
In lieu of swap: Analyzing compressed RAM in Mac OS X and Linux

Abstract

The forensics community is increasingly embracing the use of memory analysis to enhance traditional storage-based forensics techniques, because memory analysis yields a wealth of information not available on non-volatile storage. Memory analysis involves capture of a system's physical memory so that the live state of a system can be investigated, including executing and terminated processes, application data, network connections, and more. One aspect of memory analysis that remains elusive is investigation of the system's swap file, which is a backing store for the operating system's virtual memory system. Swap files are a potentially interesting source of forensic evidence, but traditionally, most swap file analysis has consisted of string searches and scans for small binary structures, which may in some cases be revelatory, but are also fraught with provenance issues. Unfortunately, more sophisticated swap file analysis is complicated by the difficulty of capturing mutually consistent memory dumps and swap files, the increasing use of swap file encryption, and other issues. Fortunately, compressed RAM facilities, such as those in Mac OS X Mavericks and recent versions of the Linux kernel, attempt to reduce or eliminate swapping to disk through compression. The storage of compressed pages in RAM both increases performance and offers an opportunity to gather digital evidence which in the past would have been swapped out. This paper discusses the difficulty of analyzing swap files in more detail, the compressed RAM facilities in Mac OS X and Linux, and our new tools for analysis of compressed RAM. These tools are integrated into the open-source Volatility framework.

© 2014 Digital Forensics Research Workshop. Published by Elsevier Ltd. All rights reserved.
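The abstract's central point is that a page held in a compressed store is invisible to the string searches that swap analysis has traditionally relied on, and becomes evidence only once the store is located and the page inflated. The following is an added illustration of that effect, written for this page; it is not code from the paper or from the Volatility framework. It builds a constructed memory image in which some pages are kept raw and others are deflated into a contiguous store, shows that a byte-level scan misses an artifact that lives only in a compressed page, and recovers it by locating and inflating the compressed pages. zlib is used only because it ships with Python and has a recognisable header; the real compressors (WKdm on OS X, LZO/LZ4 in the Linux kernel) emit raw streams with no magic bytes, so a real tool has to walk the kernel's own compressor metadata rather than carve for headers. The page size, store layout and sample page contents are all assumptions.

```python
"""Added illustration: evidence hidden in a compressed-RAM store.

Not the paper's tool and not Volatility code. zlib stands in for the
kernel's real compressor; PAGE_SIZE, the image layout and every page's
contents are constructed for this example.
"""
import re
import zlib

PAGE_SIZE = 4096  # assumed page size

# zlib header: CMF 0x78 followed by one of the four FLG bytes that pass the
# (CMF*256 + FLG) % 31 == 0 check. Only zlib has this; WKdm/LZO/LZ4 do not.
ZLIB_HEADER = re.compile(rb"\x78[\x01\x5e\x9c\xda]")


def build_image(plain_pages, compressed_pages):
    """Constructed sample image: raw pages first, then a page-aligned
    store holding each 'compressed' page as a separate deflate stream."""
    image = bytearray()
    for page in plain_pages:
        image += page.ljust(PAGE_SIZE, b"\x00")
    store = bytearray()
    for page in compressed_pages:
        store += zlib.compress(page.ljust(PAGE_SIZE, b"\x00"))
    store_len = -(-len(store) // PAGE_SIZE) * PAGE_SIZE  # round up to pages
    image += store.ljust(store_len, b"\x00")
    return bytes(image)


def string_scan(image, needle):
    """The traditional approach: offsets of every literal occurrence."""
    return [m.start() for m in re.finditer(re.escape(needle), image)]


def find_zlib_streams(image):
    """Carve complete zlib streams from the image.

    Returns [(offset, inflated_bytes)]. Offsets inside an already-inflated
    stream are skipped so that header-like bytes in compressed data do not
    produce false starts.
    """
    found = []
    skip_until = 0
    for m in ZLIB_HEADER.finditer(image):
        off = m.start()
        if off < skip_until:
            continue
        d = zlib.decompressobj()
        try:
            data = d.decompress(image[off:])
        except zlib.error:
            continue  # header-like bytes that are not a stream
        if not d.eof:
            continue  # truncated stream, not a whole page
        consumed = len(image) - off - len(d.unused_data)
        found.append((off, data))
        skip_until = off + consumed
    return found


def recover_from_compressed_store(image, needle):
    """Offsets of the needle inside inflated pages: (stream offset, offset in page)."""
    hits = []
    for stream_off, page in find_zlib_streams(image):
        for m in re.finditer(re.escape(needle), page):
            hits.append((stream_off, m.start()))
    return hits


# Constructed artifact and image: the key material exists only in a page
# that the (simulated) kernel compressed instead of swapping out.
SECRET = b"BEGIN RSA PRIVATE KEY"
IMAGE = build_image(
    plain_pages=[b"kernel code page", b"heap page with unrelated data"],
    compressed_pages=[
        b"# memory of an idle process\n-----" + SECRET + b"-----",
        b"another idle page with nothing of interest",
    ],
)

if __name__ == "__main__":
    print("raw scan for the artifact:", string_scan(IMAGE, SECRET))
    print("recovered from compressed pages:", recover_from_compressed_store(IMAGE, SECRET))
```

The raw scan returns nothing for the artifact although it still finds plaintext in the uncompressed pages, which is exactly the gap the abstract describes: compressed RAM moves data out of reach of string searches without moving it to disk. The carver works here only because zlib prefixes a header; for the kernel stores the paper targets, the equivalent step is to parse the compressor's page table and inflate each entry with the matching decompressor, which is what a Volatility plugin has to do.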
