1.
Anti-forensic technology can play an effective role in protecting information, but it can make forensic investigations difficult. Specifically, file-wiping permanently erases evidence, making it challenging for investigators to determine whether a file ever existed and prolonging the investigation process. To address this issue, forensic researchers have studied anti-forensic techniques that detect file-wiping activities. Many previous studies have focused on the effects of file-wiping tools on $MFT, $LogFile, and $DATA, rather than on Windows artifacts. Additionally, previous studies that have examined Windows artifacts have considered different artifacts, making it difficult to study them in a comprehensive manner. To address this, we comprehensively analyzed the traces that the operations of 10 file-wiping tools leave in 13 Windows artifacts on the Windows operating system. For our experiments, we installed each file-wiping tool on separate virtual machines and checked the traces that the tools left behind in each artifact. We then organized the results in a database format. Our analysis revealed that most of the tools left traces on other artifacts, except for JumpList, Open&SavePidlMRU, and lnk. There were also some cases where traces remained on the other three artifacts. Based on our research, forensic investigators can quickly identify whether a file-wiping tool has been used, and it can assist in decision-making for evidence collection and forensic triage.
2.
We present a novel approach for the construction and application of cryptographic hashes to user space memory for the purposes of verifying the provenance of code in memory images. Several key aspects of Windows behaviour which influence this process are examined in depth. Our approach is implemented and evaluated on a selection of malware samples with user space components as well as a collection of common Windows applications. The results demonstrate that our approach is highly effective at reducing the amount of memory requiring manual analysis, highlighting the presence of malicious code in all the malware sampled.
3.
Memory analysis has been successfully utilized to detect malware in many high-profile cases. The use of signature scanning to detect malicious tools is becoming an effective triaging and first response technique. In particular, the Yara library and scanner has emerged as the de facto standard in malware signature scanning for files, and there are many open source repositories of Yara rules. Previous attempts to incorporate Yara scanning in memory analysis yielded mixed results. This paper examines the differences between applying Yara signatures on files and in memory and how Yara signatures can be developed to effectively search for malware in memory. For the first time we document a technique to identify the process owner of a physical page using the Windows PFN database. We use this to develop a context-aware Yara scanning engine which can scan all processes simultaneously using a single pass over the physical image.
4.
Advances in technologies including development of smartphone features have contributed to the growth of mobile applications, including dating apps. However, online dating services can be misused. To support law enforcement investigations, a forensic taxonomy that provides a systematic classification of forensic artifacts from Windows Phone 8 (WP8) dating apps is presented in this study. The taxonomy has three categories, namely: Apps Categories, Artifacts Categories, and Data Partition Categories. This taxonomy is built based on the findings from a case study of 28 mobile dating apps, using mobile forensic tools. The dating app taxonomy can be used to inform future studies of dating and related apps, such as those from Android and iOS platforms.
5.
Small-scale digital device forensics is particularly critical as a result of the mobility of these devices, leading to closer proximity to crimes as they occur when compared to computers. The Windows Surface tablet is one such device, combining tablet mobility with familiar Microsoft Windows productivity tools. This research considers the acquisition and forensic analysis of the Windows Surface RT tablet. We discuss the artifacts of both the Windows RT operating system and third-party applications. The contribution of this research is to provide a road map for the digital forensic examination of Windows Surface RT tablets.
6.
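Since the Jing'an Branch of the Shanghai Municipal Public Security Bureau launched its "service window" integrity service program, public satisfaction has risen markedly. To further advance the development of "window" integrity services and to effectively promote public security work and the overall development of the police force, it is necessary, while gaining a clearer understanding of the main problems currently facing public security "window" integrity services and their causes, to identify the basic approaches to developing these services in terms of strengthening concepts, establishing mechanisms, exploring management models, and raising service levels.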
7.
Communication apps can be an important source of evidence in a forensic investigation (e.g., in the investigation of a drug trafficking or terrorism case where the communications apps were used by the accused persons during the transactions or planning activities). This study presents the first evidence‐based forensic taxonomy of Windows Phone communication apps, using an existing two‐dimensional Android forensic taxonomy as a baseline. Specifically, 30 Windows Phone communication apps, including Instant Messaging (IM) and Voice over IP (VoIP) apps, are examined. Artifacts extracted using physical acquisition are analyzed, and seven digital evidence objects of forensic interest are identified, namely: Call Log, Chats, Contacts, Locations, Installed Applications, SMSs and User Accounts. Findings from this study would help to facilitate timely and effective forensic investigations involving Windows Phone communication apps.
8.
9.
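Windows NT is a computer network operating system in wide use today, but its endless stream of vulnerabilities also opens a convenient door for intruders and poses a serious threat to the security of NT machines. Among the various attacks on and sabotage of Windows NT systems, how to discover, trace, and extract electronic evidence is the key to solving this kind of computer crime case. Port monitoring and detection, log inspection and auditing, and analysis of the relevant files and directories are effective methods of obtaining such electronic evidence.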
10.
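An Analysis of the Zero-Tolerance Policy   Total citations: 7, self-citations: 1, citations by others: 7
The crime rate in New York City fell sharply after 1994, and many media outlets, politicians, and police professionals attributed this to the effective implementation of the zero-tolerance policy, which made the policy a focus of attention and debate in many countries. The core idea of the zero-tolerance policy is that all forms of antisocial behavior and crime should be met with a severe response, and that even minor offenses should be fought thoroughly, without hesitation and without compromise. By examining the meaning, theoretical basis, history, practice, and social assessment of the zero-tolerance policy, this article explores the possibility of adopting the policy as a new direction for public security work in China today.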