Post-mortem path correlation based on the NT Object Manager in Windows 1x systems

The specifications of file and directory paths in forensic artifacts of Windows 1x systems are not uniform. A correlation of paths is needed to prove the hypothesis that two paths in different artifacts describe the same file. During runtime of Windows, this correlation is managed inside the NT Object Manager [Al22]. The available information of the NT Object Manager is lost when Windows is shut down, so an analyst with the appropriate knowledge and experience must perform the correlation of paths manually. A mapping of the NT Object Manager is required to develop forensic tools that allow an automated correlation of paths. The mapping was used to develop a reconstruction approach based on an empirical study of differently configured Windows 1x systems. This allows for post-mortem path correlation using non-volatile data.

Helfer, Dominic; Rothe, Felix; Bodach, Ronny (2023): Post-mortem path correlation based on the NT Object Manager in Windows 1x systems. INFORMATIK 2023 - Designing Futures: Zukünfte gestalten. DOI: 10.18420/inf2023_70. Bonn: Gesellschaft für Informatik e.V.. PISSN: 1617-5468. ISBN: 978-3-88579-731-9. pp. 597-606. Cybersecurity & Privatsphäre - 3. International Workshop on Digital Forensics / IWDF3. Berlin. 26.-29. September 2023

Schlagwörter

Digital Forensics , Path Correlation , Windows Artifacts , NT-Object Manager

DOI

10.18420/inf2023_70

Sammlungen

P337 - INFORMATIK 2023 - Designing Futures: Zukünfte gestalten

Komplettanzeige

Post-mortem path correlation based on the NT Object Manager in Windows 1x systems

Volltext URI

Dokumententyp

Dateien

Zusatzinformation

Datum

Autor:innen

Zeitschriftentitel

ISSN der Zeitschrift

Bandtitel

Quelle

Verlag

Zusammenfassung

Beschreibung

Schlagwörter

Zitierform

DOI

Tags

Sammlungen