. (eds) Digital Enterprise and Information Systems. DEIS 2011. Communications in Computer and Information Science, vol 194. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22603-8_40

  • DOI: https://doi.org/10.1007/978-3-642-22603-8_40

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-22602-1

  • Online ISBN: 978-3-642-22603-8

  • eBook Packages: Computer Science (R0)