Venue: International Conference for Convergence of Technology

Extraction of forensic evidences from windows volatile memory



Abstract

Windows volatile memory maintains information about the various activities on the system, such as the running processes and their threads, open registry keys, and user authentication details. This paper details a technique to identify and extract the last access time of a registry key, based on the key control block of the key objects in use by a running process. The paper also details a technique to locate and extract the value of a registry key in use by a running process. A framework to reconstruct user activities from the registry keys accessed by running processes is proposed. The methods discussed in this paper have been verified on 32-bit Windows 7 and Windows 8 volatile memory dumps.