
Offline Forensic Analysis Of Microsoft Windows XP Physical Memory


Abstract

The rise of cyber crimes, combined with the recent use of computer viruses and malicious programs that reside only in volatile main memory, demands further development of appropriate forensic tools. Existing forensic tools that analyze non-volatile memory are not capable of analyzing volatile memory, and the few tools that are capable of detailed analysis of volatile memory are not openly available to the public. In this thesis, an open source tool is developed to analyze images of physical memory originating from the Windows XP and Windows 2003 Server operating systems. The tool, named Windows Physical Memory Offline Analyzer (WPMOA), scans the memory image and, utilizing input from the user, extracts relevant data from the various structures maintained by the Windows operating system. The WPMOA program automatically generates reports about the image and provides key information necessary for a user to perform additional manual investigation of the image beyond what is done automatically. This thesis details instructions on the preparation and use of the program, initial testing results of the program with actual physical memory images, and C language code for the program itself.
