Tracking file's metadata from computer memory analysis

Khairul Akram Zainol Ariffin, Jafreezal Jaafar, Ahmad Kamil Mahmood, Solahuddin Shamsuddin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

With the advance in technology, the computer storage will become cheaper for the larger sizes. Previously, it allows the user to store more data at a lower cost. In the context of digital forensic investigation, the traditional approach such as analysis on the hard disk will become inefficient in handling the huge data that is stored within it. The research on retrieving the open files from computer memory only focused on tracking the Virtual Address Descriptor (VAD) and Object Table. Thus, only the active object's open files can be retrieved from the computer memory. The aim of this paper is to present algorithms to track the metadata of files from the well-known file systems for Windows systems such as File Allocation Table (FAT) and New Technologies File System (NTFS). The algorithms encompass the signature search to retrieve the boot sector and then capture the metadata about the file from the computer memory. The algorithm will be independent of the address translation algorithm and able to capture the information from various file extensions, not limited to .EXE and .DLL.

Original language: English
Title of host publication: Proceedings - 15th IEEE International Conference on Computer and Information Technology, CIT 2015, 14th IEEE International Conference on Ubiquitous Computing and Communications, IUCC 2015, 13th IEEE International Conference on Dependable, Autonomic and Secure Computing, DASC 2015 and 13th IEEE International Conference on Pervasive Intelligence and Computing, PICom 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 975-980
Number of pages: 6
ISBN (Electronic): 9781509001545
DOI: https://doi.org/10.1109/CIT/IUCC/DASC/PICOM.2015.147
Publication status: Published - 22 Dec 2015
Externally published: Yes
Event: 15th IEEE International Conference on Computer and Information Technology, CIT 2015, 14th IEEE International Conference on Ubiquitous Computing and Communications, IUCC 2015, 13th IEEE International Conference on Dependable, Autonomic and Secure Computing, DASC 2015 and 13th IEEE International Conference on Pervasive Intelligence and Computing, PICom 2015 - Liverpool, United Kingdom
Duration: 26 Oct 2015 to 28 Oct 2015

Other

Other: 15th IEEE International Conference on Computer and Information Technology, CIT 2015, 14th IEEE International Conference on Ubiquitous Computing and Communications, IUCC 2015, 13th IEEE International Conference on Dependable, Autonomic and Secure Computing, DASC 2015 and 13th IEEE International Conference on Pervasive Intelligence and Computing, PICom 2015
Country: United Kingdom
City: Liverpool
Period: 26/10/15 to 28/10/15

Fingerprint

Metadata
Data storage equipment
Virtual addresses
Hard disk storage
Costs

Keywords

  • Algorithms
  • Digital forensics
  • File systems
  • Information retrieval
  • Memory analysis

ASJC Scopus subject areas

  • Information Systems
  • Artificial Intelligence
  • Computer Networks and Communications

Cite this

Zainol Ariffin, K. A., Jaafar, J., Mahmood, A. K., & Shamsuddin, S. (2015). Tracking file's metadata from computer memory analysis. In Proceedings - 15th IEEE International Conference on Computer and Information Technology, CIT 2015, 14th IEEE International Conference on Ubiquitous Computing and Communications, IUCC 2015, 13th IEEE International Conference on Dependable, Autonomic and Secure Computing, DASC 2015 and 13th IEEE International Conference on Pervasive Intelligence and Computing, PICom 2015 (pp. 975-980). [7363188] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/CIT/IUCC/DASC/PICOM.2015.147
