[1] Vömel S, Freiling F C. A Survey of Main Memory Acquisition and Analysis Techniques for the Windows Operating System [J]. Digital Investigation, 2011, 8(1): 3-22.
[2] Computer Security Institute. 14th Annual CSI Computer Crime and Security Survey [EB/OL]. (2009-12-05). http://www.personal.utulsa.edu/~jameschildress/cs5493/CSISurvey/CSISurvey2009.pdf.
[3] DFRWS. DFRWS 2005 Forensics Challenge [EB/OL]. (2005-05-14). http://www.dfrws.org/2005/challenge.
[4] Pan Aimin. Windows Kernel Principles and Implementation [M]. Beijing: Publishing House of Electronics Industry, 2010.
[5] Kruse W G, Heiser J G. Computer Forensics: Incident Response Essentials [M]. [S.l.]: Addison-Wesley Professional, 2001.
[6] Sun Bo, Sun Yufang, Zhang Xiangfeng, et al. An Overview of Electronic Data Forensics Research [J]. Computer Science, 2005, 32(2): 24.
[7] National Institute of Justice. Electronic Crime Scene Investigation: A Guide for First Responders [EB/OL]. (2001-07-23). http://www.ncjrs.org/pdffiles1/nij/187736.pdf.
[8] Reith M, Carr C, Gunsch G. An Examination of Digital Forensic Models [J]. International Journal of Digital Evidence, 2002, 1(3): 35.
[9] Carrier B, Spafford E H. Getting Physical with the Investigative Process [J]. International Journal of Digital Evidence, 2003, 2(2): 24.
[10] ACPO. Association of Chief Police Officers [EB/OL]. (2011-06-12). http://www.acpo.police.uk/.
[11] IOCE. International Organization for Cooperation in Evaluation [EB/OL]. (2009-11-10). http://www.ioce.net/index.php.
[12] IACIS. International Association of Computer Investigative Specialists [EB/OL]. (2010-09-28). http://www.iacis.com/.
[13] Baryamureeba V, Tushabe F. The Enhanced Digital Investigation Process Model [C]// Proc. of the 4th Digital Forensic Research Workshop. [S.l.]: IEEE Press, 2004.
[14] Carrier B D, Grand J. A Hardware-based Memory Acquisition Procedure for Digital Investigations [J]. Digital Investigation, 2004, 1(1): 50-60.
[15] Petroni N L, Fraser T, Molina J, et al. Copilot: A Coprocessor-based Kernel Runtime Integrity Monitor [C]// Proc. of the 13th USENIX Security Symposium. New York, USA: [s.n.], 2004.
[16] BBN Technologies. FRED: Forensic RAM Extraction Device [EB/OL]. (2006-01-09). http://www.ir.bbn.com/vkawadia/.
[17] Hulton D. Cardbus Busmastering: Owning the Laptop [C]// Proc. of ShmooCon'06. Columbia, USA: [s.n.], 2006.
[18] Smith J E, Nair R. The Architecture of Virtual Machines [J]. IEEE Computer, 2005, 38(5): 32-38.
[19] Halderman J A, Schoen S D, Heninger N, et al. Lest We Remember: Cold-boot Attacks on Encryption Keys [J]. Communications of the ACM, 2009, 52(5): 91-98.
[20] Garner G M. Forensic Acquisition Utilities [EB/OL]. (2009-07-20). http://gmgsystemsinc.com/fau/.
[21] Vidstrom A. Pmdump [EB/OL]. (2002-06-17). http://ntsecurity.nu/toolbox/pmdump/.
[22] Klein T. Process Dumper [EB/OL]. (2006-10-29). http://www.trapkit.de/research/forensic/pd/index.html.
[23] ManTech CSI Inc. Memory DD [EB/OL]. (2009-03-14). http://sourceforge.net/projects/mdd/files/.
[24] MoonSols. Windows Memory Toolkit [EB/OL]. (2010-09-22). http://moonsols.com/product.
[25] Mandiant. Memoryze [EB/OL]. (2010-09-13). http://www.mandiant.com/products/free_software/memoryze/.
[26] Drake C, Brown K. PANIC! UNIX System Crash Dump Analysis Handbook [M]. [S.l.]: Pearson Education, 1995.
[27] Microsoft Corporation. KB254649: Overview of Memory Dump File Options for Windows Vista, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000 [EB/OL]. (2010-07-15). http://support.microsoft.com/?scid=kb3Benus3B 254649&x=13&y=5.
[28] Microsoft Corporation. KB244139: Windows Feature Lets You Generate a Memory Dump File by Using the Keyboard (Crash Dump File Generation) [EB/OL]. (2010-06-30). http://support.microsoft.com/?20scid=kb3Benus3B244139&x=&y=9.
[29] Libster E, Kornblum J D. A Proposal for an Integrated Memory Acquisition Mechanism [J]. ACM SIGOPS Operating Systems Review, 2008, 42(3): 14-20.
[30] Schatz B. BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software [J]. Digital Investigation, 2007, 4(9): 126-134.
[31] Schatz B. Recent Developments in Volatile Memory Forensics [EB/OL]. (2007-12-18). http://www.schatzforensic.com.au/presentations/BSchatzCERTCSD2007.pdf.
[32] Inoue H, Adelstein F, Joyce R A. Visualization in Testing a Volatile Memory Forensic Tool [J]. Digital Investigation, 2011, 8(1): 42-51.
[33] Vömel S, Freiling F C. Correctness, Atomicity, and Integrity: Defining Criteria for Forensically-sound Memory Acquisition [J]. Digital Investigation, 2012, 9(2): 125-137.
[34] Burdach M. An Introduction to Windows Memory Forensics [EB/OL]. (2005-07-09). http://forensic.seccure.net.
[35] Hargreaves C, Chivers H. Recovery of Encryption Keys from Memory Using a Linear Scan [C]// Proc. of the 3rd International Conference on Availability, Reliability and Security. Barcelona, Spain: [s.n.], 2008: 1369-1376.
[36] Schuster A. Searching for Processes and Threads in Microsoft Windows Memory Dumps [J]. Digital Investigation, 2006, 3(1): 10-16.
[37] Boileau A. bioskbsnarf [EB/OL]. (2008-04-10). http://www.storm.net.nz/static/files/bioskbsnarf.
[38] Anon. Defeating Whole Disk Encryption, Part 1 [EB/OL]. (2007-03-26). http://breachinv.blogspot.com/2007/05/defeatingwholediskencryptionpart1.html.
[39] Schuster A. Pool Allocations as an Information Source in Windows Memory Forensics [C]// Proc. of the International Conference on IT-Incident Management & IT-Forensics. [S.l.]: IEEE Press, 2006.
[40] Bilby D. Low Down and Dirty: Anti-forensic Rootkits [C]// Proc. of Ruxcon'06. [S.l.]: IEEE Press, 2006.
[41] Zhang Ruichao, Wang Linhai, Zhang Shuhui. Windows Memory Analysis Based on KPCR [C]// Proc. of the 5th International Conference on Information Assurance and Security. [S.l.]: IEEE Press, 2009: 677-680.
[42] Dolan-Gavitt B. Forensic Analysis of the Windows Registry in Memory [J]. Digital Investigation, 2008, 5(1): 26-32.
[43] Okolica J, Peterson G L. Windows Operating Systems Agnostic Memory Analysis [J]. Digital Investigation, 2010, 7(1): 48-56.
[44] Russinovich M E, Solomon D A, Ionescu A. Microsoft Windows Internals [M]. [S.l.]: Microsoft Press, 2009.
[45] Dolan-Gavitt B. The VAD Tree: A Process-eye View of Physical Memory [J]. Digital Investigation, 2007, 4(1): 62-64.
[46] van Baar R B, Alink W, van Ballegooij A R. Forensic Memory Analysis: Files Mapped in Memory [J]. Digital Investigation, 2008, 5(S1): 52-57.
[47] Stevens R M, Casey E. Extracting Windows Command Line Details from Physical Memory [J]. Digital Investigation, 2010, 7(1): 57-63.
[48] MoonSols. DumpIt [EB/OL]. (2011-07-18). http://www.moonsols.com/2011/07/18/moonsolsdumpitgoesmainstream/.
[49] X-Ways. WinHex [EB/OL]. (2010-10-15). http://www.xways.net.
[50] Goel A, Feng Wuchang, Maier D, et al. Forensix: A Robust, High-performance Reconstruction System [C]// Proc. of the 25th IEEE International Conference on Distributed Computing Systems Workshops. [S.l.]: IEEE Press, 2005.
[51] Volatile Systems LLC. Volatility [EB/OL]. (2008-11-14). https://www.volatilesystems.com/default/volatility.
Editor: Gu Yifei