The Study of Text Evidence in Memory

被引：2

作者：

Jiang, Min ^{[1
]}

Chen, Long ^{[1
]}

Li, Yahui ^{[1
]}

机构：

[1] Chongqing Univ Posts & Telecommun, Inst Comp Forens, Chongqing 400065, Peoples R China

来源：

MECHATRONICS ENGINEERING, COMPUTING AND INFORMATION TECHNOLOGY | 2014年 / 556-562卷

关键词：

Memory forensics; text file; User behavior; data recovery;

D O I：

10.4028/www.scientific.net/AMM.556-562.6266

中图分类号：

TM [电工技术]; TN [电子技术、通信技术];

学科分类号：

0808 ; 0809 ;

摘要：

The text message which has been viewed and edited is stored in physical memory. In this paper, we take the notepad process as sample, designs a recovery scheme for user's viewing-data and judge whether the document was edited, First this scheme extracts the data of all notepad's process in memory with the member information of the process's EPROCESS structure, and then, matches the data with the target string, thus, it can recovery the viewing-data of a different order. Experiments show that this scheme can recovery the text message when the user browsing in the last minutes and analyze the behavior of the user.

引用

页码：6266 / 6269

页数：4

共 8 条

[1] Chen L., 2013, J CHONGQING U POSTS, V1, P122
[2] Chen Long, 2013, Journal of Chongqing University of Posts and Telecommunication (Natural Science Edition), V25, P854, DOI 10.3979/j.issn.1673-825X.2013.06.027
[3] Funminiyi Akanfe, 2011, STUDY APPL LEVEL INF, P27
[4] Memory Forensics for QQ from a Live System
Gao, Yuhang
Cao, Tianjie
[J]. JOURNAL OF COMPUTERS, 2010, 5 (04) : 541 - 548
[5] Gavitt Dolan, 2008, DIG FOR RES WORKSH B, P26
[6] Okolica J, 2010, DIG FOR RES WORKSH P, P48
[7] Okolica J., 2011, DIGIT INVEST, V9, P118
[8] Richard M., 2010, DIGIT INVEST, V7, P57

← 1 →