SlideShare a Scribd company logo

Study on Live analysis of Windows Physical Memory

IOSR Journals
IOSR Journals

Abstract: Memory forensics and data carving methods are usually used during volatile investigation and is nowadays a big area of interest. Volatile memory dump is used for offline analysis of live data. Live analysis of the running system gives the information of which events are going on. Volatile memory analysis can give the sensitive information such as User Ids, Passwords, Hidden Processes, Root kits, Sockets etc. which are not stored on the physical drive. This Paper represents various approaches and tools used to capture and analyse data from computer memory. Keywords: Memory forensics, RAM, sensitive information.

Engineering
1 of 5
Download to read offline
IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661, p- ISSN: 2278-8727Volume 15, Issue 4 (Nov. - Dec. 2013), PP 76-80 www.iosrjournals.org www.iosrjournals.org 76 | Page Study on Live analysis of Windows Physical Memory Divyang Rahevar Institute of Forensic Science, Gujarat Forensic Sciences University, Gujarat, India Abstract: Memory forensics and data carving methods are usually used during volatile investigation and is nowadays a big area of interest. Volatile memory dump is used for offline analysis of live data. Live analysis of the running system gives the information of which events are going on. Volatile memory analysis can give the sensitive information such as User Ids, Passwords, Hidden Processes, Root kits, Sockets etc. which are not stored on the physical drive. This Paper represents various approaches and tools used to capture and analyse data from computer memory. Keywords: Memory forensics, RAM, sensitive information. I. Introduction The volatile data is referred to as stateful information from the subject system while it is remain powered on [1]. Memory forensics can be done by two approaches mainly Hardware based and Software based. For Analysing the Live Memory we have to first create the dump of the live system. There are so many Tools are available for dumping the memory. Why the investigator has to dump the live memory? When an investigator interacts with the live system there may be chances of the altering data which may cause loss of evidence. Digital evidence is very sensitive and can be easily altered. With live analysis data is collected from a running system [2]. II. Memory Dump There are mainly two approaches for acquire physical memory images: Hardware based tools and Software based tools. In this paper the focus is on the software based tools. There are so many tools available for capturing the live memory. These tools can give the image of the live RAM. Here I have explained two different tools for imaging the live memory. DumpIt is a compact portable tool which makes it easy to save the content of the physical memory [3]. The DumpIt tool is a very user-friendly just you have to double click on it and the below screen appear. Figure 1: Creating memory dump using DumpIt. When you run the DumpIt it will ask for the imaging .and shows the destination path to where the image has been created. After pressing „y‟ it will proceed for memory dump and creates the memory image at the destination path and shows the status „success‟. The file type is the .raw file. By using this dump file the investigator has to analyse the data which are stored in the RAM. There are some analysis tools which are discussed in next section.
Study on Live analysis of Windows Physical Memory www.iosrjournals.org 77 | Page The second software which I have used for memory dump is the FTK Imager from Access Data[4]. Figure 2: Memory capture using FTK Imager. By clicking on a capture Memory option the new window opens which asks about the destination path of the imaged memory. Figure 3: capture memory option using FTK Imager. The image file which is created by the FTK Imager is having .mem extension. This will capture the all the processes which are running at the time of imaging and also the dll files which are used by the processes. The live memory acquisition is very helpful in the forensic investigation. It will give the sensitive information which is not stored in the physical memory. It gives the information of the open ports, malwares and the unusual things happen to the machine. III. Memory Analysis After creating the dump of the live memory the next and important step is to analyse the memory. In this step the investigator has to analyse carefully because he/she can find the potential evidence from the memory image. By analysing the memory we can get the running processes, list of dlls which are running at a time, open ports, network connections. This information is commonly concerned by a forensic investigator [3]. There are different tools used for memory analysis also. Here I have explained some of them. For the best result of the memory analysis the tool is WinHex [5]. By using the searching ability from the image the Autopsy [6] is a very good tool for finding the sensitive data in a string format. Using Autopsy there are some interesting and sensitive data I found. First open the Autopsy and load the image to which we want to analyse.
Study on Live analysis of Windows Physical Memory www.iosrjournals.org 78 | Page Figure 4 : Memory analysis using Autopsy By loading the memory image it will gives the list of Email Addresses which are stored in the address book of email or captured from the websites visited. Figure 5: Email Ids stored in memory using Autopsy Analysing memory using Autopsy it will shows the Email messages which are store in the RAM. This may become the potential evidence. Figure 6: Email messages stored in memory dump Using Autopsy The keyword search is very important for analysing the live memory dump. By using key word searching it will become the faster to search the evidences. The Next tool which is used for memory analysis is the WinHex. The tool WinHex is in its core a universal hexadecimal editor, particularly helpful in computer forensics, data recovery, low-level data processing, IT security [7].
Study on Live analysis of Windows Physical Memory www.iosrjournals.org 79 | Page The WinHex has showed the visited websites from the memory dump. Figure 7: Visited websites using WinHex. Using this tool we can find lots of sensitive information. In this memory dump I have found the login in to some account which shows the username and password. Figure 8: Username and password using WinHex. As shown in the Autopsy, Here also we can get the information of email message. Here the user got an email message which is stored in the memory. Figure 9 : Email message showing in WinHex. These all are the information which we can get through different tools. The tools which are used for the analysing the memory have their different approach. The above tools are the graphical tools, there are some other tools which also do the memory analysis. The volatility framework is also used for the memory analysis. There are so many papers available for the volatility. The volatility is powerful and gives the information about the hidden processes, dll lists, open ports, malwares, and registry information [3]. The PTFinder is a perl script that can use for finding out processes and threads. This script searches for EPROCESS structures and perform a series of comparisons against rules to ensure the authenticity [8][9].
Study on Live analysis of Windows Physical Memory www.iosrjournals.org 80 | Page IV. Conclusion There are so many tools and techniques are available for memory acquisition and analysis. They all have different methods and different approaches. It is very good to find out the sensitive information from the memory. This is helpful for solving the cyber crimes. The data which is stored in the RAM are changes repeatedly. The data are overwritten every time. The tools which are used for analysis and capturing the memory have to be develop more powerful with coming years. References [1] Cutifa Safitri , “A Study: Volatility Forensic on Hidden Files”, International Journal of Science and Research (IJSR), India Online ISSN: 2319-7064 [2] Sasa Mrdovic, Alvin Huseinovic, Ernedin Zajko, “Combining Static and Live Digital Forensic Analysis in Virtual Environment” [3] Liming Cai, Jing Sha ,Wei Qian,” Study on Forensic Analysis of Physical Memory” [4] FTKImager download , http://www.accessdata.com/support/product-downloads [5] X-ways software Technology AG, WinHex Editor http://winhex.com/winhex/ [6] Autopsy download , http://www.sleuthkit.org/autopsy/ [7] Qian Zhao, Tianjie Cao, “Collecting Sensitive Information from Windows Physical Memory”, JOURNAL OF COMPUTERS, VOL. 4, NO. 1, JANUARY 2009 [8] Gabriela Limon Garcia,” Forensic physical memory analysis:an overview of tools and techniques ” [9] Andrea Schuster, Searching for processes and threads in Microsoft Windows memory dumps. Digital forensic research workgroup, 2007.

Recommended

An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...ijsrd.com
 
Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the ArchiveGarethKnight
 
Computer system and it class 1
Computer system and it class 1Computer system and it class 1
Computer system and it class 1Sajib Mahmood
 
How to Recover Lost Files
How to Recover Lost FilesHow to Recover Lost Files
How to Recover Lost FilesYodot
 
Computer forensic lifecycle
Computer forensic lifecycleComputer forensic lifecycle
Computer forensic lifecycleComputer Forensic Expert
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f
 
Computer system organization unit i chapter 1
Computer system organization unit i chapter 1Computer system organization unit i chapter 1
Computer system organization unit i chapter 1vinodchand10
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source ForensicsCTIN
 

Recommended

An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...An Analyzing of different Techniques and Tools to Recover Data from Volatile ...
An Analyzing of different Techniques and Tools to Recover Data from Volatile ...ijsrd.com
 
Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the ArchiveGarethKnight
 
Computer system and it class 1
Computer system and it class 1Computer system and it class 1
Computer system and it class 1Sajib Mahmood
 
How to Recover Lost Files
How to Recover Lost FilesHow to Recover Lost Files
How to Recover Lost FilesYodot
 
Computer forensic lifecycle
Computer forensic lifecycleComputer forensic lifecycle
Computer forensic lifecycleComputer Forensic Expert
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f
 
Computer system organization unit i chapter 1
Computer system organization unit i chapter 1Computer system organization unit i chapter 1
Computer system organization unit i chapter 1vinodchand10
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source ForensicsCTIN
 
AppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and ResponseAppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and Responsejtmelton
 
Open Source Monitoring in 2014, from #monitoringssucks to #monitoringlove and...
Open Source Monitoring in 2014, from #monitoringssucks to #monitoringlove and...Open Source Monitoring in 2014, from #monitoringssucks to #monitoringlove and...
Open Source Monitoring in 2014, from #monitoringssucks to #monitoringlove and...Kris Buytaert
 
Devops is not about Tooling
Devops is not about ToolingDevops is not about Tooling
Devops is not about ToolingKris Buytaert
 
Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017Bryce Kunz
 
Time to say goodbye to your Nagios based setup
Time to say goodbye to your Nagios based setupTime to say goodbye to your Nagios based setup
Time to say goodbye to your Nagios based setupCheck my Website
 
The Wireless Remote Control Car Based On Arm9
The Wireless Remote Control Car Based On Arm9The Wireless Remote Control Car Based On Arm9
The Wireless Remote Control Car Based On Arm9IOSR Journals
 
Vessels Extraction from Retinal Images
Vessels Extraction from Retinal ImagesVessels Extraction from Retinal Images
Vessels Extraction from Retinal ImagesIOSR Journals
 
C0561419
C0561419C0561419
C0561419IOSR Journals
 
A New Theory of the Structure of Matter
A New Theory of the Structure of MatterA New Theory of the Structure of Matter
A New Theory of the Structure of MatterIOSR Journals
 
Presenting a Pattern for Increasing the Relative Efficiency of the Bank by Us...
Presenting a Pattern for Increasing the Relative Efficiency of the Bank by Us...Presenting a Pattern for Increasing the Relative Efficiency of the Bank by Us...
Presenting a Pattern for Increasing the Relative Efficiency of the Bank by Us...IOSR Journals
 
Awareness of Orthodontic Treatment in School Children of Karnataka State – A ...
Awareness of Orthodontic Treatment in School Children of Karnataka State – A ...Awareness of Orthodontic Treatment in School Children of Karnataka State – A ...
Awareness of Orthodontic Treatment in School Children of Karnataka State – A ...IOSR Journals
 
An Investigation into the Antecedents of International Business Operations in...
An Investigation into the Antecedents of International Business Operations in...An Investigation into the Antecedents of International Business Operations in...
An Investigation into the Antecedents of International Business Operations in...IOSR Journals
 
Cationic and anionic dye adsorption by agricultural solid wastes: A comprehen...
Cationic and anionic dye adsorption by agricultural solid wastes: A comprehen...Cationic and anionic dye adsorption by agricultural solid wastes: A comprehen...
Cationic and anionic dye adsorption by agricultural solid wastes: A comprehen...IOSR Journals
 
Hybrid Algorithm for Dose Calculation in Cms Xio Treatment Planning System
Hybrid Algorithm for Dose Calculation in Cms Xio Treatment Planning SystemHybrid Algorithm for Dose Calculation in Cms Xio Treatment Planning System
Hybrid Algorithm for Dose Calculation in Cms Xio Treatment Planning SystemIOSR Journals
 
Neonatal Omphalitis in Iraq
Neonatal Omphalitis in IraqNeonatal Omphalitis in Iraq
Neonatal Omphalitis in IraqIOSR Journals
 
Enhancement of New Channel Equalizer Using Adaptive Neuro Fuzzy Inference System
Enhancement of New Channel Equalizer Using Adaptive Neuro Fuzzy Inference SystemEnhancement of New Channel Equalizer Using Adaptive Neuro Fuzzy Inference System
Enhancement of New Channel Equalizer Using Adaptive Neuro Fuzzy Inference SystemIOSR Journals
 
Structural analysis of the magnetic poles of the 20 MeV Injector Microtron.
Structural analysis of the magnetic poles of the 20 MeV Injector Microtron.Structural analysis of the magnetic poles of the 20 MeV Injector Microtron.
Structural analysis of the magnetic poles of the 20 MeV Injector Microtron.IOSR Journals
 
The Impact of International Businesses in a Global Economy: An Interdisciplin...
The Impact of International Businesses in a Global Economy: An Interdisciplin...The Impact of International Businesses in a Global Economy: An Interdisciplin...
The Impact of International Businesses in a Global Economy: An Interdisciplin...IOSR Journals
 
Comparison of PMD Compensation in WDM Systems
Comparison of PMD Compensation in WDM SystemsComparison of PMD Compensation in WDM Systems
Comparison of PMD Compensation in WDM SystemsIOSR Journals
 
Designing of CSIW Horn Antenna
Designing of CSIW Horn AntennaDesigning of CSIW Horn Antenna
Designing of CSIW Horn AntennaIOSR Journals
 
Live Forensics Analysis Method for Random Access Memory on Laptop Devices
Live Forensics Analysis Method for Random Access Memory on Laptop DevicesLive Forensics Analysis Method for Random Access Memory on Laptop Devices
Live Forensics Analysis Method for Random Access Memory on Laptop DevicesIJCSIS Research Publications
 
Comparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction ToolsComparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction Toolsijtsrd
 

More Related Content

Viewers also liked

AppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and ResponseAppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and Responsejtmelton
 
Open Source Monitoring in 2014, from #monitoringssucks to #monitoringlove and...
Open Source Monitoring in 2014, from #monitoringssucks to #monitoringlove and...Open Source Monitoring in 2014, from #monitoringssucks to #monitoringlove and...
Open Source Monitoring in 2014, from #monitoringssucks to #monitoringlove and...Kris Buytaert
 
Devops is not about Tooling
Devops is not about ToolingDevops is not about Tooling
Devops is not about ToolingKris Buytaert
 
Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017Bryce Kunz
 
Time to say goodbye to your Nagios based setup
Time to say goodbye to your Nagios based setupTime to say goodbye to your Nagios based setup
Time to say goodbye to your Nagios based setupCheck my Website
 
The Wireless Remote Control Car Based On Arm9
The Wireless Remote Control Car Based On Arm9The Wireless Remote Control Car Based On Arm9
The Wireless Remote Control Car Based On Arm9IOSR Journals
 
Vessels Extraction from Retinal Images
Vessels Extraction from Retinal ImagesVessels Extraction from Retinal Images
Vessels Extraction from Retinal ImagesIOSR Journals
 
A New Theory of the Structure of Matter
A New Theory of the Structure of MatterA New Theory of the Structure of Matter
A New Theory of the Structure of MatterIOSR Journals
 
Presenting a Pattern for Increasing the Relative Efficiency of the Bank by Us...
Presenting a Pattern for Increasing the Relative Efficiency of the Bank by Us...Presenting a Pattern for Increasing the Relative Efficiency of the Bank by Us...
Presenting a Pattern for Increasing the Relative Efficiency of the Bank by Us...IOSR Journals
 
Awareness of Orthodontic Treatment in School Children of Karnataka State – A ...
Awareness of Orthodontic Treatment in School Children of Karnataka State – A ...Awareness of Orthodontic Treatment in School Children of Karnataka State – A ...
Awareness of Orthodontic Treatment in School Children of Karnataka State – A ...IOSR Journals
 
An Investigation into the Antecedents of International Business Operations in...
An Investigation into the Antecedents of International Business Operations in...An Investigation into the Antecedents of International Business Operations in...
An Investigation into the Antecedents of International Business Operations in...IOSR Journals
 
Cationic and anionic dye adsorption by agricultural solid wastes: A comprehen...
Cationic and anionic dye adsorption by agricultural solid wastes: A comprehen...Cationic and anionic dye adsorption by agricultural solid wastes: A comprehen...
Cationic and anionic dye adsorption by agricultural solid wastes: A comprehen...IOSR Journals
 
Hybrid Algorithm for Dose Calculation in Cms Xio Treatment Planning System
Hybrid Algorithm for Dose Calculation in Cms Xio Treatment Planning SystemHybrid Algorithm for Dose Calculation in Cms Xio Treatment Planning System
Hybrid Algorithm for Dose Calculation in Cms Xio Treatment Planning SystemIOSR Journals
 
Neonatal Omphalitis in Iraq
Neonatal Omphalitis in IraqNeonatal Omphalitis in Iraq
Neonatal Omphalitis in IraqIOSR Journals
 
Enhancement of New Channel Equalizer Using Adaptive Neuro Fuzzy Inference System
Enhancement of New Channel Equalizer Using Adaptive Neuro Fuzzy Inference SystemEnhancement of New Channel Equalizer Using Adaptive Neuro Fuzzy Inference System
Enhancement of New Channel Equalizer Using Adaptive Neuro Fuzzy Inference SystemIOSR Journals
 
Structural analysis of the magnetic poles of the 20 MeV Injector Microtron.
Structural analysis of the magnetic poles of the 20 MeV Injector Microtron.Structural analysis of the magnetic poles of the 20 MeV Injector Microtron.
Structural analysis of the magnetic poles of the 20 MeV Injector Microtron.IOSR Journals
 
The Impact of International Businesses in a Global Economy: An Interdisciplin...
The Impact of International Businesses in a Global Economy: An Interdisciplin...The Impact of International Businesses in a Global Economy: An Interdisciplin...
The Impact of International Businesses in a Global Economy: An Interdisciplin...IOSR Journals
 
Comparison of PMD Compensation in WDM Systems
Comparison of PMD Compensation in WDM SystemsComparison of PMD Compensation in WDM Systems
Comparison of PMD Compensation in WDM SystemsIOSR Journals
 
Designing of CSIW Horn Antenna
Designing of CSIW Horn AntennaDesigning of CSIW Horn Antenna
Designing of CSIW Horn AntennaIOSR Journals
 

Viewers also liked (20)

AppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and ResponseAppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and Response
 
Open Source Monitoring in 2014, from #monitoringssucks to #monitoringlove and...
Open Source Monitoring in 2014, from #monitoringssucks to #monitoringlove and...Open Source Monitoring in 2014, from #monitoringssucks to #monitoringlove and...
Open Source Monitoring in 2014, from #monitoringssucks to #monitoringlove and...
 
Devops is not about Tooling
Devops is not about ToolingDevops is not about Tooling
Devops is not about Tooling
 
Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017
 
Time to say goodbye to your Nagios based setup
Time to say goodbye to your Nagios based setupTime to say goodbye to your Nagios based setup
Time to say goodbye to your Nagios based setup
 
The Wireless Remote Control Car Based On Arm9
The Wireless Remote Control Car Based On Arm9The Wireless Remote Control Car Based On Arm9
The Wireless Remote Control Car Based On Arm9
 
Vessels Extraction from Retinal Images
Vessels Extraction from Retinal ImagesVessels Extraction from Retinal Images
Vessels Extraction from Retinal Images
 
C0561419
C0561419C0561419
C0561419
 
A New Theory of the Structure of Matter
A New Theory of the Structure of MatterA New Theory of the Structure of Matter
A New Theory of the Structure of Matter
 
Presenting a Pattern for Increasing the Relative Efficiency of the Bank by Us...
Presenting a Pattern for Increasing the Relative Efficiency of the Bank by Us...Presenting a Pattern for Increasing the Relative Efficiency of the Bank by Us...
Presenting a Pattern for Increasing the Relative Efficiency of the Bank by Us...
 
Awareness of Orthodontic Treatment in School Children of Karnataka State – A ...
Awareness of Orthodontic Treatment in School Children of Karnataka State – A ...Awareness of Orthodontic Treatment in School Children of Karnataka State – A ...
Awareness of Orthodontic Treatment in School Children of Karnataka State – A ...
 
An Investigation into the Antecedents of International Business Operations in...
An Investigation into the Antecedents of International Business Operations in...An Investigation into the Antecedents of International Business Operations in...
An Investigation into the Antecedents of International Business Operations in...
 
Cationic and anionic dye adsorption by agricultural solid wastes: A comprehen...
Cationic and anionic dye adsorption by agricultural solid wastes: A comprehen...Cationic and anionic dye adsorption by agricultural solid wastes: A comprehen...
Cationic and anionic dye adsorption by agricultural solid wastes: A comprehen...
 
Hybrid Algorithm for Dose Calculation in Cms Xio Treatment Planning System
Hybrid Algorithm for Dose Calculation in Cms Xio Treatment Planning SystemHybrid Algorithm for Dose Calculation in Cms Xio Treatment Planning System
Hybrid Algorithm for Dose Calculation in Cms Xio Treatment Planning System
 
Neonatal Omphalitis in Iraq
Neonatal Omphalitis in IraqNeonatal Omphalitis in Iraq
Neonatal Omphalitis in Iraq
 
Enhancement of New Channel Equalizer Using Adaptive Neuro Fuzzy Inference System
Enhancement of New Channel Equalizer Using Adaptive Neuro Fuzzy Inference SystemEnhancement of New Channel Equalizer Using Adaptive Neuro Fuzzy Inference System
Enhancement of New Channel Equalizer Using Adaptive Neuro Fuzzy Inference System
 
Structural analysis of the magnetic poles of the 20 MeV Injector Microtron.
Structural analysis of the magnetic poles of the 20 MeV Injector Microtron.Structural analysis of the magnetic poles of the 20 MeV Injector Microtron.
Structural analysis of the magnetic poles of the 20 MeV Injector Microtron.
 
The Impact of International Businesses in a Global Economy: An Interdisciplin...
The Impact of International Businesses in a Global Economy: An Interdisciplin...The Impact of International Businesses in a Global Economy: An Interdisciplin...
The Impact of International Businesses in a Global Economy: An Interdisciplin...
 
Comparison of PMD Compensation in WDM Systems
Comparison of PMD Compensation in WDM SystemsComparison of PMD Compensation in WDM Systems
Comparison of PMD Compensation in WDM Systems
 
Designing of CSIW Horn Antenna
Designing of CSIW Horn AntennaDesigning of CSIW Horn Antenna
Designing of CSIW Horn Antenna
 

Similar to Study on Live analysis of Windows Physical Memory

Live Forensics Analysis Method for Random Access Memory on Laptop Devices
Live Forensics Analysis Method for Random Access Memory on Laptop DevicesLive Forensics Analysis Method for Random Access Memory on Laptop Devices
Live Forensics Analysis Method for Random Access Memory on Laptop DevicesIJCSIS Research Publications
 
Comparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction ToolsComparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction Toolsijtsrd
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics reportyash sawarkar
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxsmile790243
 
ICT741 Digital Forensics.docx
ICT741 Digital Forensics.docxICT741 Digital Forensics.docx
ICT741 Digital Forensics.docxwrite4
 
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...theijes
 
A Literature Review On Cyber Forensic And Its Analysis Tools
A Literature Review On Cyber Forensic And Its Analysis ToolsA Literature Review On Cyber Forensic And Its Analysis Tools
A Literature Review On Cyber Forensic And Its Analysis ToolsSamantha Vargas
 
How to Use Linux Forensic Analysis Tools for Digital Investigations.pdf
How to Use Linux Forensic Analysis Tools for Digital Investigations.pdfHow to Use Linux Forensic Analysis Tools for Digital Investigations.pdf
How to Use Linux Forensic Analysis Tools for Digital Investigations.pdfuzair
 
Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...
Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...
Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...IJCSIS Research Publications
 
Experimental Analysis of Web Browser Sessions Using Live Forensics Method
Experimental Analysis of Web Browser Sessions Using Live Forensics Method Experimental Analysis of Web Browser Sessions Using Live Forensics Method
Experimental Analysis of Web Browser Sessions Using Live Forensics Method IJECEIAES
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesSandeep Kumar Seeram
 
Live memory analysis tools and techniques in linux environment tech foring
Live memory analysis tools and techniques in linux environment tech foringLive memory analysis tools and techniques in linux environment tech foring
Live memory analysis tools and techniques in linux environment tech foringSheikh Foyjul Islam
 
6950SafeAssign Originality ReportDigital Fore.docx
6950SafeAssign Originality ReportDigital Fore.docx6950SafeAssign Originality ReportDigital Fore.docx
6950SafeAssign Originality ReportDigital Fore.docxpriestmanmable
 
6950SafeAssign Originality ReportDigital Fore.docx
6950SafeAssign Originality ReportDigital Fore.docx6950SafeAssign Originality ReportDigital Fore.docx
6950SafeAssign Originality ReportDigital Fore.docxblondellchancy
 

Similar to Study on Live analysis of Windows Physical Memory (20)

Live Forensics Analysis Method for Random Access Memory on Laptop Devices
Live Forensics Analysis Method for Random Access Memory on Laptop DevicesLive Forensics Analysis Method for Random Access Memory on Laptop Devices
Live Forensics Analysis Method for Random Access Memory on Laptop Devices
 
Comparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction ToolsComparative Analysis of Digital Forensic Extraction Tools
Comparative Analysis of Digital Forensic Extraction Tools
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics report
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
 
ICT741 Digital Forensics.docx
ICT741 Digital Forensics.docxICT741 Digital Forensics.docx
ICT741 Digital Forensics.docx
 
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...
 
Assingment 5 - ENSA
Assingment 5 - ENSAAssingment 5 - ENSA
Assingment 5 - ENSA
 
A Literature Review On Cyber Forensic And Its Analysis Tools
A Literature Review On Cyber Forensic And Its Analysis ToolsA Literature Review On Cyber Forensic And Its Analysis Tools
A Literature Review On Cyber Forensic And Its Analysis Tools
 
How to Use Linux Forensic Analysis Tools for Digital Investigations.pdf
How to Use Linux Forensic Analysis Tools for Digital Investigations.pdfHow to Use Linux Forensic Analysis Tools for Digital Investigations.pdf
How to Use Linux Forensic Analysis Tools for Digital Investigations.pdf
 
Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...
Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...
Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...
 
Experimental Analysis of Web Browser Sessions Using Live Forensics Method
Experimental Analysis of Web Browser Sessions Using Live Forensics Method Experimental Analysis of Web Browser Sessions Using Live Forensics Method
Experimental Analysis of Web Browser Sessions Using Live Forensics Method
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
Live memory analysis tools and techniques in linux environment tech foring
Live memory analysis tools and techniques in linux environment tech foringLive memory analysis tools and techniques in linux environment tech foring
Live memory analysis tools and techniques in linux environment tech foring
 
6950SafeAssign Originality ReportDigital Fore.docx
6950SafeAssign Originality ReportDigital Fore.docx6950SafeAssign Originality ReportDigital Fore.docx
6950SafeAssign Originality ReportDigital Fore.docx
 
6950SafeAssign Originality ReportDigital Fore.docx
6950SafeAssign Originality ReportDigital Fore.docx6950SafeAssign Originality ReportDigital Fore.docx
6950SafeAssign Originality ReportDigital Fore.docx
 
A44090104
A44090104A44090104
A44090104
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
 
3170725_Unit-4.pptx
3170725_Unit-4.pptx3170725_Unit-4.pptx
3170725_Unit-4.pptx
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 

More from IOSR Journals

More from IOSR Journals (20)

A011140104
A011140104A011140104
A011140104
 
M0111397100
M0111397100M0111397100
M0111397100
 
L011138596
L011138596L011138596
L011138596
 
K011138084
K011138084K011138084
K011138084
 
J011137479
J011137479J011137479
J011137479
 
I011136673
I011136673I011136673
I011136673
 
G011134454
G011134454G011134454
G011134454
 
H011135565
H011135565H011135565
H011135565
 
F011134043
F011134043F011134043
F011134043
 
E011133639
E011133639E011133639
E011133639
 
D011132635
D011132635D011132635
D011132635
 
C011131925
C011131925C011131925
C011131925
 
B011130918
B011130918B011130918
B011130918
 
A011130108
A011130108A011130108
A011130108
 
I011125160
I011125160I011125160
I011125160
 
H011124050
H011124050H011124050
H011124050
 
G011123539
G011123539G011123539
G011123539
 
F011123134
F011123134F011123134
F011123134
 
E011122530
E011122530E011122530
E011122530
 
D011121524
D011121524D011121524
D011121524
 

Recently uploaded

An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...Chandu841456
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptSAURABHKUMAR892774
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
computer application and construction management
computer application and construction managementcomputer application and construction management
computer application and construction managementMariconPadriquez1
 
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfAsst.prof M.Gokilavani
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Satyam Kumar
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...121011101441
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEroselinkalist12
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvLewisJB
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleAlluxio, Inc.
 

Recently uploaded (20)

An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...
 
young call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Serviceyoung call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Service
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.ppt
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examplesPOWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examples
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
computer application and construction management
computer application and construction managementcomputer application and construction management
computer application and construction management
 
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting .
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvv
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at Scale
 

Study on Live analysis of Windows Physical Memory

  • 1. IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661, p- ISSN: 2278-8727Volume 15, Issue 4 (Nov. - Dec. 2013), PP 76-80 www.iosrjournals.org www.iosrjournals.org 76 | Page Study on Live analysis of Windows Physical Memory Divyang Rahevar Institute of Forensic Science, Gujarat Forensic Sciences University, Gujarat, India Abstract: Memory forensics and data carving methods are usually used during volatile investigation and is nowadays a big area of interest. Volatile memory dump is used for offline analysis of live data. Live analysis of the running system gives the information of which events are going on. Volatile memory analysis can give the sensitive information such as User Ids, Passwords, Hidden Processes, Root kits, Sockets etc. which are not stored on the physical drive. This Paper represents various approaches and tools used to capture and analyse data from computer memory. Keywords: Memory forensics, RAM, sensitive information. I. Introduction The volatile data is referred to as stateful information from the subject system while it is remain powered on [1]. Memory forensics can be done by two approaches mainly Hardware based and Software based. For Analysing the Live Memory we have to first create the dump of the live system. There are so many Tools are available for dumping the memory. Why the investigator has to dump the live memory? When an investigator interacts with the live system there may be chances of the altering data which may cause loss of evidence. Digital evidence is very sensitive and can be easily altered. With live analysis data is collected from a running system [2]. II. Memory Dump There are mainly two approaches for acquire physical memory images: Hardware based tools and Software based tools. In this paper the focus is on the software based tools. There are so many tools available for capturing the live memory. These tools can give the image of the live RAM. Here I have explained two different tools for imaging the live memory. DumpIt is a compact portable tool which makes it easy to save the content of the physical memory [3]. The DumpIt tool is a very user-friendly just you have to double click on it and the below screen appear. Figure 1: Creating memory dump using DumpIt. When you run the DumpIt it will ask for the imaging .and shows the destination path to where the image has been created. After pressing „y‟ it will proceed for memory dump and creates the memory image at the destination path and shows the status „success‟. The file type is the .raw file. By using this dump file the investigator has to analyse the data which are stored in the RAM. There are some analysis tools which are discussed in next section.
  • 2. Study on Live analysis of Windows Physical Memory www.iosrjournals.org 77 | Page The second software which I have used for memory dump is the FTK Imager from Access Data[4]. Figure 2: Memory capture using FTK Imager. By clicking on a capture Memory option the new window opens which asks about the destination path of the imaged memory. Figure 3: capture memory option using FTK Imager. The image file which is created by the FTK Imager is having .mem extension. This will capture the all the processes which are running at the time of imaging and also the dll files which are used by the processes. The live memory acquisition is very helpful in the forensic investigation. It will give the sensitive information which is not stored in the physical memory. It gives the information of the open ports, malwares and the unusual things happen to the machine. III. Memory Analysis After creating the dump of the live memory the next and important step is to analyse the memory. In this step the investigator has to analyse carefully because he/she can find the potential evidence from the memory image. By analysing the memory we can get the running processes, list of dlls which are running at a time, open ports, network connections. This information is commonly concerned by a forensic investigator [3]. There are different tools used for memory analysis also. Here I have explained some of them. For the best result of the memory analysis the tool is WinHex [5]. By using the searching ability from the image the Autopsy [6] is a very good tool for finding the sensitive data in a string format. Using Autopsy there are some interesting and sensitive data I found. First open the Autopsy and load the image to which we want to analyse.
  • 3. Study on Live analysis of Windows Physical Memory www.iosrjournals.org 78 | Page Figure 4 : Memory analysis using Autopsy By loading the memory image it will gives the list of Email Addresses which are stored in the address book of email or captured from the websites visited. Figure 5: Email Ids stored in memory using Autopsy Analysing memory using Autopsy it will shows the Email messages which are store in the RAM. This may become the potential evidence. Figure 6: Email messages stored in memory dump Using Autopsy The keyword search is very important for analysing the live memory dump. By using key word searching it will become the faster to search the evidences. The Next tool which is used for memory analysis is the WinHex. The tool WinHex is in its core a universal hexadecimal editor, particularly helpful in computer forensics, data recovery, low-level data processing, IT security [7].
  • 4. Study on Live analysis of Windows Physical Memory www.iosrjournals.org 79 | Page The WinHex has showed the visited websites from the memory dump. Figure 7: Visited websites using WinHex. Using this tool we can find lots of sensitive information. In this memory dump I have found the login in to some account which shows the username and password. Figure 8: Username and password using WinHex. As shown in the Autopsy, Here also we can get the information of email message. Here the user got an email message which is stored in the memory. Figure 9 : Email message showing in WinHex. These all are the information which we can get through different tools. The tools which are used for the analysing the memory have their different approach. The above tools are the graphical tools, there are some other tools which also do the memory analysis. The volatility framework is also used for the memory analysis. There are so many papers available for the volatility. The volatility is powerful and gives the information about the hidden processes, dll lists, open ports, malwares, and registry information [3]. The PTFinder is a perl script that can use for finding out processes and threads. This script searches for EPROCESS structures and perform a series of comparisons against rules to ensure the authenticity [8][9].
  • 5. Study on Live analysis of Windows Physical Memory www.iosrjournals.org 80 | Page IV. Conclusion There are so many tools and techniques are available for memory acquisition and analysis. They all have different methods and different approaches. It is very good to find out the sensitive information from the memory. This is helpful for solving the cyber crimes. The data which is stored in the RAM are changes repeatedly. The data are overwritten every time. The tools which are used for analysis and capturing the memory have to be develop more powerful with coming years. References [1] Cutifa Safitri , “A Study: Volatility Forensic on Hidden Files”, International Journal of Science and Research (IJSR), India Online ISSN: 2319-7064 [2] Sasa Mrdovic, Alvin Huseinovic, Ernedin Zajko, “Combining Static and Live Digital Forensic Analysis in Virtual Environment” [3] Liming Cai, Jing Sha ,Wei Qian,” Study on Forensic Analysis of Physical Memory” [4] FTKImager download , http://www.accessdata.com/support/product-downloads [5] X-ways software Technology AG, WinHex Editor http://winhex.com/winhex/ [6] Autopsy download , http://www.sleuthkit.org/autopsy/ [7] Qian Zhao, Tianjie Cao, “Collecting Sensitive Information from Windows Physical Memory”, JOURNAL OF COMPUTERS, VOL. 4, NO. 1, JANUARY 2009 [8] Gabriela Limon Garcia,” Forensic physical memory analysis:an overview of tools and techniques ” [9] Andrea Schuster, Searching for processes and threads in Microsoft Windows memory dumps. Digital forensic research workgroup, 2007.