Memory Forensic: Comparing the correctness of memory captures from locked Windows 10 machines using different boot capture vectors



Document title: Memory Forensic: Comparing the correctness of memory captures from locked Windows 10 machines using different boot capture vectors
Journal: Latin-American Journal of Computing (LAJC)
Database: PERIÓDICA
System number: 000450398
ISSN: 1390-9134
Authors: 1
Institutions: 1 Sheffield Hallam University, Department of Computing, Sheffield, Yorkshire, United Kingdom
Year:
Period: Jul-Dec
Volume: 9
Issue: 2
Pages: 36-51
Country: Ecuador
Language: English
Document type: Article
Approach: Analytical, critical
Abstract (English): Memory forensics is rapidly becoming a critical part of all digital forensic investigations. The value of the information stored in a computer's memory is immense; failing to capture it could result in a substantial loss of evidence. However, it is becoming increasingly common to find situations where standard memory acquisition tools do not work. The paper addresses how an investigator can capture the memory of a locked computer when authentication is not present. The proposed solution is to use a bootable memory acquisition tool, in this case Passware Bootable Memory Imager. To enhance the findings, three different reboot methods will be tested to help identify what would happen if the recommended warm reboot is not possible. Using a warm reboot and a secure reboot, Passware Bootable Memory Imager was able to successfully acquire the memory of the locked machine, with the resulting captures being highly representative of the populated data. However, the memory samples collected after a cold reboot did not retain any populated data. These findings highlight that, to capture the memory of a locked machine, the reboot method is highly successful, provided the correct method is followed.
Disciplines: Computer science
Keywords: Programming,
Digital forensics,
Memory forensics,
Acquisition,
Analysis,
Passware bootable memory imager,
Authentication
Full text: Full text (View PDF)