Skip to main content
SpringerLink
Log in

Network Connections Information Extraction of 64-Bit Windows 7 Memory Images

  • Conference paper
Forensics in Telecommunications, Information, and Multimedia (e-Forensics 2010)

Abstract

Memory analysis technique is a key element of computer live forensics, and how to get status information of network connections is one of the difficulties of memory analysis and plays an important roles in identifying attack sources. It is more difficult to find the drivers and get network connections information from a 64-bit win7 memory image file than its from a 32-bit operating system memory image file. In a this paper, We will describe the approachs to find drivers and get network connection information from windows 7 memory images. This method is reliable and efficient. It is verified on Windows version 6.1.7600.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Wang, L., Zhang, R., Zhang, S.: A Model of Computer Live Forensics Based on Physical Memory Analysis. In: ICISE 2009, Nanjing China (December 2009)

    Google Scholar 

  2. Schuster, A.: Searching for Processes and Threads in Microsoft Windows Memory Dumps. In: Proceedings of the 2006 Digital Forensic Research Workshop, DFRWS (2006)

    Google Scholar 

  3. Burdach, M.: An Introduction to Windows Memory Forensic[OL] (July 2005), http://forensic.seccure.net/pdf/introduction_to_windows_memory_forensic.pdf

  4. Burdachz, M.: Digital Forensics of the Physical Memory [OL] (March 2005), http://forensic.seccure.net/pdf/mburdach_digital_forensics_of_physical_memory.pdf

  5. Walters, A., Petronni Jr., N.L.: Volatools: Integrating volatile Memory Forensics into the Digital Investigation Process. In: Black Hat DC (2007)

    Google Scholar 

  6. Volatile Systems: The Volatility Framework: Volatile memory artifact extraction utility framework (accessed, June 2009), https://www.volatilesystems.com/default/volatility/

  7. Andreas, S.: Pool allocations as an information source in windows memory forensics. In: Oliver, G., Dirk, S., Sandra, F., Hardo, H., Detlef, G., Jens, N. (eds.) IT-incident management & IT-forensics-IMF 2006, October 18. Lecture notes in informatics, vol. P-97, pp. 104–115 (2006b)

    Google Scholar 

  8. Zhang, R., Wang, L., Zhang, S.: Windows Memory Analysis Based on KPCR. In: Fifth International Conference on Information Assurance and Security, IAS 2009, vol. 2, pp. 677–680 (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Shandong Computer Science Center, Shandong Provincial Key Laboratory of Computer Network, 19 Keyuan Road, Jinan, 250014, P.R. China

    Lianhai Wang, Lijuan Xu & Shuhui Zhang

Authors
  1. Lianhai Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Lijuan Xu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Shuhui Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science and Engineering, Shanghai Jiao Tong University, 800 Dong Chuan Road, 200240, Shanghai, P.R. China

    Xuejia Lai  & Dawu Gu  & 

  2. The 3rd Research Institute of Ministry of Public Security, 339 bi Shen Road, A 303, Zhang Jiang, Pu Dong, 210031, Shangahi, P.R. China

    Bo Jin

  3. East China University of Political Science and Law, No. 555, Longyuan Road, Songjiang District, 201620, Shanghai, China

    Yongquan Wang

  4. Xidian University, P.O. Box 101, 710071, Xian, Shaanxi, P.R. China

    Hui Li

Rights and permissions

Reprints and permissions

Copyright information

© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Wang, L., Xu, L., Zhang, S. (2011). Network Connections Information Extraction of 64-Bit Windows 7 Memory Images. In: Lai, X., Gu, D., Jin, B., Wang, Y., Li, H. (eds) Forensics in Telecommunications, Information, and Multimedia. e-Forensics 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 56. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23602-0_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-23602-0_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23601-3

  • Online ISBN: 978-3-642-23602-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation