Internet Archive Scholar

RETRACTED: "A Probability Model of Covering Key Trace during Capturing Volatile Memory" Procedia Engineering Volume 29, 2012, Pages 1253–1258

Lianhai Wang, Hengjian Li, Zhen Su
2012 Procedia Engineering  

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (434.9 kB)
https://web.archive.org/web/20170924043633/http://publisher-connector.core.ac.uk/resourcesync/data/elsevier/pdf/0df/aHR0cDovL2FwaS5lbHNldmllci5jb20vY29udGVudC9hcnRpY2xlL3BpaS9zMTg3NzcwNTgxMjAwMTMyNA%3D%3D.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2017; you can also visit the original URL. The file type is application/pdf.

In this paper, we give a clear description of the running memory acquiring tool on a target system, especially for possibility covering the key trace during capturing volatile memory. Some key trace of offender may still in the running memory after the scene of a crime and have critical role in court and security applications. However, some key trace, such as rootkits in the memory, memory occupied by their corresponding process will probably be covered/ reallocated during the procedure of
more » ... ning evidence of the crime. Therefore, the covered ratio (lost data) should be evaluated and investigated after the forensic tools run. Firstly, we model the distribution of key trace exacted in the unallocated memory space, then form a formula to evaluate the coverage rate of the key trace in which the corresponding process has just been killed. At last, we give some cases to analyze the evidence coverage ratio which can be estimated by the new allocated memory space.
doi:10.1016/j.proeng.2012.01.122 fatcat:grqpfvyszva7vnumc6xjcy7q2a
Open Access
Citation

Lianhai Wang, Hengjian Li, Zhen Su. "RETRACTED: "A Probability Model of Covering Key Trace during Capturing Volatile Memory" Procedia Engineering Volume 29, 2012, Pages 1253–1258." Procedia Engineering (2012) 1253-1258