Abstract
Memory analysis is a key element of computer live forensics, and obtaining the status of network connections is one of the difficulties of memory analysis; it plays an important role in identifying attack sources. It is more difficult to find the drivers and extract network connection information from a 64-bit Windows 7 memory image file than from a 32-bit operating system memory image file. In this paper, we describe approaches to find drivers and extract network connection information from Windows 7 memory images. This method is reliable and efficient. It has been verified on Windows version 6.1.7600.
© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Wang, L., Xu, L., Zhang, S. (2011). Network Connections Information Extraction of 64-Bit Windows 7 Memory Images. In: Lai, X., Gu, D., Jin, B., Wang, Y., Li, H. (eds) Forensics in Telecommunications, Information, and Multimedia. e-Forensics 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 56. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23602-0_8
DOI: https://doi.org/10.1007/978-3-642-23602-0_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23601-3
Online ISBN: 978-3-642-23602-0