Auflistung nach Schlagwort "NT-Object Manager"
1 - 1 von 1
Treffer pro Seite
Sortieroptionen
- KonferenzbeitragPost-mortem path correlation based on the NT Object Manager in Windows 1x systems(INFORMATIK 2023 - Designing Futures: Zukünfte gestalten, 2023) Helfer, Dominic; Rothe, Felix; Bodach, RonnyThe specifications of file and directory paths in forensic artifacts of Windows 1x systems are not uniform. A correlation of paths is needed to prove the hypothesis that two paths in different artifacts describe the same file. During runtime of Windows, this correlation is managed inside the NT Object Manager [Al22]. The available information of the NT Object Manager is lost when Windows is shut down, so an analyst with the appropriate knowledge and experience must perform the correlation of paths manually. A mapping of the NT Object Manager is required to develop forensic tools that allow an automated correlation of paths. The mapping was used to develop a reconstruction approach based on an empirical study of differently configured Windows 1x systems. This allows for post-mortem path correlation using non-volatile data.