Context. For computer forensic investigations, the necessity of unmodified data content is of vital essence. The solution presented in this paper is based on a trusted chain of execution, that ensures that only authorized software can run. In the study, the proposed application operates in an UEFI environment where it has a direct access to physical memory, which can be extracted and stored on a secondary storage medium for further analysis. Objectives. The aim is to perform this task while being sheltered from influence from a potentially contaminated operating system. Methods. By identifying key components and establishing the foundation for a trusted environment where the memory imaging tool can, unhindered, operate and produce a reliable result Results. Three distinct states where trust can be determined has been identified and a method for entering and traversing them is presented. Conclusions. Tools that does not follow the trusted model might be subjected to subversion, thus they might be considered inadequate when performing memory extraction for forensic purposes.
| Identifer | oai:union.ndltd.org:UPSALLA1/oai:DiVA.org:bth-3582 |
| Date | January 2014 |
| Creators | Markanovic, Michel, Persson, Simeon |
| Publisher | Blekinge Tekniska Högskola, Institutionen för kreativa teknologier, Blekinge Tekniska Högskola, Institutionen för kreativa teknologier |
| Source Sets | DiVA Archive at Upsalla University |
| Language | English |
| Detected Language | English |
| Type | Student thesis, info:eu-repo/semantics/bachelorThesis, text |
| Format | application/pdf |
| Rights | info:eu-repo/semantics/openAccess |
Page generated in 0.028 seconds