
Utilizing Program's Execution Data for Digital Forensics

Proceeding: The Third International Conference on Digital Security and Forensics (DigitalSec2016)

Pages: 12-19

Keywords: Digital Forensics; Memory Forensics; Memory Dumps; Carving Variable Values; String Variables; C Programs


Abstract

Criminals use computers and software to commit crimes or to cover up their misconduct. Main memory (RAM) contains rich information about a system, including its active processes. A program's variables differ in their scope and in how long their values persist in RAM. This paper exploits a program's execution state and its dataflow to obtain evidence of how the software was used: it extracts information left behind by program execution in support of legal action against perpetrators. Our investigation model assumes that no information is provided by the operating system; only raw RAM dumps are available. Our methodology draws on information from the target program's source code. This paper targets C programs that run on Unix-based systems. Several experiments are designed to show that the scope and storage information of various source code variables can be used to identify a program's activities. Results show that investigators have a good chance of locating the values of various variables even after the process has stopped.

Last modified: 2016-09-11 23:54:01