This paper proposesa complete schemeto memory forensicsfor computer crimesunder multiple scenarios. The scheme can take advantage of multiple single evidence,which is obtained from the memory, to reason cases and reconstruct evidencechains.By finding the relevance between the evidence in memory, the scheme uses thecorrelation analysis algorithm of this article to calculate correlationbetweentheevidence, and further to analyze the criminal cases occurred. In order to verify thevalidity of analytical methods, the paper simulates a computer crime scene in theexperimental part, and uses simulation to establish a set of experimentaldata.Analysisresults of the experiment indicate that this correlation analysis methodcan not only help investigators find evidence that has relevance in the memory data leftin the crime scene, it can also effectively identify those Computer Crime processcontaining legitimate user behavior. |