Abstract

With the ubiquitous application of IT in different industries, digital forensic has become an essential element in IT security for discovering and mitigating the root causes of IT incidents. In this context, forensics memory analysis has recently gained great attention in cyber forensics community. However, most of the proposals in this area have focused on the extraction of important kernel data structures such as executive objects from the memory. This thesis discusses techniques for forensic analysis of Windows physical memory. The state of the art on digital forensic with focus on memory forensic is elaborated in this thesis. Additionally the thesis introduces new techniques for Windows memory forensics. The techniques that are elaborated in this thesis are classified into two categories; physical memory parsing, and execution history analysis. The first category introduces different in-memory structures of Windows operating system that are of forensic value during a digital investigation. The second category proposes an approach to analyze the stack memory of process threads to reveal partial execution histories of processes. The result of applying this technique enables the investigator to discover what actions performed by processes at the time of the incident. An algorithm was developed for this purpose that produces all the possible execution history paths. At the end, the introduced techniques are evaluated and empirical results are provided.