1 | B. D. Carrier and J. Grand, "A hardware-based memory acquisition procedure for digital investigations," Digital Investigation, Vol. 1, No. 1, pp. 50-60, 2004.
2 | MemParser, C. Betz, http://memparser.sourceforge.net/
3 | PtFinder, A. Schuster, http://computer.forensikblog.de/files/ptfinder/
4 | Volatility, Volatile Systems, https://www.volatilesystems.com/default/volatility
5 | M.E. Russinovich and D.A. Solomon, Windows Internals, 5th Edition, Microsoft Press, June 2009.
6 | S.M. Hejazia, C. Talhia and M. Debbabi, "Extraction of forensically sensitive information from windows physical memory," Digital Investigation, Vol. 6, Supplement 1, pp. S121-S131, September 2009.
7 | R. Jones, "Safer Live Forensic Acquisition," University of Kent at Canterbury, http://www.cs.kent.ac.uk/pubs/ug/2007/co620-projects/forensic/report.pdf
8 | E. Kenneally and C. Brown, "Risk Sensitive Digital Evidence Collection," Digital Investigation, Vol. 2, Issue 2, pp. 101-119, June 2005.
9 | I. Sutherland, J. Evans, T. Tryfonas, and A. Blyth, "Acquiring Volatile Operating System Data Tools and Techniques," ACM SIGOPS Operating Systems Review, Vol. 42, Issue 3, pp. 65-73, April 2008.
10 | M. Monty, "Live Forensics on a Windows System: Using Windows Forensic Toolchest," Jun 2006. http://www.foolmoon.net/security
11 | B. Carrier, J. Grand, "A Hardware-based Memory Acquisition Procedure for Digital Investigations," Digital Investigation, Vol. 1, Issue 1, pp. 50-60, February 2004.
12 | A. Boileau, "Hit By A Bus: Physical Access Attacks with Firewire," RUXCON, Sydney, Australia, September 30-October 1, 2006.
13 | Mantech's Memory DD, Mantech, http://www.mantech.com/
14 | MoonSols Windows Memory Toolkit, MoonSols, http://moonsols.com/component/jdownloads/view.download/3/2
15 | D. Aumaitre, "A Little Journey inside Windows Memory," Journal in Computer Virology, Vol. 5, No. 2, pp. 105-177, January 2009.
16 | Advanced Archive Password Recovery, Elcomsoft, http://www.elcomsoft.com/archpr.html
17 | M. Burdach, "Finding digital evidence in physical memory," http://forensic.seccure.net/pdf/mburdach physical memory forensics bh06.pdf, 2006.
18 | A. Schuster, "The impact of Microsoft Windows pool allocation strategies on memory forensics," The Proceedings of the Eighth Annual DFRWS Conference, Vol. 5, Supplement 1, pp. S58-S64, September 2008.
19 | S. Lee, A. Savoldi, S. Lee, and J. Lim, "Password Recovery Using an Evidence Collection Tool and Countermeasures," Intelligent Information Hiding and Multimedia Signal Processing, Vol. 2, pp. 97-102, November 2007.
20 | R. Zhang, L. Wang, and S. Zhang, "Windows Memory Analysis Based on KPCR," Proceedings of the 2009 Fifth International Conference on Information Assurance and Security, Vol. 2, pp. 677-680, August 2009.
21 | A. Schuster, "Searching for processes and threads in Microsoft Windows memory dumps," Digital Investigation, Vol. 3, Supplement 1, pp. 10-16, September 2006.
22 | B. Dolan-Gavitt, A. Srivastava, P. Traynor, and J. Giffin, "Robust Signatures for Kernel Data Structures," Proceedings of the 16th ACM conference on Computer and communications security, pp. 566-577, 2009.
23 | B. Blunden, The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, Jones & Bartlett Publishers, May 2009.
24 | ProcessLibrary.com, Uniblue, http://www.processlibrary.com/
25 | FU Rootkit, http://rootkit.com/board_project_fused.php?did=proj12
26 | H. Carvey, Windows Forensic Analysis DVD Toolkit, Second Edition, Syngress, June 2009.
27 | A. Walters, "FATKit: Detecting Malicious Library Injection and Upping the 'Anti'," July 2006.