  • Pages: 98 (24389 words)
  • Published: December 8, 2011
Forensic Analysis of Physical Memory and Page File
Hameed Iqbal

Master’s Thesis
Master of Science in Information Security
30 ECTS
Department of Computer Science and Media Technology
Gjøvik University College, 2009

Avdeling for informatikk og medieteknikk Høgskolen i Gjøvik Postboks 191 2802 Gjøvik

Department of Computer Science and Media Technology
Gjøvik University College
Box 191
N-2802 Gjøvik
Norway

Forensic Analysis of Physical Memory and Page File
Hameed Iqbal 2nd November 2009

Abstract

With the passage of time, the field of computer forensics is maturing, and the traditional methodology of disk forensics has now become a standard. In the same manner, volatile data forensics is also getting serious attention from forensic investigators and researchers. Physical memory is an integral part of volatile data forensics. It can provide a forensic examiner with a wealth of information such as passwords, encrypted keys, typed commands, web addresses, shared and executable files, currently running processes and terminated processes, open ports and active connections. This thesis explores the forensic analysis of physical memory and the page file in search of sensitive data using the currently available tools. Experiments are carried out in a virtual environment on the Windows XP operating system. The immediate purpose of this thesis is to study the impact of increased memory size, operating system and applications on the retention of sensitive data in today’s computers. We will also explore the capabilities and limitations of the currently available tools for the acquisition and analysis of memory and the page file.


Acknowledgements
I wish to extend my deepest gratitude to some people who helped me in the completion of this thesis work. First of all I am thankful to Almighty Allah for giving me the ability and strength to contribute to the service of humanity in the shape of this research work. Then I would like to say many thanks to my supervisor Andre Årnes for his continuous support and encouragement during this whole research work. I am also thankful to my friends for their encouragement. Last but not least, I am thankful to my family and those special people who are away from me but their endless prayers and support enabled me to undertake this thesis work. I would like to dedicate this research work to the Higher Education Commission (HEC) of Pakistan for financing my research work in Norway.

Hameed Iqbal
November 02, 2009


Contents
Acknowledgements
Contents
List of Figures
1 Introduction
  1.1 Topic Covered by the Project
  1.2 Keywords
  1.3 Problem Description
  1.4 Research Questions
  1.5 Planned Contributions
  1.6 Research Method
  1.7 Research Limitations
  1.8 Outline of the rest of the Report
2 Science of Digital Forensics
  2.1 Digital Forensics
    2.1.1 Internet Forensics
    2.1.2 Network Forensics
    2.1.3 Computer Forensics
  2.2 Digital Investigation Process Models
  2.3 Terminology
3 Physical Memory Forensics
...