DocumentCode
624656
Title
Exploratory study on memory analysis of Windows CE device
Author
Shumian Yang ; Lianhai Wang ; Shuhui Zhang
Author_Institution
Shandong Provincial Key Lab. of Comput. Network, Jinan, China
fYear
2013
fDate
9-11 June 2013
Firstpage
470
Lastpage
475
Abstract
In the field of forensic analysis, Windows CE devices are a real issue for an IT security expert. Memory acquisition and analysis carry weight in Windows CE device forensics. The paper introduces physical memory acquisition and analysis methods for the different versions in the Windows environment, and the importance and procedure of memory analysis, which is different for Windows CE devices. We tentatively develop Windows CE device memory analysis tools based on the idea of computer memory analysis and put forward a physical memory analysis method for Windows CE devices. This paper analyzes the in-memory structures which represent the system's currently running processes, threads, mail client username and landed site. The method is verified on the Windows Mobile 6.5 operating system and proved reliable and efficient.
Keywords
digital forensics; mobile computing; operating systems (computers); storage management; IT security expert; Windows CE device; Windows Mobile 6.5 operating system; computer memory analysis; forensic analysis; in-memory structures; landed site; mail client username; memory analysis; physical memory acquisition; physical memory analysis methods; Computers; Forensics; Instruction sets; Kernel; Mobile handsets; Random access memory; Windows CE device; digital forensics; memory analysis; mobile forensics;
fLanguage
English
Publisher
ieee
Conference_Titel
Intelligent Control and Information Processing (ICICIP), 2013 Fourth International Conference on
Conference_Location
Beijing
Print_ISBN
978-1-4673-6248-1
Type
conf
DOI
10.1109/ICICIP.2013.6568120
Filename
6568120