Conference paper
Post-mortem path correlation based on the NT Object Manager in Windows 1x systems
Document type
Text/Conference Paper
Additional information
Date
2023
Publisher
Gesellschaft für Informatik e.V.
Abstract
The notation of file and directory paths in the forensic artifacts of Windows 1x systems is not uniform. Correlating paths is therefore needed to prove the hypothesis that two paths found in different artifacts describe the same file. While Windows is running, this correlation is handled inside the NT Object Manager [Al22]. The information held by the NT Object Manager is lost when Windows is shut down, so an analyst with the appropriate knowledge and experience has to correlate the paths manually. A mapping of the NT Object Manager is required to develop forensic tools that correlate paths automatically. This mapping was used to develop a reconstruction approach based on an empirical study of differently configured Windows 1x systems, which enables post-mortem path correlation using non-volatile data.