    On the Identification of Information Extracted from Windows Physical Memory

    Forensic investigation of the physical memory of computer systems is gaining the attention of experts in the digital forensics community. Forensic investigators find it helpful to seize and capture data from the physical memory and perform post-incident analysis when identifying potential evidence. However, there have been few investigations which have identified the quantity and quality of information that can be recovered from only the computer system memory (RAM) while the application is still running. In this paper, we present the results of investigations carried out to identify relevant information that has been extracted from the physical memory of computer systems running Windows XP. We found fragments of partial evidence from allocated memory segments. This evidence was dispersed in the physical memory that had been allocated to the application. The identification of this information is useful to forensic investigators, as this approach can uncover what a user is doing in the application, which can be used as evidence.

    Forensic extraction of user information in continuous block of evidence

    Extraction of user information from the physical memory of Windows applications is vital in today's digital investigations. The digital forensic community feels the urge for the development of tools and techniques in volatile memory analysis. However, there have been few investigations into the amount of relevant information that can be recovered from the application memory. In this research, we present the quantitative and qualitative results of experiments carried out on Windows applications. In conducting this research, we have identified the most commonly used applications on Windows systems, designed a methodology to capture data, and processed that data. This research reports the amount of evidence that was stored over time and recovered in continuous blocks of evidence in the physical memory.

    Windows Memory Forensic Data Visualization

    Modern criminal investigators face an increasing number of computer-related crimes that require the application of digital forensic science. The major challenge facing digital forensics practitioners is the complicated task of acquiring an understanding of the digital data residing in electronic devices. Currently, this task requires significant experience and background to correctly aggregate the data their tools provide from the digital artifacts. Most of the tools available present their results in text files or tree lists. It is up to the practitioner to mentally capture a global understanding of the state of the device at the time of seizure and find the items of evidentiary interest. This research focuses on the application of Information Visualization techniques to improve the analysis of digital forensic evidence from Microsoft Windows memory captures. The visualization tool developed in this work presents both global and local views of the evidence based on user interactions with the graphics. The resulting visualizations provide the necessary details for verifying digital artifacts and assist in locating additional items of relevance. This proof-of-concept model can be modified to support various digital forensic target platforms including Mac OS X, Linux, and Android.

    A comparison of forensic evidence recovery techniques for a Windows Mobile smart phone

    Acquisition, decoding and presentation of information from mobile devices is complex and challenging. Device memory is usually integrated into the device, making isolation prior to recovery difficult. In addition, manufacturers have adopted a variety of file systems and formats, complicating decoding and presentation.

    A variety of tools and methods have been developed (both commercially and in the open source community) to assist mobile forensics investigators. However, it is unclear to what extent these tools can present a complete view of the information held on a mobile device, or the extent to which the results produced by different tools are consistent.

    This paper investigates what information held on a Windows Mobile smart phone can be recovered using several different approaches to acquisition and decoding. The paper demonstrates that no one technique recovers all information of potential forensic interest from a Windows Mobile device, and that in some cases the information recovered is conflicting.

    Procedures and tools for acquisition and analysis of volatile memory on android smartphones

    Mobile phone forensics has become more prominent since mobile phones have become ubiquitous both for personal and business use. Android smartphones show tremendous growth in global market share. Many researchers and works show the procedures and techniques for the acquisition and analysis of the non-volatile memory in mobile phones. On the other hand, the physical memory (RAM) of the smartphone might retain incriminating evidence that could be acquired and analysed by the examiner. This study reveals the proper procedure for acquiring the volatile memory in an Android smartphone and discusses the use of Linux Memory Extraction (LiME) for dumping the volatile memory. The study also discusses the analysis process of the memory image with Volatility 2.3, especially the analysis capability the application demonstrates. Despite their advancement, there are two major concerns for both applications. First, the examiners have to gain root privileges before executing LiME. Second, neither application has a generic solution or approach. On the other hand, currently there is no other tool or option that might give the same result as LiME and Volatility 2.3.