Forensically Robust Memory Image Acquisition Protocol Based on Windows Memory Analysis.

摘要

Collecting a forensically sound memory image from a 'live' system increases the effectiveness of the forensic investigation by providing analysts with enhanced data and context to extend the knowledge obtained from long term storage devices. * More, and better, data will most likely deliver better and more robust conclusions. * Enhanced understanding leads to better policy development and application. Why is it important. * Capability to inspect disks protected by whole disk encryption. * Recover passwords for files, folders, etc. without incurring in 'brute-force' methods. * Obtain 'up-to-date' data on actives processes. * Provide analysts with the capability to extract more information from the system by providing context to the 'swap' disk area. * Obtain active (and 'closing') network connections.