Forensic analysis of the Windows registry in memory
Brendan Dolan-Gavitt
Vol. 5
TL;DR: The paper describes the structure of the Windows registry as it is stored in physical memory, and presents an attack that modifies the cached (in-memory) version of the registry without altering the on-disk version.
Abstract:
This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.
Citations
Book Chapter
Digital forensic research: the good, the bad and the unaddressed
TL;DR: This paper examines where the discipline of digital forensics is at this point in time and what has been accomplished, in order to critically analyze what has been done well and what ought to be done better.
Journal Article
Digital forensic research: current state of the art
TL;DR: This paper reviews the research literature since 2000 and categorizes developments in the field into four major categories and highlights the observations made by previous researchers and summarizes the research directions for the future.
Patent
Methods, media, and systems for detecting an anomalous sequence of function calls
TL;DR: In this article, methods, media, and systems for detecting an anomalous sequence of function calls are provided, which can include compressing a sequence of functions made by the execution of a program using a compression model; and determining the presence of anomalous functions in the sequence of calls based on the extent to which the function call is compressed.
Journal Article
A survey of main memory acquisition and analysis techniques for the windows operating system
Stefan Vömel, Felix C. Freiling, et al.
TL;DR: An overview of the prevailing techniques and methods to collect and analyze a computer's memory is given and the characteristics, benefits, and drawbacks are described and opportunities for future research in this evolving field of IT security are outlined.
Journal Article
Memory forensics
Andrew Case, Golden G. Richard, et al.
TL;DR: The state of the art in memory forensics is surveyed, a critical analysis of current-generation techniques is provided, important changes in operating system design that impact memory forensics are described, and important areas for further research are sketched.
References
Guide to Integrating Forensic Techniques into Incident Response (NIST)
TL;DR: In this paper, the authors describe the processes for performing effective forensics activities and provide advice regarding different data sources, including files, operating systems (OS), network traffic, and applications.
Proceedings Article
An architecture for specification-based detection of semantic integrity violations in kernel dynamic data
TL;DR: A novel general architecture for defining and monitoring semantic integrity constraints using a specification language-based approach will enable a new generation of integrity monitors to distinguish valid states from tampering.
Journal Article
Searching for processes and threads in Microsoft Windows memory dumps
TL;DR: This article analyzes the in-memory structures which represent processes and threads and develops search patterns which will then be used to scan the whole memory dump for traces of said objects, independent from the aforementioned lists.
Book
Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (Pro-Developer)
TL;DR: The premier guide to the Windows kernel now covers Windows Server 2003, Windows XP, and Windows 2000, including 64-bit extensions, and gets the architectural perspectives and insider insights needed to unlock the power of Windows.
Journal Article
The Windows Registry as a forensic resource
TL;DR: The Windows Registry contains a wealth of information that can prove to be very valuable to the forensic investigator, but the key to accessing this information is to know where the information exists within not only the file system, but also within the structure of the Registry itself.