
The Study Of Technology Of Memory Forensics Analysis Based On Association Of Data On Windows Platform

Posted on: 2015-09-29
Degree: Master
Type: Thesis
Country: China
Candidate: B Y Dong
Full Text: PDF
GTID: 2308330461460695
Subject: Computer Science and Technology
Abstract/Summary:
As computer science and networking develop ever faster, cybercrime has become more and more common and seriously harms society, so the discipline of computer forensics, which aims to deal with cybercrime, has become more and more important. Computer forensics includes disk forensics and memory forensics. With the rapid development of computer technology, disk volumes grow larger and encryption technology advances, so disk forensics alone can no longer obtain the digital evidence. Memory forensics is a new direction of computer forensics that aims to obtain evidence from the volatile information in computer memory. The new forensic analysis technology therefore combines disk forensics and memory forensics to obtain evidence.

Nowadays, all forensic analysis methods use either disk forensics or memory forensics alone, and in memory forensics these methods analyze only one kind of data in memory at a time, such as files, the registry, or network packets. The result of the analysis is therefore simple and cannot combine the different kinds of data in memory with each other.

In this thesis, we propose a forensic analysis method based on association of data. This method analyzes the data on disk and in memory and finds the relations among these data; based on those relations, data can be associated with other data and a relationship graph of the data can be generated. The difference between our method and existing methods is that our method uses different kinds of association to link processes, files, users, and dynamic link libraries for analysis, and it is the first to associate memory with disk in order to combine the data. We then use experiments that simulate cybercrime to show how our method works. In the experiments we apply several association methods to the memory data and obtain many relationship graphs of the data.

Through the experiments we show that our data association methods can not only present the final analysis result in a friendly way but also help forensic staff infer the cybercrime situation and reconstruct the events.
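As an added illustration (not code from the thesis), the following Python sketch builds the kind of relationship graph the abstract describes from constructed memory and disk artifacts: processes, users, loaded DLLs and open files recovered from a memory image are linked to each other and to file hashes recorded from the disk image, and the graph is then queried for associated nodes and for files that exist only in memory. All process names, paths and digests are hypothetical placeholders.

```python
from collections import defaultdict, deque

# Constructed sample artifacts standing in for what a memory image and a disk
# image would yield (hypothetical values, not data from the thesis).
MEM_PROCESSES = [  # (pid, ppid, image name, user)
    (612, 4, "explorer.exe", "alice"),
    (1840, 612, "notepad.exe", "alice"),
    (2044, 612, "svch0st.exe", "alice"),
]
MEM_REFS = [  # (pid, relation, path): loaded DLLs and open file handles
    (1840, "loads", r"C:\Windows\System32\kernel32.dll"),
    (2044, "loads", r"C:\Windows\System32\kernel32.dll"),
    (2044, "loads", r"C:\Users\alice\AppData\inject.dll"),
    (2044, "opens", r"C:\Users\alice\passwords.txt"),
]
DISK_FILES = {  # path -> hash recorded from the disk image (placeholder digests)
    r"C:\Windows\System32\kernel32.dll": "sha256:PLACEHOLDER_1",
    r"C:\Users\alice\passwords.txt": "sha256:PLACEHOLDER_2",
}

def build_graph(procs=MEM_PROCESSES, refs=MEM_REFS, disk=DISK_FILES):
    """Undirected labelled graph: node -> {(relation, neighbour)}."""
    g = defaultdict(set)
    def link(a, rel, b):
        g[a].add((rel, b)); g[b].add((rel, a))
    node = {pid: f"proc:{pid}:{name}" for pid, _, name, _ in procs}
    for pid, ppid, _, user in procs:
        link(node[pid], "runs_as", f"user:{user}")
        if ppid in node:                       # parent/child relation from memory
            link(node[ppid], "parent_of", node[pid])
    for pid, rel, path in refs:                # process -> DLL / open file
        link(node[pid], rel, f"file:{path}")
    for path, digest in disk.items():          # memory <-> disk association
        if f"file:{path}" in g:
            link(f"file:{path}", "on_disk_as", f"hash:{digest}")
    return g

def associated(g, start, max_depth=2):
    """Nodes reachable from `start` within max_depth hops (BFS over relations)."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        n, d = queue.popleft()
        for _, m in (g[n] if d < max_depth else ()):
            if m not in seen:
                seen.add(m); queue.append((m, d + 1))
    return seen - {start}

def memory_only_files(g):
    """Files referenced in memory but absent from disk: deleted or never-written artifacts."""
    return sorted(n for n in g if n.startswith("file:")
                  and not any(r == "on_disk_as" for r, _ in g[n]))
```

Starting the query from a suspicious memory-only DLL returns the process that loaded it, its parent, the user it ran as and the other files it touched, which is the event-reconstruction view the abstract describes.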
Keywords/Search Tags: Cybercrime, Computer Forensics, Forensics Analysis, Memory Forensics, Data Association