Windows hibernation and memory forensics

ABSTRACT
The purpose of this capstone project was to research the hibernation file and its role in memory forensics, and to explore current technology, techniques and concepts for analysis. This study includes an in-depth look at the Windows hibernation feature, file format, potential evidence saved to the file and its impacts in digital forensic investigations. This research was performed to demonstrate the importance of the hibernation file and to generate awareness for this forensic artifact. The research questions presented were designed to identify the properties of Windows hibernation and its significance in digital forensics. Additionally, these research questions were aimed at identifying the important concepts analysts should understand in selecting forensic software and in hibernation analysis. Through the literature review process, the hibernation file was identified as an essential part of digital forensics which provides analysts with snapshots of system memory from various points in the past. This data includes web, email and chat sessions in addition to running processes, login credentials, encryption keys, program data and much more. Beyond forensics, the hibernation file is useful in the fields of data recovery and incident response. A review of current hibernation file publications revealed incomplete and conflicting works, culminating in the acknowledgment that more research is needed in order to close these research gaps. More awareness for hibernation forensics through its inclusion in future published works and in computer forensic educational courses is recommended. These inclusions will help arm practitioners with the ability to accurately utilize the hibernation file in order to obtain the highest quality forensic evidence.

Keywords: Cybersecurity, hiberfil.sys, hybrid sleep, malware, slack space, Albert Orbinati.

Identifier: oai:union.ndltd.org:PROQUEST/oai:pqdtoai.proquest.com:1586690
Date: 30 April 2015
Creators: Ayers, Amy L.
Publisher: Utica College
Source Sets: ProQuest.com
Language: English
Detected Language: English
Type: thesis
