Utilizing Program's Execution Data for Digital Forensics
Proceedings: The Third International Conference on Digital Security and Forensics (DigitalSec2016)
Publication Date: 2016-09-06
Authors: Ziad Al-Sharif
Pages: 12-19
Keywords: Digital Forensics; Memory Forensics; Memory Dumps; Carving Variable Values; String Variables; C Programs
Abstract
Criminals use computers and software to perform their crimes or to cover their misconduct. Main memory (RAM) holds a wealth of information about a system, including its active processes. A program's variables differ in the scope and duration for which their data and values remain in RAM. This paper exploits a program's execution state and its dataflow to obtain evidence of the software's usage. It extracts information left behind by program execution in support of legal action against perpetrators. Our investigation model assumes that no information is provided by the operating system, only raw RAM dumps. Our methodology employs information from the target program's source code. This paper targets C programs used on Unix-based systems. Several experiments are designed to show that the scope and storage information of various source-code variables can be used to identify a program's activities. The results show that investigators have a good chance of locating the values of various variables even after the process has stopped.
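The abstract's central idea is that knowledge of the target program's source code (variable types, sizes and plausible value ranges) turns a blind search of a raw dump into a validated carve. The following is an added illustration, not code from the paper: it assumes a hypothetical C layout `struct session { char user[16]; unsigned int uid; unsigned int flags; }` and a constructed little-endian "dump" containing noise, a live instance and a stale copy.

```python
import re
import struct

# Hypothetical C layout assumed for this example (not from the paper):
#   struct session { char user[16]; unsigned int uid; unsigned int flags; };
# Little-endian, no padding: 16 + 4 + 4 = 24 bytes.
SESSION_FMT = "<16sII"
SESSION_SIZE = struct.calcsize(SESSION_FMT)

def carve_sessions(dump: bytes):
    """Scan a raw dump for byte ranges that decode as a plausible struct session.

    Source-code knowledge lets us validate every field instead of relying on a
    bare string search, which cuts down false positives from unrelated text."""
    hits = []
    for off in range(0, len(dump) - SESSION_SIZE + 1):
        user_raw, uid, flags = struct.unpack_from(SESSION_FMT, dump, off)
        # Field 1: NUL-terminated username of at least 3 chars, lowercase identifier
        nul = user_raw.find(b"\0")
        if nul < 3:
            continue
        name = user_raw[:nul]
        if not re.fullmatch(rb"[a-z][a-z0-9_]{2,15}", name):
            continue
        # Fields 2 and 3: value-range checks derived from how the program uses them
        if uid == 0 or uid > 65535:
            continue
        if flags & ~0xFF:
            continue
        hits.append({"offset": off, "user": name.decode(), "uid": uid, "flags": flags})
    return hits

# Constructed sample "dump" (not a real capture): zero bytes, code-like noise,
# one live struct, an HTTP request fragment, a stale struct copy, trailing junk.
DUMP = (
    b"\x00" * 7
    + b"\x90\x41\x7f\x33" * 4
    + struct.pack(SESSION_FMT, b"alice\0", 1001, 0x03)
    + b"GET /index.html\0"
    + struct.pack(SESSION_FMT, b"bob_1\0", 1002, 0x01)
    + b"\xff" * 5
)

if __name__ == "__main__":
    for hit in carve_sessions(DUMP):
        print(hit)
```

The substrings "html" and "tml" inside the HTTP fragment pass the name check but are rejected by the `uid` range test, which is exactly the benefit of carving with the struct layout rather than with a string scanner alone.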
Last modified: 2016-09-11 23:54:01