Windows volatile memory forensics based on correlation analysis

In this paper, we present an integrated memory forensic solution for multiple Windows memory images. By calculation, the method can find out the correlation degree among the processes of volatile memory images and the hidden clues behind the events of computers, which is usually difficult to be obtained and easily ignored by analyzing one single memory image and forensic investigators. In order to test the validity, we performed an experiment based on two hosts' memory image which contains criminal incidents. According to the experimental result, we find that the event chains reconstructed by our method are similar to the actual actions in the criminal scene. Investigators can review the digital crime scenario which is contained in the data set by analyzing the experimental results. This paper is aimed at finding the valid actions with illegal attempt and making the memory analysis not to be utterly dependent on the operating system and relevant experts. © 2014 ACADEMY PUBLISHER.