Abstract

Containing most recently accessed data and information about the status of a computer system, physical memory is one of the best sources of digital evidence. This thesis presents new methods to analyze Windows physical memory of compromised computers for cyber forensics. The thesis includes three distinct contributions to cyber forensics investigation. Firstly, by digging into details of Windows memory management, forensically important information and data structures are identified. Secondly, we proposed different methods to find files and extract them out of memory in order to rebuild executable and data files. This helps investigators obtain valuable information available in executable or data files that have been in use at incident time. Thirdly, we presented two methods for extraction of forensically sensitive information such as usernames or passwords from memory. The first method is based on fingerprints of applications in memory. In the second method, we have been able to locate and extract arguments used in function calls. This method, leads to the acquisition of important and forensically sensitive information from the memory stack. Finally, to bring these contributions to application level, a framework for cyber forensics investigations has been developed that helps finding sensitive information