Abstract
There have been few investigations into the amount of relevant information that can be recovered from the physical memory of Windows applications. Extraction of user information is vital in today's digital investigations, and forensic investigators find it helpful to gain access to evidence that is dispersed over time in the physical memory of these applications. In this research, we present the quantitative and qualitative results of experiments carried out on the extraction of forensically relevant information from Windows computer systems. The process applies pattern matching between the original user input and the strings extracted from memory dumps of the running processes. In conducting this research, we have identified the most commonly used applications on Windows systems, designed a methodology to capture data, and processed that data. This research reports the amount of evidence dispersed over time in physical memory while the application was running and the user was not interacting with the system.
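The abstract describes matching known user input against strings recovered from a memory dump and measuring how much of that input survives as the process sits idle. The following is an added illustration of that methodology, not code from the paper or its authors: it sweeps a constructed byte string standing in for a process memory image, pulls out printable ASCII and UTF-16LE runs (the encoding Windows applications commonly use for text), and classifies each original input as fully recovered, partially recovered (a common fragment of at least `min_fragment` characters), or absent, across several constructed "idle time" snapshots. The sample inputs, the noise bytes, the snapshot timings and the `min_fragment` threshold are all assumptions made for the example.

```python
import re

MIN_LEN = 4  # shortest printable run worth keeping, as with the classic strings tool
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(dump: bytes) -> list[str]:
    """Recover printable ASCII and UTF-16LE strings of length >= MIN_LEN from a raw image."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(dump)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(dump)]
    return found


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters shared by a and b (dynamic programming)."""
    prev = [0] * (len(b) + 1)
    best = 0
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def classify(user_input: str, strings: list[str], min_fragment: int = 8) -> str:
    """'full' if the whole input survives in some extracted string, 'partial' if a
    fragment of at least min_fragment characters does, otherwise 'none'."""
    best = max((longest_common_substring(user_input, s) for s in strings), default=0)
    if best == len(user_input):
        return "full"
    if best >= min_fragment:
        return "partial"
    return "none"


def measure_recovery(user_inputs: list[str], dump: bytes, min_fragment: int = 8) -> dict[str, str]:
    """Map each original user input to its recovery class for one dump."""
    strings = extract_strings(dump)
    return {u: classify(u, strings, min_fragment) for u in user_inputs}


def recovery_over_time(user_inputs: list[str], snapshots: list[tuple[int, bytes]]) -> list[tuple[int, int, int]]:
    """For each (minutes_idle, dump) snapshot return (minutes_idle, full_count, partial_count)."""
    series = []
    for minutes, dump in snapshots:
        result = measure_recovery(user_inputs, dump)
        full = sum(1 for v in result.values() if v == "full")
        partial = sum(1 for v in result.values() if v == "partial")
        series.append((minutes, full, partial))
    return series


# Constructed sample data (assumption for illustration, not a real capture).
NOISE = bytes([0x00, 0x01, 0xFF, 0x80, 0x07, 0x1B]) * 8  # non-printable filler
USER_INPUTS = [
    "meeting with legal team at 10:30",
    "password reset requested for alice",
    "https://intranet.example/portal",
]


def _a(s: str) -> bytes:
    return s.encode("ascii")


def _u(s: str) -> bytes:
    return s.encode("utf-16-le")


# Three constructed snapshots: everything present at t=0, then buffers are
# progressively overwritten while the application idles.
SNAPSHOTS = [
    (0, NOISE + _a(USER_INPUTS[0]) + NOISE + _a(USER_INPUTS[1]) + NOISE
        + _a(USER_INPUTS[2]) + NOISE + _u(USER_INPUTS[0]) + NOISE),
    (30, NOISE + _a("meeting with legal team") + NOISE + _u(USER_INPUTS[2])
        + NOISE + _a("alice") + NOISE),
    (60, NOISE + _u("legal team at 10:30") + NOISE),
]

if __name__ == "__main__":
    for minutes, full, partial in recovery_over_time(USER_INPUTS, SNAPSHOTS):
        print(f"idle {minutes:>3} min: {full} full, {partial} partial of {len(USER_INPUTS)} inputs")
```

The `min_fragment` threshold matters for the qualitative side of the measurement: the five-character "alice" surviving at 30 minutes is below it and so is not counted, which keeps short coincidental overlaps (common words, dates) from inflating the recovery figures.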
© 2011 Springer-Verlag Berlin Heidelberg
Olajide, F., Savage, N. (2011). Extraction of User Information by Pattern Matching Techniques in Windows Physical Memory. In: Ariwa, E., El-Qawasmeh, E. (eds) Digital Enterprise and Information Systems. DEIS 2011. Communications in Computer and Information Science, vol 194. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22603-8_40
DOI: https://doi.org/10.1007/978-3-642-22603-8_40
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22602-1
Online ISBN: 978-3-642-22603-8