Post-mortem path correlation based on the NT Object Manager in Windows 1x systems
| dc.contributor.author | Helfer, Dominic | |
| dc.contributor.author | Rothe, Felix | |
| dc.contributor.author | Bodach, Ronny | |
| dc.contributor.editor | Klein, Maike | |
| dc.contributor.editor | Krupka, Daniel | |
| dc.contributor.editor | Winter, Cornelia | |
| dc.contributor.editor | Wohlgemuth, Volker | |
| dc.date.accessioned | 2023-11-29T14:50:32Z | |
| dc.date.available | 2023-11-29T14:50:32Z | |
| dc.date.issued | 2023 | |
| dc.description.abstract | The specifications of file and directory paths in forensic artifacts of Windows 1x systems are not uniform. A correlation of paths is needed to prove the hypothesis that two paths in different artifacts describe the same file. During runtime of Windows, this correlation is managed inside the NT Object Manager [Al22]. The available information of the NT Object Manager is lost when Windows is shut down, so an analyst with the appropriate knowledge and experience must perform the correlation of paths manually. A mapping of the NT Object Manager is required to develop forensic tools that allow an automated correlation of paths. The mapping was used to develop a reconstruction approach based on an empirical study of differently configured Windows 1x systems. This allows for post-mortem path correlation using non-volatile data. | en |
| dc.identifier.doi | 10.18420/inf2023_70 | |
| dc.identifier.isbn | 978-3-88579-731-9 | |
| dc.identifier.pissn | 1617-5468 | |
| dc.identifier.uri | https://dl.gi.de/handle/20.500.12116/43193 | |
| dc.language.iso | en | |
| dc.publisher | Gesellschaft für Informatik e.V. | |
| dc.relation.ispartof | INFORMATIK 2023 - Designing Futures: Zukünfte gestalten | |
| dc.relation.ispartofseries | Lecture Notes in Informatics (LNI) - Proceedings, Volume P-337 | |
| dc.subject | Digital Forensics | |
| dc.subject | Path Correlation | |
| dc.subject | Windows Artifacts | |
| dc.subject | NT-Object Manager | |
| dc.title | Post-mortem path correlation based on the NT Object Manager in Windows 1x systems | en |
| dc.type | Text/Conference Paper | |
| gi.citation.endPage | 606 | |
| gi.citation.publisherPlace | Bonn | |
| gi.citation.startPage | 597 | |
| gi.conference.date | 26.-29. September 2023 | |
| gi.conference.location | Berlin | |
| gi.conference.sessiontitle | Cybersecurity & Privatsphäre - 3. International Workshop on Digital Forensics / IWDF3 |
Dateien
Originalbündel
1 - 1 von 1
Vorschaubild nicht verfügbar
- Name:
- 03_02_03_Helfer.pdf
- Größe:
- 534.26 KB
- Format:
- Adobe Portable Document Format