The design and implementation of live forensics for Windows systems.

• Main Author: 許菫容
• Other Authors: 楊中皇
• Format: Others
• Language: zh-TW
• Published: 2013
• Online Access: http://ndltd.ncl.edu.tw/handle/81646413310667745343

碩士 === 國立高雄師範大學 === 資訊教育研究所 === 101 === With the ever-changing technological development, the computer and network have played an important part in people’s life, such as shopping, ticketing, communications, etc. These footprints are retained in the computer. When the crime occurs, the data in the computer will become the evidence and the clues of the case. The most important computer collected evidence is the volatile data when the computer does not shut down. Even if the criminal suspects use anti-forensics technology like private browsing mode or delete files, some clues are still remained in the computer's memory. At this time, the live computer forensics system can come in handy. This study focuses on a variety of free tools to collect, compare, analyze and choose suitable software. It integrates into live forensics software packages, providing power-on environment to use the Windows operating system, which is named Windows CSI (Windows Crime Scene Investigation). Windows CSI provides two options: the way of automation and customization perform forensics analysis. The customization can allow users to choose the required steps and items, and it is combined with the batch file. Each step can finish at one time. At the end, it is automated to produce the reports. Windows CSI refers to many tools. It uses a language of Object Pascal and integrates the various forensics software according to the way of Creative Commons license. This paper focuses on study of volatile memory, and the other parts will be omitted.