
Research On Memory Volatile Data Forensics Analysis Based On Windows

Posted on: 2013-01-16
Degree: Master
Type: Thesis
Country: China
Candidate: F Wang
GTID: 2248330371983032
Subject: Network and information security

Abstract/Summary:
Computers and other intelligent information devices play an increasingly important role in the development of the information age. With the further development and popularization of the Internet and information technology, they have not only advanced social productivity but also subtly changed how people live and work. Yet while computers and other intelligent devices bring convenience, they also cause many information security problems.

According to the annual report released by the National Computer Network Emergency Response and Coordination Center in 2011, the information security situation will become more complex in the future. Detection statistics for 2010 show a total of 479,626 Trojan control server IPs and a total of 10,317,169 host IPs, a substantial increase of 274.9% compared to 2009. The Fly off worm broke out in 2010; according to the Center's sample monitoring results of December 2010, more than 60 million host IPs on the global Internet were infected with it. This shows that the use of computers and networks to commit crime is a growing problem and a serious threat to social harmony and stability. Preventing computer-related crime through information security technology alone cannot fundamentally solve the increasingly serious information security threats; it is also necessary to constrain people's behavior under the norms of the legal system in modern society.

In traditional computer forensics, the investigator always shuts down the computer involved in the crime, then uses plug-and-play devices to make a complete copy of the computer's disk data, and finally takes the mirrored data back to the laboratory for analysis. However, with the continuous development of computer hardware, large-capacity memory is widely used, and a variety of encryption and anti-forensics techniques have appeared, so that a lot of valuable information is lost in the traditional forensic process.

The volatile data in the computer's memory may contain critical information on criminal acts, such as the password information used for encryption, the state of the system during the criminal behavior, and traces of the use of anti-forensic tools. Malicious software, system-level backdoors and other related information can easily be overlooked by investigators who analyze disk data alone.

In recent years, volatile data forensic analysis has received more and more attention from judicial and computer security experts. Memory forensic analysis focuses on obtaining crime-related information from physical memory. The memory forensic analysis process has been able to search for readable text strings or keywords in the memory image, but to obtain more useful information the analysis must be carried out in the context of the runtime environment and its metadata, with an understanding of the data structures and of the background linked with the crime. It is critical to memory forensic analysis that investigators can accurately identify the data in the memory image and the specific correlations among them.

We present a chain-of-evidence oriented model for the analysis of digital forensic data from volatile system memory. It allows analysts to no longer confine themselves to the traditional, single-evidence oriented analysis of digital forensic data, but to focus at a higher level of abstraction on the relevance among independent pieces of evidence; from the legal point of view, this is an analysis pattern oriented toward the construction of a chain of evidence. Since digital forensic data from volatile system memory possesses the following distinctive features: volatility, transience, phased stability, complexity, relevance of the collected data and phased behavior predictability, adoption of the model has three advantages.

First, by extending the analysis from a user's single operation to behavior analysis, we can better understand the purpose of a series of user operations. Second, breaking the confinement of only obtaining evidence of volatile system memory at the moment of collection, by analyzing the relevance of all evidence at one moment we can infer the user's behavior over a period of time. Third, applying relevance analysis to the reconstruction of the chain of evidence can address these issues in law enforcement.
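The abstract contrasts plain keyword searching of a memory image with interpreting the image through its data structures, and then correlating independent pieces of evidence into a chain. The following Python script is an added illustration of that contrast and is not code from the thesis; the "memory image", its fixed-size process record layout, and the process names in it are constructed assumptions, not real Windows kernel structures. A naive strings-style carve recovers names and a key fragment but no relations; the structure-aware parse recovers pid, parent pid and start time, which the correlation step uses to rebuild the parent chain that led to a given process.

```python
"""Toy memory-image analysis: keyword carving vs. structure-aware parsing.

Constructed example for illustration. The image layout, record format and
process names are assumptions; they are not the thesis's model or any real
Windows structure.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Assumed record layout: pid u32, ppid u32, start_time u32 (seconds), name 16 bytes
RECORD_FMT = "<III16s"
RECORD_SIZE = struct.calcsize(RECORD_FMT)  # 28 bytes per record


@dataclass
class ProcessRecord:
    offset: int
    pid: int
    ppid: int
    start_time: int
    name: str


def build_sample_image() -> Tuple[bytes, int, int]:
    """Construct a fake memory image: binary filler, one leftover key string,
    then a table of three process records. Returns (image, table_offset, count)."""
    filler = b"\x00" * 40 + b"\x90\x12\x7f" * 5
    keyword = b"enc_key=example-passphrase\x00"   # constructed artefact
    records = [
        (4, 0, 1000, b"explorer.exe"),
        (1200, 4, 1030, b"cmd.exe"),
        (1300, 1200, 1045, b"wiper.exe"),         # hypothetical tool name
    ]
    table = b"".join(
        struct.pack(RECORD_FMT, pid, ppid, t, name.ljust(16, b"\x00"))
        for pid, ppid, t, name in records
    )
    prefix = filler + keyword + b"\x00" * 8
    return prefix + table + b"\xff" * 16, len(prefix), len(records)


def find_strings(image: bytes, min_len: int = 6) -> List[Tuple[int, str]]:
    """Naive 'strings'-style carving: runs of printable ASCII of >= min_len."""
    found, start = [], None
    for i, b in enumerate(image + b"\x00"):   # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_len:
                found.append((start, image[start:i].decode("ascii")))
            start = None
    return found


def parse_process_records(image: bytes, table_offset: int, count: int) -> List[ProcessRecord]:
    """Structure-aware parse: decode each record at its known offset."""
    recs = []
    for k in range(count):
        off = table_offset + k * RECORD_SIZE
        pid, ppid, t, raw = struct.unpack_from(RECORD_FMT, image, off)
        recs.append(ProcessRecord(off, pid, ppid, t, raw.rstrip(b"\x00").decode("ascii")))
    return recs


def evidence_chain(recs: List[ProcessRecord], pid: int) -> List[Tuple[str, int]]:
    """Correlate independent records via ppid to reconstruct the parent chain
    that led to `pid`, ordered root first; a cycle or unknown pid ends the walk."""
    by_pid = {r.pid: r for r in recs}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append((cur.name, cur.start_time))
        cur = by_pid.get(cur.ppid)
    chain.reverse()
    return chain


if __name__ == "__main__":
    image, table_off, n = build_sample_image()
    print("keyword view:", [s for _, s in find_strings(image)])
    recs = parse_process_records(image, table_off, n)
    print("structured view:", [(r.pid, r.ppid, r.name) for r in recs])
    print("chain for pid 1300:", evidence_chain(recs, 1300))
```

The keyword view shows the same names as the structured view but cannot say which process launched which or when; only the parsed records support the chain that places the hypothetical tool after a shell spawned from the user's session, which is the kind of behavior-level inference the abstract's model is after.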
Keywords/Search Tags: computer forensics, volatile, correlation analysis, memory forensics