Article ID | Journal | Published Year | Pages | File Type |
---|---|---|---|---|
456540 | Digital Investigation | 2008 | 6 Pages |
Abstract
In this paper we describe a method for recovering files mapped in memory and for linking mapped-file information to process data. This information is forensically interesting because it helps determine the origin and usage of the file, and because it reduces the amount of unidentified data in a memory dump. To find mapped-file content, we apply several different techniques. Together, these techniques can identify approximately 25% of test memory dumps as being part of a memory-mapped file.
Related Topics
Physical Sciences and Engineering
Computer Science
Computer Networks and Communications
Authors
R.B. van Baar, W. Alink, A.R. van Ballegooij