{"title":"Towards the Virtual Memory Space Reconstruction for Windows Live Forensic Purposes","authors":"Antonio Savoldi, P. Gubian","doi":"10.1109/SADFE.2008.21","DOIUrl":null,"url":null,"abstract":"The aim of this paper is to demonstrate the usefulness of the pagefile in a live forensic context. The forensic science is striving to find new methodologies to analyze the massive quantity of data normally present in a medium-sized workstation, which can have up to several terabytes of storage devices. As a result, the live forensic approach seems to be the only one which can guarantee promptness in obtaining evidential data to be used in the investigative process. The current approach of volatile forensic analysis does not consider the pagefile as an important element to be used in the analysis. Therefore, we have developed a solution which permits to correlate evidential data within the pagefile to the relative process located in the RAM dump. This work can be considered a natural extension of our previous work on this topic.","PeriodicalId":391486,"journal":{"name":"2008 Third International Workshop on Systematic Approaches to Digital Forensic Engineering","volume":"35 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2008-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2008 Third International Workshop on Systematic Approaches to Digital Forensic Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SADFE.2008.21","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 12
Abstract
The aim of this paper is to demonstrate the usefulness of the pagefile in a live forensic context. The forensic science is striving to find new methodologies to analyze the massive quantity of data normally present in a medium-sized workstation, which can have up to several terabytes of storage devices. As a result, the live forensic approach seems to be the only one which can guarantee promptness in obtaining evidential data to be used in the investigative process. The current approach of volatile forensic analysis does not consider the pagefile as an important element to be used in the analysis. Therefore, we have developed a solution which permits to correlate evidential data within the pagefile to the relative process located in the RAM dump. This work can be considered a natural extension of our previous work on this topic.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
