1.
Forensic analysis of physical memory is gaining considerable attention from experts in the community, especially after the recent development of valuable tools and techniques. Investigators find it very helpful to seize physical memory contents and perform post-incident analysis of this potential evidence. Most of the research carried out focuses on enumerating processes and threads by accessing memory-resident objects. To collect case-relevant sensitive information from the extracted memory content, existing techniques usually rely on string matching. The most important contribution of the paper is a new technique for extracting sensitive information from physical memory. The technique is based on analyzing the call stack and the security-sensitive APIs. It allows extracting sensitive information that cannot be extracted by string matching-based techniques. In addition, the paper leverages string matching to obtain a more reliable technique for analyzing and extracting what we call "application/protocol fingerprints". The proposed techniques and their implementation target machines running the Windows XP (SP1, SP2) operating system.
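The string-matching side of this, as an added example (not code from the paper; the call-stack and API analysis that is the paper's contribution is not reproduced here): a scanner that pulls printable ASCII and UTF-16LE runs out of an image, the way `strings` and `strings -el` do, and applies application/protocol fingerprints to them, decoding a Basic-auth header when it finds one. The sample image, the fingerprints and every host, user and password in it are constructed for the example. It also shows why an ASCII-only pass is not enough on Windows, where strings are commonly UTF-16LE; what it cannot find is data that is never laid out as a printable string, which is the gap the paper's technique targets.

```python
import re
import base64
from typing import Iterator

# Constructed sample "memory image" (not a real dump): a few plaintext artefacts
# the way applications leave them in their pages, surrounded by filler. Windows
# programs often hold strings as UTF-16LE, so one artefact is encoded that way to
# show why an ASCII-only pass is not enough.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"GET /mail/inbox HTTP/1.1\r\nHost: webmail.example.test\r\n"
    + b"Authorization: Basic " + base64.b64encode(b"alice:Winter2024!") + b"\r\n\r\n"
    + b"\x90" * 32
    + b"EHLO smtp.example.test\r\nMAIL FROM:<alice@example.test>\r\n"
    + b"\x00" * 16
    + "ftp://bob:s3cret@files.example.test/".encode("utf-16-le")
    + b"\x00" * 16
    + b"SSH-2.0-OpenSSH_7.4\r\n"
    + b"\xff" * 40
)

# Printable runs of at least six characters, ASCII and UTF-16LE: the two passes
# that `strings` and `strings -el` make.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Application/protocol fingerprints, applied to each recovered string. The single
# capture group is the detail worth reporting (path, credential, host, version).
FINGERPRINTS = {
    "http-request": re.compile(r"^(?:GET|POST|HEAD) (/\S*) HTTP/1\.[01]$"),
    "http-basic-auth": re.compile(r"^Authorization: Basic ([A-Za-z0-9+/=]+)$"),
    "smtp-session": re.compile(r"^(?:EHLO|HELO) (\S+)$"),
    "smtp-envelope": re.compile(r"^MAIL FROM:<([^>]+)>$"),
    "url-with-credentials": re.compile(r"^[a-z]+://([^:/@\s]+:[^@\s]+)@"),
    "ssh-banner": re.compile(r"^SSH-2\.0-(\S+)$"),
}


def extract_strings(image: bytes) -> Iterator[tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run in the image."""
    for m in ASCII_RUN.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def scan_image(image: bytes) -> list[dict]:
    """Match every recovered string against the fingerprints; hits sorted by offset."""
    hits = []
    for offset, encoding, text in extract_strings(image):
        for name, pattern in FINGERPRINTS.items():
            m = pattern.search(text)
            if not m:
                continue
            detail = m.group(1)
            if name == "http-basic-auth":
                # Basic auth is base64, not encryption: the credential is
                # recoverable from the page as soon as the header is found.
                try:
                    detail = base64.b64decode(detail, validate=True).decode("utf-8", "replace")
                except ValueError:  # binascii.Error is a ValueError subclass
                    pass
            hits.append({"fingerprint": name, "offset": offset,
                         "encoding": encoding, "detail": detail})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for h in scan_image(SAMPLE_IMAGE):
        print(f"{h['offset']:#08x} {h['encoding']:<8} {h['fingerprint']:<22} {h['detail']}")
```

Run against a real image the same way (`scan_image(open(path, "rb").read())`); the fingerprint table is where a practitioner adds the protocols that matter to the case.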
2.
This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.
4.
Digital Investigation, 2007, 4(2): 68-72
In this paper we present the results of experiments we conducted on Suse Linux and Windows XP systems to determine the age of user process data in physical memory. To be able to measure the age of pages we used an artificial load program which time-stamps data segment and block device cache pages. Our goal was to compare the behaviour of both systems and to determine whether the rate of decay for user data depends on the demand for physical memory. Our findings show that Windows and Linux systems preserve almost the same number of pages with user data, and the age distribution of these pages does not change significantly with the level of demand.
5.
An image of a computer's physical memory can provide a forensic examiner with a wealth of information. A small area of system memory, the nonpaged pool, contains a great deal of information about currently and formerly active processes. As this paper shows, more than 90% of such information can be retrieved even 24 h after process termination under optimum conditions. Great care must be taken, as the acquisition process usually affects the memory contents to be acquired. In order to minimize the impact on volatile data, this paper for the first time analyzes the pool allocation mechanism of the Microsoft Windows operating system. It describes a test arrangement which allows a time series of physical memory images to be obtained while reducing the effect on the observed operating system. Using this environment it was found that allocations from the nonpaged pool are reused based on their size and on a last-in, first-out schedule. In addition, a passive memory compaction strategy may apply. So the creation of a new object is likely to eradicate the evidence of an object of the same class that was destroyed just before. The paper concludes with a discussion of the implications for incident response procedures, forensic examinations, and the creation of forensic tools.
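To make the reuse behaviour concrete, an added example (a model written for this note, not the paper's tooling and not the real Windows allocator): a toy pool whose freed blocks are kept per size in last-in, first-out order and are never scrubbed, together with a pool-scanning carver that finds blocks by tag whether or not they are in use. The header layout, the tags and the object names are invented for the example; the point it demonstrates is the paper's: the next same-size allocation lands on the block freed last, so it destroys precisely the freshest residue, while an allocation of another size leaves that residue untouched.

```python
from dataclasses import dataclass, field

HEADER = 8  # 2-byte block size, 1-byte pool type (1 = in use, 0 = free), 1 spare, 4-byte tag


@dataclass
class PoolModel:
    """Size-bucketed pool with LIFO reuse of freed blocks and no scrubbing.

    Loosely modelled on the Windows nonpaged pool as the paper describes it;
    the header layout and tags here are illustrative, not the real POOL_HEADER.
    """
    capacity: int = 4096
    memory: bytearray = field(init=False)
    free_lists: dict[int, list[int]] = field(default_factory=dict)  # size -> offsets
    brk: int = 0  # first byte never handed out

    def __post_init__(self) -> None:
        self.memory = bytearray(self.capacity)

    def allocate(self, size: int, tag: bytes, payload: bytes) -> int:
        """Return the offset of a block with `size` payload bytes, reusing the
        most recently freed block of that size first."""
        assert len(tag) == 4 and len(payload) <= size and size % 8 == 0
        stack = self.free_lists.setdefault(size, [])
        off = stack.pop() if stack else self._grow(size)
        self.memory[off:off + HEADER] = size.to_bytes(2, "little") + b"\x01\x00" + tag
        self.memory[off + HEADER:off + HEADER + size] = payload.ljust(size, b"\x00")
        return off

    def _grow(self, size: int) -> int:
        off, self.brk = self.brk, self.brk + HEADER + size
        if self.brk > self.capacity:
            raise MemoryError("pool exhausted")
        return off

    def free(self, off: int) -> None:
        """Mark the block free; tag and payload stay in place, as the paper observed."""
        size = int.from_bytes(self.memory[off:off + 2], "little")
        self.memory[off + 2] = 0
        self.free_lists.setdefault(size, []).append(off)

    def carve(self, tag: bytes) -> list[tuple[str, bool]]:
        """Pool scanning: every block carrying `tag`, in use or not, with its name payload."""
        found, off = [], 0
        while off < self.brk:
            size = int.from_bytes(self.memory[off:off + 2], "little")
            if self.memory[off + 4:off + 8] == tag:
                body = bytes(self.memory[off + HEADER:off + HEADER + size])
                found.append((body.split(b"\x00", 1)[0].decode(), self.memory[off + 2] == 1))
            off += HEADER + size
        return found


def scenario() -> dict:
    """Free two same-sized objects, then allocate again: which residue survives?"""
    pool = PoolModel()
    a = pool.allocate(64, b"Proc", b"notepad.exe")
    b = pool.allocate(64, b"Proc", b"cmd.exe")
    pool.free(a)
    pool.free(b)  # b is now the head of the 64-byte free list
    stages = {"after_free": pool.carve(b"Proc")}
    c = pool.allocate(64, b"Proc", b"calc.exe")  # takes b's block: cmd.exe residue is gone
    stages["after_same_size"] = pool.carve(b"Proc")
    stages["new_object_reused_last_freed"] = c == b
    pool.allocate(128, b"File", b"\\Device\\HarddiskVolume1\\report.doc")  # other bucket, fresh memory
    stages["after_other_size"] = pool.carve(b"Proc")
    pool.allocate(64, b"Proc", b"explorer.exe")  # takes a's block: the last residue goes
    stages["after_second_same_size"] = pool.carve(b"Proc")
    return stages


if __name__ == "__main__":
    for stage, result in scenario().items():
        print(f"{stage:30} {result}")
```

The practical reading for incident response is the one the paper draws: every process you start on the suspect machine before acquisition is a fresh same-class allocation, and on this schedule it overwrites the most recently terminated process's residue first.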
7.
Ewout H. Meijer, Fren T.Y. Smulders, Harald L.G.J. Merckelbach. Journal of Forensic Sciences, 2010, 55(6): 1607-1609
Lie detection procedures are typically aimed at determining guilt or innocence of a single suspect. Serious security threats, however, often involve groups, such as terrorist networks or criminal organizations. In this report, we describe a variant of the skin conductance-based Concealed Information Test (CIT) that allows for the extraction of critical information from such groups. Twelve participants were given information about an upcoming (mock) terrorist attack, with specific instructions not to reveal this information to anyone. Next, each subject was subjected to a CIT, with questions pertaining to the details of the attack. Results showed that for every question, the average skin conductance response to the correct answer option differed significantly (p < 0.05) from those to all other options. These results show that the information about the upcoming attack could be extracted from the group of terror suspects as a whole.
9.
The Windows registry serves as a primary storage location for system configurations and as such provides a wealth of information to investigators. Numerous researchers have worked to interpret the information stored in the registry from a digital forensic standpoint, but no definitive resource is yet available which describes how Windows deletes registry data structures under NT-based systems. This paper explores this topic and provides an algorithm for recovering deleted keys, values, and other structures in the context of the registry as a whole.
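For both this paper and the registry-in-memory paper above, an added example (not the authors' algorithm or tooling): it builds a constructed hive consisting of a minimal regf base block and one hbin holding live and deleted nk (key) and vk (value) records, then walks every cell using the rule that a cell's int32 size field is negative when the cell is allocated and positive when it is free, so a free cell that still carries an intact nk or vk header is a recoverable deleted key or value. The nk and vk layouts follow the regf format; the key names, values and timestamp are invented, and the base block is filled in only as far as the walk needs. The same cell walk applies to a bin located in a memory image; finding the bins there is what the other paper describes and is not reproduced here.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK = 0x1000  # the regf base block; hive bins follow it
HBIN_HDR = 0x20      # "hbin" header size

def _cell(record: bytes, allocated: bool) -> bytes:
    """Wrap a record in a cell: int32 size (negative = in use), 8-byte aligned."""
    size = (4 + len(record) + 7) & ~7
    return struct.pack("<i", -size if allocated else size) + record.ljust(size - 4, b"\x00")

def _nk(name: bytes, parent: int, filetime: int = 0x01D9A8C0E0000000) -> bytes:
    """Key node: the 0x4C-byte fixed header, then the (ASCII) name."""
    fixed = struct.pack("<HQ15IHH",
                        0x20,                      # flags: KEY_COMP_NAME
                        filetime,                  # last-written time (invented)
                        0, parent, 0, 0,           # access bits, parent, subkey counts
                        0xFFFFFFFF, 0xFFFFFFFF,    # subkey list offsets (none)
                        0, 0xFFFFFFFF,             # value count, value list offset
                        0xFFFFFFFF, 0xFFFFFFFF,    # security, class name offsets
                        0, 0, 0, 0, 0,             # max lengths, workvar
                        len(name), 0)              # name length, class length
    return b"nk" + fixed + name

def _vk(name: bytes, dtype: int, data: bytes) -> bytes:
    """Value: 0x14-byte header; data of four bytes or fewer sits inline in the offset field."""
    if len(data) <= 4:
        dsize, doff = len(data) | 0x80000000, int.from_bytes(data.ljust(4, b"\x00"), "little")
    else:
        dsize, doff = len(data), 0xFFFFFFFF  # separate data cell, omitted in this sample
    return b"vk" + struct.pack("<HIIIHH", len(name), dsize, doff, dtype, 1, 0) + name

def build_sample_hive() -> bytes:
    """Constructed hive: a minimal base block plus one hbin with live and deleted records."""
    cells = [
        (_nk(b"ROOT", 0xFFFFFFFF), True),
        (_nk(b"Run", 0x20), True),                       # parent = ROOT cell at hbins offset 0x20
        (_nk(b"Updater", 0x20), False),                  # deleted key: cell size left positive
        (_vk(b"OneDrive", 1, b"C:\\x.exe"), True),      # live REG_SZ
        (_vk(b"svc", 4, b"\x01\x00\x00\x00"), False),    # deleted REG_DWORD, data still inline
        (b"\x00" * 20, False),                           # free slack with no record
    ]
    body = b"".join(_cell(r, a) for r, a in cells)
    hbin_size = (HBIN_HDR + len(body) + 0xFFF) & ~0xFFF
    rest = hbin_size - HBIN_HDR - len(body)
    body += struct.pack("<i", rest) + b"\x00" * (rest - 4)  # trailing free cell fills the bin
    hbin = b"hbin" + struct.pack("<IIQQI", 0, hbin_size, 0, 0, 0) + body
    base = bytearray(BASE_BLOCK)
    base[0:4] = b"regf"
    struct.pack_into("<II", base, 0x24, 0x20, hbin_size)  # root cell offset, hive bins size
    return bytes(base) + hbin

def walk_cells(hive: bytes):
    """Yield (hbins-relative offset, allocated, record bytes) for every cell in every bin."""
    hbins_size = struct.unpack_from("<I", hive, 0x28)[0]
    pos = BASE_BLOCK
    while pos < BASE_BLOCK + hbins_size:
        if hive[pos:pos + 4] != b"hbin":
            raise ValueError(f"no hbin signature at {pos:#x}")
        end = pos + struct.unpack_from("<I", hive, pos + 8)[0]
        cur = pos + HBIN_HDR
        while cur < end:
            size = struct.unpack_from("<i", hive, cur)[0]
            if size == 0 or cur + abs(size) > end:
                raise ValueError(f"corrupt cell at {cur:#x}")
            yield cur - BASE_BLOCK, size < 0, hive[cur + 4:cur + abs(size)]
            cur += abs(size)
        pos = end

def filetime_to_datetime(ft: int) -> datetime:
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def recover_records(hive: bytes) -> list[dict]:
    """List every nk/vk record with its allocation state; free ones are the recoverable deletions."""
    out = []
    for off, allocated, rec in walk_cells(hive):
        if rec[:2] == b"nk" and len(rec) >= 0x4C:
            nlen = struct.unpack_from("<H", rec, 0x48)[0]
            if not 0 < nlen <= len(rec) - 0x4C:
                continue  # header survives but the name does not: not a clean recovery
            out.append({"offset": off, "kind": "key", "deleted": not allocated,
                        "name": rec[0x4C:0x4C + nlen].decode("latin-1"),
                        "written": filetime_to_datetime(struct.unpack_from("<Q", rec, 4)[0])})
        elif rec[:2] == b"vk" and len(rec) >= 0x14:
            nlen, dsize, _, dtype = struct.unpack_from("<HIII", rec, 2)
            if not 0 < nlen <= len(rec) - 0x14:
                continue
            inline = bool(dsize & 0x80000000)
            out.append({"offset": off, "kind": "value", "deleted": not allocated,
                        "name": rec[0x14:0x14 + nlen].decode("latin-1"), "type": dtype,
                        "data": rec[8:8 + (dsize & 0x7FFFFFFF)] if inline else None})
    return out

if __name__ == "__main__":
    for r in recover_records(build_sample_hive()):
        print(r)
```

A deleted key's last-written timestamp survives in the freed cell along with its name, which is why the example decodes it: it is often the only dating evidence for a key that no longer appears in the live tree. Values whose data lived in a separate cell need that cell walked too; the sample keeps only inline data.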
15.
Charlie D. Frowd, Faye Skelton, Gemma Hepton, Laura Holden, Simra Minahil, Melanie Pitchford, Alex McIntyre, Charity Brown, Peter J.B. Hancock. Science & Justice, 2013, 53(2): 89-97
Research has indicated that traditional methods for accessing facial memories usually yield unidentifiable images. Recent research, however, has made important improvements in this area to the witness interview, to the method used for constructing the face, and to the recognition of finished composites. Here, we investigated whether three of these improvements would produce even more recognisable images when used in conjunction with each other. The techniques are holistic in nature: they involve processes which operate on an entire face. Forty participants first inspected an unfamiliar target face. Nominally 24 h later, they were interviewed using a standard type of cognitive interview (CI) to recall the appearance of the target, or an enhanced 'holistic' interview where the CI was followed by procedures for focussing on the target's character. Participants then constructed a composite using EvoFIT, a recognition-type system that requires repeatedly selecting items from face arrays, with 'breeding', to 'evolve' a composite. They either saw faces in these arrays with blurred external features, or an enhanced method where these faces were presented with masked external features. Then, further participants attempted to name the composites, first by looking at the face front-on, the normal method, and then for a second time by looking at the face side-on, which research demonstrates facilitates recognition. All techniques improved correct naming on their own, but together promoted highly recognisable composites with mean naming at 74% correct. The implication is that these techniques, if used together by practitioners, should substantially increase the detection of suspects using this forensic method of person identification.
16.
Comparison of six DNA extraction methods for whole blood
Objective: To compare six methods, the classical organic method, the modified organic method, the conventional Chelex-100 method, the IQ method, the Qiagen method and the SP method, in terms of the purity and yield of the DNA extracted. Methods: 5 mL of venous whole blood was collected from each of 10 healthy volunteers, and genomic DNA was extracted with each of the six methods. The purity and concentration of the product were measured by UV spectrophotometry and fluorescence quantitation, the yield was calculated, and the results were analysed with statistical software. Results: The purity of the DNA obtained with the conventional Chelex-100 method was clearly lower than with the other methods, while the differences in purity among the other five methods were not statistically significant. The modified organic method gave the lowest yield and the IQ method the highest. Statistical analysis showed that the yield of whole-blood DNA from the kit-based methods was significantly higher than that from the classical organic, conventional Chelex-100 and modified organic methods. Conclusion: Compared with the organic methods and the conventional Chelex-100 method, high-quality kit-based methods are better suited to DNA extraction from forensic samples.
17.
DNA fragments in polyacrylamide gel were electroeluted in PCR buffer, PCR reagents were added, and the target DNA was amplified directly for further analysis. The recovery efficiency of the DNA fragments was 0.89 ± 0.05. The method is simple and rapid.
19.
The ability to obtain DNA profiles from trace biological evidence is routinely demonstrated with so-called 'touch DNA evidence', which is generally perceived to be the result of DNA obtained from shed skin cells transferred from a donor's hands to an object or person during direct physical contact. Current methods for the recovery of trace DNA employ swabs or adhesive tape to sample an area of interest. While of practical utility, such 'blind-swabbing' approaches will necessarily co-sample cellular material from the different individuals whose cells are present on the item, even though the individuals' cells are principally located in topographically dispersed, but distinct, locations on the item. Thus the act of swabbing itself artifactually creates some of the DNA mixtures encountered in touch DNA samples. In some instances involving transient contact between an assailant and victim, the victim's DNA may be found in such significant excess as to preclude the detection and typing of the perpetrator's DNA. In order to circumvent the challenges with standard recovery and analysis methods for touch DNA evidence, we previously reported the development of a 'smart analysis' single cell recovery and DNA analysis method that results in enhanced genetic analysis of touch DNA evidence. Here we use the smart single cell analysis method to recover probative single source profiles from individual and agglomerated cells from various touched objects and clothing items belonging to known donors. We then use the same approach for the detection of single source male donor DNA in simulated physical contact/assault mixture samples (i.e. a male 'assailant' grabbing the wrist, neck or clothing of the female 'victim', or being in transient contact with bedding from the 'victim'). DNA profiles attributable to the male or female known donors were obtained from 31% and 35% of the single and agglomerated bio-particles (putative cells) tested. The known male donor 'assailant' DNA profile was identified in the cell sampling from every mixture type tested. The results of this work demonstrate the efficacy of an alternative strategy to recover single source perpetrator DNA profiles in physical contact/assault cases involving trace perpetrator/victim cellular admixtures.
20.
Since 2008, our laboratory has adopted a systematic approach to the examination of gunshot residues (GSR) in casework by analysing, whenever possible, the inorganic composition present in ammunition (cartridge cases and unused ammunition). By compiling the results of these analyses in a database, it is possible to observe some trends during the period of interest: on the one hand, the prevalence of primers containing lead, barium and antimony is about 50%, and even as high as 70% when including lead-barium-antimony based primers also containing tin; on the other hand, the prevalence of non-toxic primers is for the time being very low. Still using the same approach, test firings were performed with recovered weapons and the questioned ammunition whenever possible, in order to estimate the influence of the well-known "memory effect" of the weapons on the GSR analysis results. The first results show a quite strong memory effect for the .22 and .32 calibers, unlike the .38 caliber. This is probably due to a high prevalence of lead-barium-antimony based primers for the latter caliber.