Computer forensic analysis model for the reconstruction of chain of evidence of volatile memory data

Published in: Multimedia Tools and Applications

Abstract

Digital forensic data from volatile system memory has the following distinctive features: volatility, transience, phased stability, complexity, relevance of the collected data, and phased behavior predictability. We present a computer forensic analysis model (CERM) for the reconstruction of a chain of evidence from volatile memory data. CERM frees analysts from the traditional, single-evidence-oriented analysis of digital forensic data. In CERM, they can instead work at a higher level of abstraction, examining the relationships between independent pieces of evidence and analyzing patterns to construct a chain of evidence from the perspective of Evidence Law. In addition to CERM, we have designed a correlation analysis algorithm based on time series. Experimental tests have been conducted to verify the established model and the designed algorithm. The experimental results show that CERM is feasible and efficient, thus providing a new analysis perspective for digital forensic data from volatile system memory.



Acknowledgments

This work is funded by European Framework Program (FP7) under Grant No. FP7-PEOPLE-2011-IRSES, National Natural Science Foundation of China under Grant No. 61073009 & 61103197, National High Tech R&D Program 863 of China under Grant No. 2011AA010101, National Sci-Tech Support Plan of China under Grant No. 2014BAH02F03, National Sci-Tech Major Projects of China under Grant No. SinoProbe-09-01-03 & 2012ZX01039-004-04-3, Key Sci-Tech Program of Jilin Province of China under Grant No. 2011ZDGG007 & 20150204035GX, and Fundamental Research Funds for Central Universities of China under Grant No. JCKY-QKJC46 & 2412015KJ005.

Corresponding author

Correspondence to Kuo Zhao.

Cite this article

Wang, F., Hu, L., Hu, J. et al. Computer forensic analysis model for the reconstruction of chain of evidence of volatile memory data. Multimed Tools Appl 75, 10097–10107 (2016). https://doi.org/10.1007/s11042-015-2798-8
