Similar documents
1.
Forensic analysis of physical memory is gaining good attention from experts in the community, especially after the recent development of valuable tools and techniques. Investigators find it very helpful to seize physical memory contents and perform post-incident analysis of this potential evidence. Most of the research carried out focuses on enumerating processes and threads by accessing memory-resident objects. To collect case-sensitive information from the extracted memory content, the existing techniques usually rely on string matching. The most important contribution of the paper is a new technique for extracting sensitive information from physical memory. The technique is based on analyzing the call stack and the security-sensitive APIs. It allows extracting sensitive information that cannot be extracted by string-matching-based techniques. In addition, the paper leverages string matching to get a more reliable technique for analyzing and extracting what we call "application/protocol fingerprints". The proposed techniques and their implementation target machines running the Windows XP (SP1, SP2) operating system.

2.
This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.

4.
All Windows memory analysis techniques depend on the examiner's ability to translate the virtual addresses used by programs and operating system components into the true locations of data in a memory image. In some memory images up to 20% of all the virtual addresses in use point to so-called "invalid" pages that cannot be found using a naive method for address translation. This paper explains virtual address translation, enumerates the different states of invalid memory pages, and presents a more robust strategy for address translation. This new method incorporates invalid pages and even the paging file to greatly increase the completeness of the analysis. By using every available page, every part of the buffalo as it were, the examiner can better recreate the state of the machine as it existed at the time of imaging.

5.
In this paper we present the results of experiments we conducted on Suse Linux and Windows XP systems to determine the age of user process data in physical memory. To be able to measure the age of pages we used an artificial load program which time-stamps data segment and block device cache pages. Our goal was to compare the behaviour of both systems and to determine whether the rate of decay for user data depends on the demand for physical memory. Our findings show that Windows and Linux systems preserve almost the same number of pages with user data, and the age distribution of these pages does not change significantly with the level of demand.

6.
An image of a computer's physical memory can provide a forensic examiner with a wealth of information. A small area of system memory, the nonpaged pool, contains lots of information about currently and formerly active processes. As this paper shows, more than 90% of such information can be retrieved even 24 h after process termination under optimum conditions. Great care must be taken, as the acquisition process usually affects the memory contents to be acquired. In order to minimize the impact on volatile data, this paper for the first time analyzes the pool allocation mechanism of the Microsoft Windows operating system. It describes a test arrangement which allows obtaining a time series of physical memory images while also reducing the effect on the observed operating system. Using this environment it was found that allocations from the nonpaged pool are reused based on their size and a last-in, first-out schedule. In addition, a passive memory compaction strategy may apply. So, the creation of a new object is likely to eradicate the evidence of an object of the same class that was destroyed just before. The paper concludes with a discussion of the implications for incident response procedures, forensic examinations, and the creation of forensic tools.

9.
Lie detection procedures are typically aimed at determining the guilt or innocence of a single suspect. Serious security threats, however, often involve groups, such as terrorist networks or criminal organizations. In this report, we describe a variant of the skin-conductance-based Concealed Information Test (CIT) that allows for the extraction of critical information from such groups. Twelve participants were given information about an upcoming (mock) terrorist attack, with specific instructions not to reveal this information to anyone. Next, each subject was subjected to a CIT, with questions pertaining to the details of the attack. Results showed that for every question, the average skin conductance response to the correct answer option differed significantly (p < 0.05) from those to all other options. These results show that the information about the upcoming attack could be extracted from the group of terror suspects as a whole.

10.
The Windows registry serves as a primary storage location for system configurations and as such provides a wealth of information to investigators. Numerous researchers have worked to interpret the information stored in the registry from a digital forensic standpoint, but no definitive resource is yet available which describes how Windows deletes registry data structures under NT-based systems. This paper explores this topic and provides an algorithm for recovering deleted keys, values, and other structures in the context of the registry as a whole.

Combined use of three methods to extract DNA from exfoliated human epithelial cells
Objective: To find a way to improve the DNA detection rate of evidence carriers bearing exfoliated human cells in forensic biological examination. Methods: According to the specific condition of the case samples, three extraction methods were selected: the Chelex-100 method, Chelex-100 combined with the organic method, and Chelex-100 combined with the magnetic bead method. Results: Using stepwise DNA extraction, trace DNA could be extracted fully and effectively, raising the detection rate of usable DNA from exfoliated human epithelial cells. Conclusion: Adjusting the next extraction step according to the result of the first extraction step, for example whether to add purification and concentration, can increase the detection rate of usable DNA from exfoliated human epithelial cells.

16.
Research has indicated that traditional methods for accessing facial memories usually yield unidentifiable images. Recent research, however, has made important improvements in this area to the witness interview, the method used for constructing the face, and the recognition of finished composites. Here, we investigated whether three of these improvements would produce even more recognisable images when used in conjunction with each other. The techniques are holistic in nature: they involve processes which operate on an entire face. Forty participants first inspected an unfamiliar target face. Nominally 24 h later, they were interviewed using a standard type of cognitive interview (CI) to recall the appearance of the target, or an enhanced 'holistic' interview where the CI was followed by procedures for focussing on the target's character. Participants then constructed a composite using EvoFIT, a recognition-type system that requires repeatedly selecting items from face arrays, with 'breeding', to 'evolve' a composite. They either saw faces in these arrays with blurred external features, or an enhanced method where these faces were presented with masked external features. Then, further participants attempted to name the composites, first by looking at the face front-on, the normal method, and then for a second time by looking at the face side-on, which research demonstrates facilitates recognition. All techniques improved correct naming on their own, but together promoted highly recognisable composites with mean naming at 74% correct. The implication is that these techniques, if used together by practitioners, should substantially increase the detection of suspects using this forensic method of person identification.

17.
DNA is often difficult to extract from old bones and teeth due to low levels of DNA and high levels of degradation. This study established a simple yet efficient method for extracting DNA from 20 aged bones and teeth (approximately 60 years old). Based on the concentration and STR typing results, the new method of DNA extraction (OM) developed in this study was compared with the PrepFiler BTA Forensic DNA Extraction Kit (BM). The total amount of DNA extracted using the OM method was not significantly different from that extracted using the commercial kit (p > 0.05). However, the number of STR loci detected was significantly higher in the samples processed using the OM method than using the BM method (p < 0.05). This study aimed to establish a DNA extraction method for aged bones and teeth to improve the detection rate of STR typing and reduce costs compared to the BM technique.

18.
Comparison of six methods for extracting DNA from whole blood
畅晶晶, 张素华, 李莉. 法医学杂志 (Journal of Forensic Medicine), 2009, 25(2): 109-111, 114
Objective: To compare the differences in purity and yield of DNA extracted by six methods: the classical organic method, the modified organic method, the conventional Chelex-100 method, the IQ method, the Qiagen method and the SP method. Methods: 5 mL of venous whole blood was collected from each of 10 healthy volunteers. Genomic DNA was extracted from each sample by each of the six methods; the purity and concentration of the products were measured by UV spectrophotometry and fluorescence quantification, the yield was calculated, and the results were analysed with statistical software. Results: The purity of DNA obtained by the conventional Chelex-100 method was markedly lower than that of the other methods, while the differences in DNA purity among the other five methods were not statistically significant. The modified organic method gave the lowest yield and the IQ method the highest. Statistical analysis showed that the yield of whole-blood DNA extracted with the kit-based methods was significantly higher than with the classical organic method, the conventional Chelex-100 method and the modified organic method. Conclusion: Compared with the organic methods and the conventional Chelex-100 method, high-quality kit-based methods are more suitable for DNA extraction from forensic samples.

19.
DNA fragments in polyacrylamide gel were electroeluted into PCR buffer, PCR reagents were added, and the target DNA was amplified directly for further analysis. The recovery efficiency of the DNA fragments was 0.89 ± 0.05; the method is simple and rapid.
