dc.description.abstract
In any forensic investigation involving the extraction of evidence from a computing device, the investigator looks into two major sources of information: the storage device and the computer memory. While the former mainly involves making static acquisitions and obtaining non-volatile data that way, the latter deals with live acquisitions and the acquisition of volatile data. Carrying out these live acquisitions means the investigator bypasses the usual forensic procedures of hashing and preserving integrity, as live acquisitions can hardly ever be reproduced. However, such acquisition and analysis of main memory is becoming a necessity for investigators. This is because a lot of data of evidentiary value lies in the computer's memory. Moreover, many remnants of user and application activity can sometimes be found only in main memory. For instance, encryption passwords, network communication (including passwords/keys travelling over the network, live chat sessions, etc.), open files or registry keys of a running process, unpacked/decrypted versions of a program, and memory-resident malware are all sources of information that can help reconstruct a case story.
To ease this process for forensic investigators, a number of tools have been developed for memory image acquisition and analysis. However, a standard framework from which an investigator can draw the major requirements for such a tool is still missing in the current literature. As part of its Computer Forensic Tool Testing (CFTT) project, the National Institute of Standards and Technology (NIST) has published a standard titled "Smart Phone Tool Specification, Smart Phone Tool Test Assertions and Test Plan". We have used these standards to build a framework in exactly the same format, but one that lays down the requirements for memory analysis tools. Since the structure and format are the same as those of the NIST standards, the terminology used in this framework is also the same. Therefore, the terms "test requirements", "test cases" and "test assertions" are analogous to those present in the NIST standards. We have evaluated six tools using our proposed framework as a case study. The results are presented in our thesis.
en_US