Acquisition of Network Connection Status Information from Physical Memory on Windows Vista Operating System

Lijuan Xu; Lianhai Wang; Lei Zhang; Zhigang Kong

Forensics in Telecommunications, Information, and Multimedia. Third International ICST Conference, e-Forensics 2010, Shanghai, China, November 11-12, 2010, Revised Selected Papers

Research Article

Acquisition of Network Connection Status Information from Physical Memory on Windows Vista Operating System

Download

495 downloads

Cite: BibTeX Plain Text

@INPROCEEDINGS{10.1007/978-3-642-23602-0_11,
    author={Lijuan Xu and Lianhai Wang and Lei Zhang and Zhigang Kong},
    title={Acquisition of Network Connection Status Information from Physical Memory on Windows Vista Operating System},
    proceedings={Forensics in Telecommunications, Information, and Multimedia. Third International ICST Conference, e-Forensics 2010, Shanghai, China, November 11-12, 2010, Revised Selected Papers},
    proceedings_a={E-FORENSICS},
    year={2012},
    month={10},
    keywords={computer forensic memory analysis network connection status information},
    doi={10.1007/978-3-642-23602-0_11}
}

Lijuan Xu
Lianhai Wang
Lei Zhang
Zhigang Kong
Year: 2012
Acquisition of Network Connection Status Information from Physical Memory on Windows Vista Operating System
E-FORENSICS
Springer
DOI: 10.1007/978-3-642-23602-0_11

Lijuan Xu¹^,*, Lianhai Wang¹^,*, Lei Zhang¹^,*, Zhigang Kong¹^,*

1: Shandong Provincial Key Laboratory of Computer Network

*Contact email: xulj@keylab.net, wanglh@keylab.net, zhanglei@keylab.net, kongzhig@keylab.net

Abstract

A method to extract information of network connection status information from physical memory on Windows Vista operating system is proposed. Using this method, a forensic examiner can extract accurately the information of current TCP/IP network connection information, including IDs of processes which established connections, establishing time, local address, local port, remote address, remote port, etc., from a physical memory on Windows Vista operating system. This method is reliable and efficient. It is verified on Windows Vista, Windows Vista SP1, Windows Vista SP2.

Keywords: computer forensic memory analysis network connection status information

Published: 2012-10-10

: http://dx.doi.org/10.1007/978-3-642-23602-0_11

Acquisition of Network Connection Status Information from Physical Memory on Windows Vista Operating System

Abstract

About EAI

Community

Publish with EAI