Verfügbarkeit: Forensic acquisition and analysis of volatile data in memory

Forensic acquisition and analysis of volatile data in memory: = Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher

Gespeichert in:

Bibliographische Detailangaben
1. Verfasser:	Vömel, Stefan (VerfasserIn)
Format:	Abschlussarbeit Buch
Sprache:	English
Veröffentlicht:	2013
Schlagworte:	Hauptspeicher Computerforensik Hochschulschrift
Online-Zugang:	Volltext Volltext http://d-nb.info/1075475597/34 Inhaltsverzeichnis
Beschreibung:	VIII, 124 Bl. graph. Darst. 21 cm

Internformat

MARC


LEADER	00000nam a2200000 c 4500
001	BV041741155
003	DE-604
005	20151020
007	t
008	140318s2013 gw d\|\|\| m\|\|\| 00\|\|\| eng d
016	7		\|a 1048415945 \|2 DE-101
035			\|a (OCoLC)877881813
035			\|a (DE-599)DNB1048415945
040			\|a DE-604 \|b ger \|e rakddb
041	0		\|a eng
044			\|a gw \|c XA-DE
049			\|a DE-384 \|a DE-473 \|a DE-703 \|a DE-1051 \|a DE-824 \|a DE-29 \|a DE-12 \|a DE-91 \|a DE-19 \|a DE-1049 \|a DE-92 \|a DE-739 \|a DE-898 \|a DE-355 \|a DE-706 \|a DE-20 \|a DE-1102
082	0		\|a 005.8 \|2 22/ger
084			\|a 004 \|2 sdnb
100	1		\|a Vömel, Stefan \|e Verfasser \|0 (DE-588)1048415821 \|4 aut
245	1	0	\|a Forensic acquisition and analysis of volatile data in memory \|b = Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher \|c von Stefan Vömel
246	1	1	\|a Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher
264		1	\|c 2013
300			\|a VIII, 124 Bl. \|b graph. Darst. \|c 21 cm
336			\|b txt \|2 rdacontent
337			\|b n \|2 rdamedia
338			\|b nc \|2 rdacarrier
502			\|a Erlangen-Nürnberg, Univ., Diss., 2013
650	0	7	\|a Hauptspeicher \|0 (DE-588)4159219-0 \|2 gnd \|9 rswk-swf
650	0	7	\|a Computerforensik \|0 (DE-588)4774034-6 \|2 gnd \|9 rswk-swf
655		7	\|0 (DE-588)4113937-9 \|a Hochschulschrift \|2 gnd-content
689	0	0	\|a Hauptspeicher \|0 (DE-588)4159219-0 \|D s
689	0	1	\|a Computerforensik \|0 (DE-588)4774034-6 \|D s
689	0		\|5 DE-604
776	0	8	\|i Erscheint auch als \|n Online-Ausgabe \|o urn:nbn:de:bvb:29-opus4-41117
856	4	1	\|u https://nbn-resolving.org/urn:nbn:de:bvb:29-opus4-41117 \|x Resolvingsystem \|z kostenfrei \|3 Volltext
856	4	1	\|u http://opus4.kobv.de/opus4-fau/frontdoor/index/index/docId/4111 \|x Verlag \|z kostenfrei \|3 Volltext
856	4		\|u http://d-nb.info/1075475597/34 \|x Langzeitarchivierung Nationalbibliothek
856	4	2	\|m DNB Datenaustausch \|q application/pdf \|u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=027187759&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA \|3 Inhaltsverzeichnis
912			\|a ebook
999			\|a oai:aleph.bib-bvb.de:BVB01-027187759

Datensatz im Suchindex

_version_	1804152033136082944
adam_text	CONTENTS 1 INTRODUCTION: ON TRADITIONAL AND NOVEL APPROACHES IN COMPUTER FORENSICS 1 1.1 EVOLUTION OF FORENSIC INVESTIGATIONS 1 1.1.1 TRADITIONAL INVESTIGATION APPROACHES 1 1.1.2 FROM PERSISTENT DATA-CENTRIC APPROACHES TO MEMORY-BASED IN VESTIGATIONS 3 1.2 CONTRIBUTIONS OF THIS THESIS 4 1.2.1 ILLUSTRATION AND STRUCTURING OF THE RESEARCH AREA 4 1.2.2 FBRMALIZATION OF CRITERIA FOR SOUND MEMORY IMAGING 5 1.2.3 EVALUATION OF FORENSIC MEMORY ACQUISITION SOFTWARE 5 1.2.4 FACILITATION OF THE MEMORY ANALYSIS PROCESS FOR LESS EXPERI ENCED INVESTIGATORS 5 1.3 OUTLINE OF THE THESIS 6 1.4 LIST OF PUBLICATIONS 7 2 BACKGROUND INFORMATION 9 2.1 MEMORY ADMINISTRATION PROCESS 9 2.1.1 MEMORY ADDRESS SPACE LAYOUT 10 2.1.2 VIRTUAL-TO-PHYSICAL ADDRESS TRANSLATION PROCESS 10 2.1.3 PAGING 12 2.2 APPROACHES AND TECHNIQUES FOR FORENSIC MEMORY ACQUISITION 13 2.2.1 MEMORY ACQUISITION USING A DEDICATED HARDWARE CARD 14 2.2.2 MEMORY ACQUISITION VIA A SPECIAL HARDWARE BUS 15 2.2.3 MEMORY ACQUISITION WITH THE HELP OF VIRTUALIZATION 16 2.2.4 MEMORY ACQUISITION USING SOFTWARE CRASH DUMPS 17 2.2.5 MEMORY ACQUISITION WITH THE HELP OF SOFTWARE IMAGERS 18 2.2.6 MEMORY ACQUISITION VIA OPERATING SYSTEM INJECTION OR ADAPTION . 19 2.2.7 MEMORY ACQUISITION VIA COLD BOOTING 20 HTTP://D-NB.INFO/1048415945 CONTENTS 2.2.8 MEMORY ACQUISITION USING THE HIBERNATION FILE 21 2.3 CATEGORIZATION OF FORENSIC MEMORY ACQUISITION APPROACHES 21 2.4 SUMMARY 23 3 CRITERIA FOR SOUND MEMORY ACQUISITION 24 3.1 OVERVIEW OF EXISTING MEMORY ACQUISITION MODELS 25 3.2 BACKGROUND ON DISTRIBUTED SYSTEMS 25 3.2.1 CHARACTERISTICS OF DISTRIBUTED SYSTEMS 26 3.2.2 CONSISTENT AND INCONSISTENT CUTS 27 3.3 AN EVALUATION MODEL FOR FORENSIC IMAGES OF PHYSICAL MEMORY 29 3.3.1 EVENTS AND CAUSALITY 29 3.3.2 MEMORY SNAPSHOTS 30 3.3.3 CORRECTNESS OF A SNAPSHOT 33 3.3.4 ATOMICITY OF A SNAPSHOT 35 3.3.5 INTEGRITY OF A SNAPSHOT 36 3.4 DISCUSSION OF FORENSIC SOUNDNESS 38 3.5 INTEGRATION OF EXISTING CONCEPTS INTO THE MODEL 39 3.6 CRITICAL PERCEPTION OF CURRENT TECHNOLOGIES 41 3.7 SUMMARY 42 4 AN EVALUATION PLATFORM FOR FORENSIC MEMORY ACQUISITION SOFTWARE 44 4.1 BACKGROUND INFORMATION 45 4.1.1 EXISTING WORK 45 4.1.2 FORENSIC MEMORY IMAGING ON MICROSOFT WINDOWS OPERATING SYSTEMS 46 4.2 MEASUREMENT METHODOLOGY AND PLATFORM ARCHITECTURE 48 4.2.1 PLATFORM ARCHITECTURE 48 4.2.2 MEASURING FACTORS FOR SOUND MEMORY IMAGING 51 4.3 EVALUATION 55 4.3.1 EVALUATION METHODOLOGY 55 4.3.2 RESULTS 57 II CONTENTS 4.4 DISCUSSION 62 4.4.1 BLACK-BOX VS. WHITE-BOX TESTING 62 4.4.2 LIMITATIONS OF THE PLATFORM 63 4.4.3 OPERATIONAL CAPABILITIES OF MEMORY ACQUISITION SOFTWARE 64 4.5 FURTHER DEVELOPMENT AND EVALUATION POSSIBILITIES 64 4.6 SUMMARY 65 5 FORENSIC MEMORY ANALYSIS 67 5.1 APPROACHES FOR EXTRACTING AND ANALYZING FORENSIC ARTIFACTS 68 5.1.1 PROCESS ANALYSIS 68 5.1.2 CRYPTOGRAPHIC KEY RECOVERY 73 5.1.3 SYSTEM REGISTRY ANALYSIS 75 5.1.4 NETWORK ANALYSIS 77 5.1.5 FILE ANALYSIS 80 5.1.6 SYSTEM STATE- AND APPLICATION-SPECIFIC ANALYSIS 82 5.2 FRAMEWORK-BASED MEMORY ANALYSIS 85 5.3 SUMMARY 86 6 USING MEMORY FORENSICS TO DISCOVER ROOTKIT INFECTIONS 87 6.1 BACKGROUND INFORMATION 88 6.1.1 ROOTKITS AND ROOTKIT CLASSES 88 6.1.2 COMMON ROOTKIT STRATEGIES AND TECHNIQUES 89 6.2 FINDING TRACES OF SYSTEM INFECTIONS WITH RKFINDER 90 6.2.1 FUNCTIONALITY AND EXTENSION OF DFF 91 6.2.2 RKFINDER S MODE OF OPERATION 93 6.3 EVALUATION AND DISCUSSION OF THE DETECTION PERFORMANCE 96 6.3.1 ANALYSIS RESULTS 97 6.4 DISCUSSION 99 6.4.1 WEAKNESSES AND LIMITATIONS 99 6.4.2 FARTHER DEVELOPMENT AND EVALUATION POSSIBILITIES 100 6.5 SUMMARY 100 III CONTENTS 7 SYNOPSIS AND CONCLUSION 102 7.1 OPPORTUNITIES FOR FUTURE RESEARCH 103 7.1.1 ANTI AND ANTI-ANTI MEMORY FORENSICS 103 7.1.2 MEMORY FORENSICS ON OTHER SYSTEM PLATFORMS 104 7.1.3 VIRTUAL MACHINE INTROSPECTION 104 7.1.4 DEVELOPMENT OF ADEQUATE DATA AGGREGATION, PRESENTATION, AND VISUALIZATION CONCEPTS 105 BIBLIOGRAPHY 106 IV
any_adam_object	1
author	Vömel, Stefan
author_GND	(DE-588)1048415821
author_facet	Vömel, Stefan
author_role	aut
author_sort	Vömel, Stefan
author_variant	s v sv
building	Verbundindex
bvnumber	BV041741155
collection	ebook
ctrlnum	(OCoLC)877881813 (DE-599)DNB1048415945
dewey-full	005.8
dewey-hundreds	000 - Computer science, information, general works
dewey-ones	005 - Computer programming, programs, data, security
dewey-raw	005.8
dewey-search	005.8
dewey-sort	15.8
dewey-tens	000 - Computer science, information, general works
discipline	Informatik
format	Thesis Book
fullrecord	<?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>02139nam a2200457 c 4500</leader><controlfield tag="001">BV041741155</controlfield><controlfield tag="003">DE-604</controlfield><controlfield tag="005">20151020 </controlfield><controlfield tag="007">t</controlfield><controlfield tag="008">140318s2013 gw d\|\|\| m\|\|\| 00\|\|\| eng d</controlfield><datafield tag="016" ind1="7" ind2=" "><subfield code="a">1048415945</subfield><subfield code="2">DE-101</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(OCoLC)877881813</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-599)DNB1048415945</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-604</subfield><subfield code="b">ger</subfield><subfield code="e">rakddb</subfield></datafield><datafield tag="041" ind1="0" ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="044" ind1=" " ind2=" "><subfield code="a">gw</subfield><subfield code="c">XA-DE</subfield></datafield><datafield tag="049" ind1=" " ind2=" "><subfield code="a">DE-384</subfield><subfield code="a">DE-473</subfield><subfield code="a">DE-703</subfield><subfield code="a">DE-1051</subfield><subfield code="a">DE-824</subfield><subfield code="a">DE-29</subfield><subfield code="a">DE-12</subfield><subfield code="a">DE-91</subfield><subfield code="a">DE-19</subfield><subfield code="a">DE-1049</subfield><subfield code="a">DE-92</subfield><subfield code="a">DE-739</subfield><subfield code="a">DE-898</subfield><subfield code="a">DE-355</subfield><subfield code="a">DE-706</subfield><subfield code="a">DE-20</subfield><subfield code="a">DE-1102</subfield></datafield><datafield tag="082" ind1="0" ind2=" "><subfield code="a">005.8</subfield><subfield code="2">22/ger</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">004</subfield><subfield code="2">sdnb</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Vömel, Stefan</subfield><subfield code="e">Verfasser</subfield><subfield code="0">(DE-588)1048415821</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">Forensic acquisition and analysis of volatile data in memory</subfield><subfield code="b">= Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher</subfield><subfield code="c">von Stefan Vömel</subfield></datafield><datafield tag="246" ind1="1" ind2="1"><subfield code="a">Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="c">2013</subfield></datafield><datafield tag="300" ind1=" " ind2=" "><subfield code="a">VIII, 124 Bl.</subfield><subfield code="b">graph. Darst.</subfield><subfield code="c">21 cm</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="b">n</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="b">nc</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="502" ind1=" " ind2=" "><subfield code="a">Erlangen-Nürnberg, Univ., Diss., 2013</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Hauptspeicher</subfield><subfield code="0">(DE-588)4159219-0</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Computerforensik</subfield><subfield code="0">(DE-588)4774034-6</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="655" ind1=" " ind2="7"><subfield code="0">(DE-588)4113937-9</subfield><subfield code="a">Hochschulschrift</subfield><subfield code="2">gnd-content</subfield></datafield><datafield tag="689" ind1="0" ind2="0"><subfield code="a">Hauptspeicher</subfield><subfield code="0">(DE-588)4159219-0</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2="1"><subfield code="a">Computerforensik</subfield><subfield code="0">(DE-588)4774034-6</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2=" "><subfield code="5">DE-604</subfield></datafield><datafield tag="776" ind1="0" ind2="8"><subfield code="i">Erscheint auch als</subfield><subfield code="n">Online-Ausgabe</subfield><subfield code="o">urn:nbn:de:bvb:29-opus4-41117</subfield></datafield><datafield tag="856" ind1="4" ind2="1"><subfield code="u">https://nbn-resolving.org/urn:nbn:de:bvb:29-opus4-41117</subfield><subfield code="x">Resolvingsystem</subfield><subfield code="z">kostenfrei</subfield><subfield code="3">Volltext</subfield></datafield><datafield tag="856" ind1="4" ind2="1"><subfield code="u">http://opus4.kobv.de/opus4-fau/frontdoor/index/index/docId/4111</subfield><subfield code="x">Verlag</subfield><subfield code="z">kostenfrei</subfield><subfield code="3">Volltext</subfield></datafield><datafield tag="856" ind1="4" ind2=" "><subfield code="u">http://d-nb.info/1075475597/34</subfield><subfield code="x">Langzeitarchivierung Nationalbibliothek</subfield></datafield><datafield tag="856" ind1="4" ind2="2"><subfield code="m">DNB Datenaustausch</subfield><subfield code="q">application/pdf</subfield><subfield code="u">http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=027187759&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA</subfield><subfield code="3">Inhaltsverzeichnis</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">ebook</subfield></datafield><datafield tag="999" ind1=" " ind2=" "><subfield code="a">oai:aleph.bib-bvb.de:BVB01-027187759</subfield></datafield></record></collection>
genre	(DE-588)4113937-9 Hochschulschrift gnd-content
genre_facet	Hochschulschrift
id	DE-604.BV041741155
illustrated	Illustrated
indexdate	2024-07-10T01:04:16Z
institution	BVB
language	English
oai_aleph_id	oai:aleph.bib-bvb.de:BVB01-027187759
oclc_num	877881813
open_access_boolean	1
owner	DE-384 DE-473 DE-BY-UBG DE-703 DE-1051 DE-824 DE-29 DE-12 DE-91 DE-BY-TUM DE-19 DE-BY-UBM DE-1049 DE-92 DE-739 DE-898 DE-BY-UBR DE-355 DE-BY-UBR DE-706 DE-20 DE-1102
owner_facet	DE-384 DE-473 DE-BY-UBG DE-703 DE-1051 DE-824 DE-29 DE-12 DE-91 DE-BY-TUM DE-19 DE-BY-UBM DE-1049 DE-92 DE-739 DE-898 DE-BY-UBR DE-355 DE-BY-UBR DE-706 DE-20 DE-1102
physical	VIII, 124 Bl. graph. Darst. 21 cm
psigel	ebook
publishDate	2013
publishDateSearch	2013
publishDateSort	2013
record_format	marc
spelling	Vömel, Stefan Verfasser (DE-588)1048415821 aut Forensic acquisition and analysis of volatile data in memory = Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher von Stefan Vömel Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher 2013 VIII, 124 Bl. graph. Darst. 21 cm txt rdacontent n rdamedia nc rdacarrier Erlangen-Nürnberg, Univ., Diss., 2013 Hauptspeicher (DE-588)4159219-0 gnd rswk-swf Computerforensik (DE-588)4774034-6 gnd rswk-swf (DE-588)4113937-9 Hochschulschrift gnd-content Hauptspeicher (DE-588)4159219-0 s Computerforensik (DE-588)4774034-6 s DE-604 Erscheint auch als Online-Ausgabe urn:nbn:de:bvb:29-opus4-41117 https://nbn-resolving.org/urn:nbn:de:bvb:29-opus4-41117 Resolvingsystem kostenfrei Volltext http://opus4.kobv.de/opus4-fau/frontdoor/index/index/docId/4111 Verlag kostenfrei Volltext http://d-nb.info/1075475597/34 Langzeitarchivierung Nationalbibliothek DNB Datenaustausch application/pdf http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=027187759&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA Inhaltsverzeichnis
spellingShingle	Vömel, Stefan Forensic acquisition and analysis of volatile data in memory = Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher Hauptspeicher (DE-588)4159219-0 gnd Computerforensik (DE-588)4774034-6 gnd
subject_GND	(DE-588)4159219-0 (DE-588)4774034-6 (DE-588)4113937-9
title	Forensic acquisition and analysis of volatile data in memory = Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher
title_alt	Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher
title_auth	Forensic acquisition and analysis of volatile data in memory = Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher
title_exact_search	Forensic acquisition and analysis of volatile data in memory = Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher
title_full	Forensic acquisition and analysis of volatile data in memory = Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher von Stefan Vömel
title_fullStr	Forensic acquisition and analysis of volatile data in memory = Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher von Stefan Vömel
title_full_unstemmed	Forensic acquisition and analysis of volatile data in memory = Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher von Stefan Vömel
title_short	Forensic acquisition and analysis of volatile data in memory
title_sort	forensic acquisition and analysis of volatile data in memory forensische sicherung und auswertung fluchtiger daten im hauptspeicher
title_sub	= Forensische Sicherung und Auswertung flüchtiger Daten im Hauptspeicher
topic	Hauptspeicher (DE-588)4159219-0 gnd Computerforensik (DE-588)4774034-6 gnd
topic_facet	Hauptspeicher Computerforensik Hochschulschrift
url	https://nbn-resolving.org/urn:nbn:de:bvb:29-opus4-41117 http://opus4.kobv.de/opus4-fau/frontdoor/index/index/docId/4111 http://d-nb.info/1075475597/34 http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=027187759&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA
work_keys_str_mv	AT vomelstefan forensicacquisitionandanalysisofvolatiledatainmemoryforensischesicherungundauswertungfluchtigerdatenimhauptspeicher AT vomelstefan forensischesicherungundauswertungfluchtigerdatenimhauptspeicher

Verfügbarkeit

Es ist kein Print-Exemplar vorhanden.

Fernleihe Bestellen Achtung: Nicht im THWS-Bestand! Volltext öffnen

MARC

Datensatz im Suchindex

Es ist kein Print-Exemplar vorhanden.

Ähnliche Einträge