
Analysis of Windows memory for forensic investigations


Analysis of Windows memory for forensic investigations

Hejazi, Seyed Mahmood (2009) Analysis of Windows memory for forensic investigations. Masters thesis, Concordia University.

Full text: MR63196.pdf (application/pdf) - Accepted Version


Containing the most recently accessed data and information about the status of a computer system, physical memory is one of the best sources of digital evidence. This thesis presents new methods to analyze the Windows physical memory of compromised computers for cyber forensics. The thesis includes three distinct contributions to cyber forensics investigation. Firstly, by digging into the details of Windows memory management, forensically important information and data structures are identified. Secondly, we propose different methods to find files and extract them from memory in order to rebuild executable and data files. This helps investigators obtain valuable information available in executable or data files that were in use at incident time. Thirdly, we present two methods for the extraction of forensically sensitive information, such as usernames or passwords, from memory. The first method is based on the fingerprints of applications in memory. In the second method, we locate and extract the arguments used in function calls; this leads to the acquisition of important and forensically sensitive information from the memory stack. Finally, to bring these contributions to the application level, a framework for cyber forensics investigations has been developed that helps find sensitive information

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Hejazi, Seyed Mahmood
Pagination: ix, 115 leaves : ill. ; 29 cm.
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Institute for Information Systems Engineering
Thesis Supervisor(s): Debbabi, Mourad
Identification Number: LE 3 C66Q35M 2009 H44
ID Code: 976393
Deposited By: Concordia University Library
Deposited On: 22 Jan 2013 16:24
Last Modified: 13 Jul 2020 20:10
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
