Memory Forensics: Tools and Techniques
Objectives: To evaluate the performance of different tools that acquire, analyze and recover evidence of crime from volatile memory. A comparison between the tools is presented with the aim of generating a better understanding of the tools employed. Methods: Volatile memory persists only for a very short period, which is why it is always hard to analyze. It contains much useful information such as passwords, usernames, running processes, etc. Acquiring, analyzing and recovering are the three major steps of memory forensics. Experiments are performed with different tools to understand the procedure of acquiring, analyzing and recovering important evidence. Findings: The strengths and drawbacks of all the tools are analyzed, which provides a better understanding of how the tools work in specific scenarios. Tools like FtkImager and Belkasoft represent the data as a tree structure, which makes it difficult to analyze the data. None of the tools investigated is entirely suited to a particular situation; hence, the investigation needs to rely on many tools that can retrieve useful information from the evidence. It is important to know the usefulness of a tool before it is applied to solve a crime. Although most of the tools are successful in providing reasonable evidence, no single tool is sufficient to complete the investigation. Improvements: Most of the tools work as passive agents, that is, it is left to the discretion of the investigator to analyze the evidence collected through the different tools. The tools can be improved by combining them with machine learning techniques. This paper also discusses the improvements that can be made in order to make the tools easier to work with and to yield better results.
Acquisition Memory Tools, Analyzing Memory Tools, Digital Forensics, Live Analysis, Memory Forensics, Recovering Memory Tools.
This work is licensed under a Creative Commons Attribution 3.0 License.