Research Article
Acquisition of Network Connection Status Information from Physical Memory on Windows Vista Operating System
418 downloads
@INPROCEEDINGS{10.1007/978-3-642-23602-0_11, author={Lijuan Xu and Lianhai Wang and Lei Zhang and Zhigang Kong}, title={Acquisition of Network Connection Status Information from Physical Memory on Windows Vista Operating System}, proceedings={Forensics in Telecommunications, Information, and Multimedia. Third International ICST Conference, e-Forensics 2010, Shanghai, China, November 11-12, 2010, Revised Selected Papers}, proceedings_a={E-FORENSICS}, year={2012}, month={10}, keywords={computer forensic memory analysis network connection status information}, doi={10.1007/978-3-642-23602-0_11} }- Lijuan Xu
Lianhai Wang
Lei Zhang
Zhigang Kong
Year: 2012
Acquisition of Network Connection Status Information from Physical Memory on Windows Vista Operating System
E-FORENSICS
Springer
DOI: 10.1007/978-3-642-23602-0_11
Abstract
A method to extract information of network connection status information from physical memory on Windows Vista operating system is proposed. Using this method, a forensic examiner can extract accurately the information of current TCP/IP network connection information, including IDs of processes which established connections, establishing time, local address, local port, remote address, remote port, etc., from a physical memory on Windows Vista operating system. This method is reliable and efficient. It is verified on Windows Vista, Windows Vista SP1, Windows Vista SP2.
Copyright © 2010–2024 ICST