A plenty of computer evidence cannot be seized from hard disks, they must be seized from physical memory of the computer system, once the computer system is powered off, they will all be disappeared. In this paper, the basic concepts and related works of physical memory forensic analysis are presented, and the key technology of physical memory forensic analysis of Windows systems is investigated. An example about physical memory forensic analysis of Windows system is also given. Finally based on the analysis of the deficiency for the current work on physical memory forensic analysis, future work on the improvement of physical memory forensic analysis is discussed.
展开▼
