Abstract
Digital forensic data from volatile system memory has the following distinctive features: volatility, transience, phased stability, complexity, relevance of the collected data, and phased behavior predictability. We present a computer forensic analysis model (CERM) for reconstructing a chain of evidence from volatile memory data. CERM frees analysts from the traditional approach to digital forensic data, which is oriented toward analyzing single pieces of evidence in isolation. Under CERM, they can instead work at a higher level of abstraction, examining the relationships between independent pieces of evidence and analyzing patterns to construct a chain of evidence from the perspective of Evidence Law. Alongside CERM, we have designed a correlation analysis algorithm based on time series. Experimental tests were conducted to verify the model and the algorithm; the results show that CERM is feasible and efficient, providing a new analytical perspective on digital forensic data from volatile system memory.
Acknowledgments
This work is funded by the European Framework Program (FP7) under Grant No. FP7-PEOPLE-2011-IRSES, the National Natural Science Foundation of China under Grant No. 61073009 & 61103197, the National High Tech R&D Program 863 of China under Grant No. 2011AA010101, the National Sci-Tech Support Plan of China under Grant No. 2014BAH02F03, the National Sci-Tech Major Projects of China under Grant No. SinoProbe-09-01-03 & 2012ZX01039-004-04-3, the Key Sci-Tech Program of Jilin Province of China under Grant No. 2011ZDGG007 & 20150204035GX, and the Fundamental Research Funds for Central Universities of China under Grant No. JCKY-QKJC46 & 2412015KJ005.
Cite this article
Wang, F., Hu, L., Hu, J. et al. Computer forensic analysis model for the reconstruction of chain of evidence of volatile memory data. Multimed Tools Appl 75, 10097–10107 (2016). https://doi.org/10.1007/s11042-015-2798-8