Title: A novel methodology for Windows 7 x64 memory forensics
Authors: G. S. Suma, Dija S, Thomas K L
DOI: 10.1109/ICCIC.2014.7238400 (https://doi.org/10.1109/ICCIC.2014.7238400)
Published in: 2014 IEEE International Conference on Computational Intelligence and Computing Research, 2014-12-01
Citations: 3
Abstract
Due to the ever-increasing growth rate of malware, memory forensics has become unavoidable in a cybercrime investigation. This is because physical memory may contain crucial information that is available nowhere on the system hard disk. Memory forensics deals with the collection of forensically sound evidence from the physical memory content of a suspect's system. It is a fast-growing and challenging field of computer forensics in which a live forensic methodology is adopted in order to acquire physical memory content. Analysis of the collected memory dump is very difficult due to the complex data structures in it, especially on Windows x64 systems. The complexity of 64-bit address translation makes the analysis tougher still. This translation can be performed only after an artifact called the Directory Table Base (DTB) has been found. Even though a few methods are available for finding the DTB, none is efficient enough to adopt in a memory analysis tool. In this paper, a novel methodology for finding the DTB on a 64-bit Windows system is described in detail. The paper also explains algorithms for retrieving forensically relevant information, such as running processes and their associated details, from physical memory dumps collected from Windows 7 x64 machines.