Journal of digital forensic practice

Automated Windows Memoryfile Extraction For Cyber forensics Investigation



Abstract

In digital forensics, the first step in conducting an investigation is to acquire the evidence most relevant to the case. Physical memory contains the most recently accessed data and information about the state of a system, which makes it a valuable source of digital evidence. When a process runs or accesses a file, all or some parts of the process's executable or of the accessed data file are mapped into physical memory. In this article, we propose several methods to find files in memory and extract them, in order to rebuild the executable and data files that existed in physical memory at the time of the incident. We developed a memory analysis plug-in that implements this automated memory file extraction. Using this tool, we have been able to extract a wide range of data file types, including text, PDF, Java Archives (JAR), various logs, EVT (system event-log files, used by the system event viewer), HTML and many more. Investigators can use the results of this research to (1) compare the files found on disk with those extracted from memory to detect possible tampering, or (2) reconstruct files that no longer exist on disk. In addition, they can recover the most recent file modifications that have not yet been written back to the corresponding files on disk. Memory-extracted files can be used for correlation analysis together with other sources of evidence such as application or network log files, e-mail files, and data files found on disk.
