DocumentCode :
3716609
Title :
Tracking File's Metadata from Computer Memory Analysis
Author :
Khairul Akram Zainol Ariffin;Ahmad Kamil Mahmood;Jafreezal Jaafar;Solahuddin Shamsuddin
Author_Institution :
Digital Forensics Dept., CyberSecurity Malaysia, Seri Kembangan, Malaysia
fYear :
2015
Firstpage :
975
Lastpage :
980
Abstract :
With the advance in technology, the computer storage will become cheaper for the larger sizes. Previously, it allows the user to store more data at a lower cost. In the context of digital forensic investigation, the traditional approach such as analysis on the hard disk will become inefficient in handling the huge data that is stored within it. The research on retrieving the open files from computer memory only focused on tracking the Virtual Address Descriptor (VAD) and Object Table. Thus, only the active object's open files can be retrieved from the computer memory. The aim of this paper is to present algorithms to track the metadata of files from the well-known file systems for Windows systems such as File Allocation Table (FAT) and New Technologies File System (NTFS). The algorithms encompass the signature search to retrieve the boot sector and then capture the metadata about the file from the computer memory. The algorithm will be independent of the address translation algorithm and able to capture the information from various file extensions, not limited to .EXE and .DLL.
Keywords :
"Computers","Indexes","Hard disks","File systems","Digital forensics","Clustering algorithms","Algorithm design and analysis"
Publisher :
IEEE
Conference_Title :
Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing (CIT/IUCC/DASC/PICOM), 2015 IEEE International Conference on
Type :
conf
DOI :
10.1109/CIT/IUCC/DASC/PICOM.2015.147
Filename :
7363188
Link To Document :