Extracting Forensic Artifacts from Windows O/S Memory

Authors

James S. Okolica, Air Force Institute of Technology
Gilbert L. Peterson, Air Force Institute of Technology

Document Type

Article

Publication Date

8-2011

Abstract

Memory analysis is a rapidly growing area in both digital forensics and cyber situational awareness (SA). Memory provides the most accurate snapshot of what is occurring on a computer at a moment in time. By combining it with event and network logs as well as the files present on the filesystem, an analyst can re-create much of what has occurred and is occuring on a computer. The Compiled Memory Analysis Tool (CMAT) takes either a disk image of memory from a Windows operating system or an interface into a virtual machine running a Windows operating system and extracts forensic artifacts including general system information, loaded system modules, the active processes, the files and registry keys accessed by those processes, the network connections established by the processes, the dynamic link libraries loaded by the processes, and the contents of the Windows clipboard. Operators and investigators can either take these artifacts and analyze them directly or use them as input into more complex cyber SA and digital forensics analysis tools.

Recommended Citation

Peterson, G., & Okolica, J. (2011). Extracting Forensic Artifacts from Windows O/S Memory (AFIT/EN/TR-11-02). https://doi.org/10.21236/ADA548397

DTIC Accession Number

ADA548397

Document / Report Number

AFIT-EN-TR-11-02