Windows live memory analysis tool with timeframe network repository handling

Date of Publication

2014

Document Type

Bachelor's Thesis

Degree Name

Bachelor of Science in Computer Science

College

College of Computer Studies

Department/Unit

Computer Science

Thesis Adviser

Gregory G. Cu

Abstract/Summary

Forensic analysis is more often performed on non-volatile memory than on volatile memory. Traditional memory forensics examines the persistent data preserved in non-volatile storage, which is important for tracking the state of the system. Live analysis instead deals with a currently running system, obtaining data on its present state from volatile memory. A great deal of data can be observed in volatile memory that cannot be seen on other common storage devices such as the hard drive, including running and terminated processes, registry information, user domain account credentials, browser history, and other sensitive information. Malicious processes also reside in memory and can be detected through signature-based detection using a YARA scan. These data are potential pieces of evidence in a forensic investigation and can be retrieved by dumping the memory and storing it in a memory dump file. The system extracts all of this data from memory of different sizes, ranging from 1 GB to 8 GB. The resulting processing times show that as the size of memory increases, the time it takes to process and extract its contents increases as well. Since the extraction of data causes system starvation, a recommended dump time interval is suggested, equal to the sum of the processing times of each machine in the network.

Abstract Format

html

Language

English

Format

Print

Accession Number

TU18422

Shelf Location

Archives, The Learning Commons, 12F, Henry Sy Sr. Hall

Physical Description

1 v., various foliations ; 28 cm.
