User data persistence in physical memory

In this paper we present the results of experiments we conducted on Suse Linux and Windows XP systems to determine the age of user process data in physical memory. To be able to measure the age of pages we used an artificial load program which time-stamps data segment and block device cache pages. Our goal was to compare the behaviour of both systems and to determine whether the rate of decay for user data depends on the demand for physical memory. Our findings show that Windows and Linux systems preserve almost the same number of pages with user data, and the age distribution of these pages does not change significantly with the level of demand.     

Extracting Windows command line details from physical memory

Current memory forensic tools concentrate mainly on system-related information like processes and sockets. There is a need for more memory forensic techniques to extract user-entered data retained in various Microsoft Windows applications such as the Windows command prompt. The command history is a prime source of evidence in many intrusions and other computer crimes, revealing important details about an offender’s activities on the subject system. This paper dissects the data structures of the command prompt history and gives forensic practitioners a tool for reconstructing the Windows command history from a Windows XP memory capture. At the same time, this paper demonstrates a methodology that can be generalized to extract user-entered data on other versions of Windows.     

Extraction of forensically sensitive information from windows physical memory

Forensic analysis of physical memory is gaining good attention from experts in the community especially after recent development of valuable tools and techniques. Investigators find it very helpful to seize physical memory contents and perform post-incident analysis of this potential evidence. Most of the research carried out focus on enumerating processes and threads by accessing memory resident objects. To collect case-sensitive information from the extracted memory content, the existing techniques usually rely on string matching. The most important contribution of the paper is a new technique for extracting sensitive information from physical memory. The technique is based on analyzing the call stack and the security sensitive APIs. It allows extracting sensitive information that cannot be extracted by string matching-based techniques. In addition, the paper leverages string matching to get a more reliable technique for analyzing and extracting what we called “application/protocol fingerprints”. The proposed techniques and their implementation target the machines running under the Windows XP (SP1, SP2) operating system.     

A visual approach to interpreting NAND flash memory

The research described in this paper proposes methods for visually interpreting the content of raw NAND flash memory images into higher level visual artefacts of assistance in reverse engineering and interpreting flash storage formats. A novel method of reverse engineering the structure and layout of individual memory locations within NAND flash images, based on injecting a known signal into a test NAND environment is also proposed. Omissions in the current theory of operation of flash, in particular the role of flash memory controllers in transforming the raw NAND are identified, clarifying the cause of variations seen between images taken using pseudo physical and raw physical techniques. The effectiveness of the approach is validated against raw NAND images from YAFFS2 based Android phones, taken via JTAG and chip-off methods.     

A Memorial for jeremy bentham: memory,fiction, and writing the law

At a moment when the European Union and globalisation are, in their different contexts, bringing systems of traditional law (like the Common Law), whose texts are presented as monuments to historical legal cultures, into confrontation with systems of written law which claim to be rational embodiments of universal principles of liberal justice, how might we remember Jeremy Bentham, the pioneer of the critique of the former in the name of the latter? This essay in ‘law-and-literature’ looks at the relation between memory, fiction and writing in both the Common Law and in the two last projects for which the radical legal positivist sought to be remembered: the Constitutional Code for the Use of All Nations and All Governments Professing Liberal Opinions (1830) and Auto-Icon: Or, Farther Uses of the Dead to the Living (published posthumously in 1842). By examining Bentham’s linguistic theory and practice, the article raises questions about the relations between the ‘law’ of writing and the writing of law.     

A comparison of memory for homicide, non-homicidal violence, and positive life experiences

Defendants commonly claim amnesia for their criminal actions especially in cases involving extreme violence. While some claims are malingered or result from physiological factors, other cases may represent genuine partial or complete amnesia resulting from the psychological distress and/or extreme emotion associated with the perpetration of the crime. Fifty Canadian homicide offenders described their memories of their homicide, a non-homicide violent offense, and their most positive adulthood life experience. Self-reported and objective measures of memories for these events revealed that homicides were recalled with the greatest level of detail and sensory information. Although dissociative tendencies were associated with a self-reported memory loss, objective measures of memory quality did not reflect this perceived impairment, suggesting a failure of meta-memory. Recollections of positive life events were superior to those of non-homicidal violence, possibly due to greater impact and meaning attached to such experiences. Findings suggest that memory for homicide typically is enhanced by the powerful emotion associated with its perpetration.     

A survey of main memory acquisition and analysis techniques for the windows operating system

Traditional, persistent data-oriented approaches in computer forensics face some limitations regarding a number of technological developments, e.g., rapidly increasing storage capabilities of hard drives, memory-resident malicious software applications, or the growing use of encryption routines, that make an in-time investigation more and more difficult. In order to cope with these issues, security professionals have started to examine alternative data sources and emphasize the value of volatile system information in RAM more recently. In this paper, we give an overview of the prevailing techniques and methods to collect and analyze a computer's memory. We describe the characteristics, benefits, and drawbacks of the individual solutions and outline opportunities for future research in this evolving field of IT security.     

Whole-face procedures for recovering facial images from memory

Research has indicated that traditional methods for accessing facial memories usually yield unidentifiable images. Recent research, however, has made important improvements in this area to the witness interview, method used for constructing the face and recognition of finished composites. Here, we investigated whether three of these improvements would produce even-more recognisable images when used in conjunction with each other. The techniques are holistic in nature: they involve processes which operate on an entire face. Forty participants first inspected an unfamiliar target face. Nominally 24 h later, they were interviewed using a standard type of cognitive interview (CI) to recall the appearance of the target, or an enhanced ‘holistic’ interview where the CI was followed by procedures for focussing on the target's character. Participants then constructed a composite using EvoFIT, a recognition-type system that requires repeatedly selecting items from face arrays, with ‘breeding’, to ‘evolve’ a composite. They either saw faces in these arrays with blurred external features, or an enhanced method where these faces were presented with masked external features. Then, further participants attempted to name the composites, first by looking at the face front-on, the normal method, and then for a second time by looking at the face side-on, which research demonstrates facilitates recognition. All techniques improved correct naming on their own, but together promoted highly-recognisable composites with mean naming at 74% correct. The implication is that these techniques, if used together by practitioners, should substantially increase the detection of suspects using this forensic method of person identification.     

An evaluation platform for forensic memory acquisition software

Memory forensics has gradually moved into the focus of researchers and practitioners alike in recent years. With an increasing effort to extract valuable information from a snapshot of a computer's RAM, the necessity to properly assess the respective solutions rises as well. In this paper, we present an evaluation platform for forensic memory acquisition software. The platform is capable of measuring distinct factors that determine the quality of a generated memory image, specifically its correctness, atomicity, and integrity. Tests are performed for three popular open source applications, win32dd, WinPMEM, and mdd, as well as for different memory sizes.     

An improved method for restoring the initial appearance of injuries on the skin

Presents a modified method for restoring the shape and size of wounds on skin preparations. The advantages of the modification over the routine A. N. Ratnevski?'s method are enumerated.     

Capacity for physical action in traumatically-induced epidural hemorrhage

Authors report the case of a 55-year-old man with a nearly normal capacity to act for appr. 48 hours following epidural hematoma due to a blunt trauma of the head with skull fracture. The man was amnestic for the period of time since the trauma. According to the computertomographic findings, the cause for the mild clinical symptoms was a pre-existent atrophy of the brain.     

Some conditions maximizing eyewitness accuracy: A learning/memory analogy

Jurors continue to rely heavily on eyewitness testimony despite numerous demonstrations that it is often inaccurate. As part of the effort to provide jurors with good estimates of the accuracy of any specific testimony, a study was designed to test the proposal that eyewitness accuracy is governed by the same variables and in the same way as is retention of much simpler material in classical learning and memory paradigms. Prior exposure to the criminal (trials), arousal value of the incident (drive), and delay between prior exposure and incident, and between incident and test (inner-trial intervals) all affected eyewitness accuracy in the expected manner. Correct recognitions of the criminal in a line-up ranged from 14 percent to 86 percent, depending on the particular conditions under which the incident was observed.     

A consideration of telescoping and memory decay biases in victimization surveys

The relationship between memory biases and characteristics of incidents and respondents in victimization surveys were studied using National Crime Survey victimization data. Comparisons between the monthly distribution of victimizations appearing in police offense reports and the monthly distribution of victimizations reported to survey interviewers revealed evidence of substantial memory effects in victimization survey results. However, no substantial biases were found in the victimization data according to the seriosness of the event, whether or not the event was reported to the police, or respondent characteristics. That is, regardless of the characteristics of the event or characteristic of the respondent studied, the temporal distribution of victimizations reported to survey interviewers was similar. These results suggested that, whereas memory effects of the kind studied here are in evidence in reports of victimization experiences, there is no evidence that these effects are substantially related to respondent and incident characteristics, and, hence, they are much less problematic for the use of victimization survey results than would otherwise be the case.     

Patterns of physical and sexual abuse for men and women in dating relationships: A descriptive analysis

A random sample of students at a large Midwestern University was selected in order to examine whether and how physical and sexual abuse were related to each other for men and women, whether abuse in one relationship was independent of abuse in other relationships, and how victims responded to abusive incidents. The results revealed several important patterns. When comparing the frequency of physical and sexual abuse for men and women, it was found that sexual abuse was more common than physical abuse, but only for women. Additionally, women experienced more sexual abuse than men. While men and women did not experience physical abuse in other relationships at more than chance levels, women who sustained sexual abuse in one relationship were more likely to sustain sexual abuse in other relationships. Furthermore, while sustaining physical and sexual abuse were not associated with one another for men, there was a weak association for women. Finally, victims of abuse were more likely to tell their friends they had been abused than report it to criminal justice authorities.Paper presented at the 1987 American Society of Criminology Meetings.     

Females' reasons for their physical aggression in dating relationships

Approximately 32% of dating college females reported that they engaged in physical aggression against their partners and that they engaged in acts of physical aggression more often than their male partners engaged in aggression against them. However, the females also reported that their male partners attempted to force them to engage in oral sex more often than the females engaged in such coercive behavior. Based on both open-ended and closed responses, the primary reasons given for engaging in physical aggression were anger at the partner and poor communication. Females who reported physical aggression in their relationships were less satisfied with their relationships, and both psychological and physical aggression were negatively correlated with positive feelings about the partners.     

Psychical and physical symptoms after torture. A prospective controlled study

This is the first controlled study of torture victims published. Ten persons who alleged subjection to torture were examined by two different medical teams during the first months after torture. The testimonies of the probands were found to be credible and the method of examination was found to be reliable. The state of health of the probands was inferior to that of the control persons (P less than 0.01) which reflects the effect of torture on health. The most frequent symptoms were psychological: depression, anxiety, emotional lability, reduced ability for contact, disturbed sleep, nightmares, impaired concentration and memory.     

Methods for physical stabilization of ashed teeth in incinerated remains

Methods for physically stabilizing the extremely fragile ashed teeth that are often encountered in incinerated human remains were investigated. Results of a questionnaire sent to forensic anthropologists and forensic odontologists disclosed that, for these two groups, the most popular methods currently used are impregnation with a solution of polyvinyl acetate or application of cyanoacrylate cement, respectively. In addition, extracted human teeth were incinerated in the laboratory and impregnated with commercially available preparations of either cyanoacrylate cement, clear acrylic spray paint, hair spray, spray furniture varnish, clear fingernail polish, quick-setting epoxy cement, Duco household cement, polyvinyl acetate polymer in acetone, or self-curing clear dental acrylic resin. Every substance tested successfully stabilized the incinerated teeth. Clear acrylic spray paint was judged the most efficacious overall because of its ease of application, availability, inexpensiveness, and rapidity of setting.     

毛发常见机械性损伤形态的环境扫描电镜研究

目的建立环境扫描电镜(ESEM)法推断毛发致伤物种类的新方法。方法应用ESEM观察分析不同锐器、钝器及致伤方式形成的毛发机械性损伤的微观形态特征。结果毛发锐器、钝器损伤的表面微观特征存在显著差异,同种类型致伤工具,其锋利程度、作用方式不同时,其损伤特征也明显不同。结论ESEM法能够真实、自然反映毛发机械性损伤表面微观特征,可应用于推断毛发致伤物种类。