Windows 10 Memory Compression in Digital Forensics - Uncovering Digital Evidence in Compressed Swap

Østerud, Aleksander
Master thesis
URI
http://hdl.handle.net/11250/2626390
Date
2018
Collections
  • Institutt for informasjonssikkerhet og kommunikasjonsteknologi [1561]
Abstract
Digital investigators and incident responders often rely on evidence residing in computer memory and in page files on hard drives. Artifacts such as browsing history, image thumbnails and shell commands can answer important questions in digital investigations. Windows 10 introduces memory compression, which compresses inactive parts of computer memory, leading to obfuscation of potentially important artifacts. In this thesis, the student proposes principles and investigates methods for decompressing the parts of memory compressed by the Windows 10 operating system. The goal of the thesis is to create a method for decompressing and de-obfuscating potentially important information from compressed data in memory samples and page files, and to make it available to the forensics community. Memory compression in digital forensics of Windows 10 is a previously unsolved problem. Through research and experiments, the student has created a proof-of-concept tool with these capabilities, called "MemoryDecompression". The tool is tested on data from two scenarios that involve recovering strings that have been compressed and obfuscated by the memory manager. The results show that strings are in fact being obfuscated through memory compression. The tool was submitted to the Volatility Plugin Contest as a contender and finished in 2nd place. This is presented as an indicator of quality and potential value. It also brings attention to the issues of memory compression and makes the tool available to the forensics community. The results, the impact and the weaknesses of the applied experiments are discussed. Finally, the thesis suggests future work on this subject, which includes further research on the Windows memory manager and further development of the MemoryDecompression tool.
Publisher
NTNU
