RETRACTED: "A Probability Model of Covering Key Trace during Capturing Volatile Memory" Procedia Engineering Volume 29, 2012, Pages 1253–1258

Lianhai Wang, Hengjian Li, Zhen Su
2012 Procedia Engineering  
In this paper, we give a clear description of the running memory acquiring tool on a target system, especially the possibility of covering the key trace while capturing volatile memory. Some key traces of an offender may still be in the running memory after the scene of a crime and have a critical role in court and security applications. However, for some key traces, such as rootkits in the memory, the memory occupied by their corresponding process will probably be covered/reallocated during the procedure of ... ning evidence of the crime. Therefore, the covered ratio (lost data) should be evaluated and investigated after the forensic tools run. First, we model the distribution of key traces exacted in the unallocated memory space, then form a formula to evaluate the coverage rate of a key trace whose corresponding process has just been killed. Finally, we give some cases to analyze the evidence coverage ratio, which can be estimated by the newly allocated memory space.
doi:10.1016/j.proeng.2012.01.122 fatcat:grqpfvyszva7vnumc6xjcy7q2a